oss-sec mailing list archives
Re: The Bind incident
From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 06 Jul 2011 21:16:51 +0200
* Mike O'Connor:
Note that the BIND 9.4 ESV formally EOLed just last month: http://www.isc.org/softwaresupportpolicy So, if you are distributing an older rev of BIND and some new security issue comes up that you are prone to, it _might_ not be quite as easy to backport the fixes.
If you move from 9.4 or 9.5 to 9.6, your users might hit an issue in the OpenSSL initialization function: <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584911> We've applied the kludge below to our 9.6 version, which seems to address the most common cause of a silently dying named process. (There are others, but those are more difficult to check.) diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c index 2dc7d7e..80e6e00 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -48,12 +48,16 @@ #include "dst_internal.h" #include "dst_openssl.h" +#include <dns/log.h> + #include <openssl/err.h> #include <openssl/rand.h> #include <openssl/evp.h> #include <openssl/conf.h> #include <openssl/crypto.h> +#include <unistd.h> + #if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER >= 0x0090707f) #define USE_ENGINE 1 #endif @@ -188,7 +192,19 @@ dst__openssl_init() { rm->pseudorand = entropy_getpseudo; rm->status = entropy_status; #ifdef USE_ENGINE + const char *cnf_path = "/usr/lib/ssl/openssl.cnf"; + if (access(cnf_path, R_OK) == -1 && errno != ENOENT) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL, + "The OpenSSL configuration file %s exists, " + "but it is not readable.", cnf_path); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL, + "The process may terminate without further " + "notice."); + } OPENSSL_config(NULL); + #ifdef USE_PKCS11 #ifndef PKCS11_SO_PATH #define PKCS11_SO_PATH "/usr/local/lib/engines/engine_pkcs11.so"
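Review bot: the first hunk adds `#include <dns/log.h>` and `#include <unistd.h>` for isc_log_write() and access(), but nothing for errno and ENOENT, which the new check in dst__openssl_init() in the second hunk relies on; add `#include <errno.h>` next to `#include <unistd.h>` rather than depending on it arriving transitively through another header, since a build where it does not will fail on exactly this diagnostic code.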
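Review bot: in the second hunk the path `/usr/lib/ssl/openssl.cnf` is hardcoded, which is only correct on builds whose OPENSSLDIR is /usr/lib/ssl and ignores the OPENSSL_CONF environment variable that OPENSSL_config(NULL) honours; a check that cannot drift from what OpenSSL actually opens would take the path from CONF_get1_default_config_file() (falling back to getenv("OPENSSL_CONF")) instead of a literal. Two smaller points: access(2) tests against the real UID, so it can report readable while the subsequent open inside OPENSSL_config() under the effective UID fails, and the diagnostic should say it is a best-effort check; and `const char *cnf_path = ...;` follows the `rm->status = entropy_status;` statement, a mixed declaration and code that C89 compilers reject, so either hoist the declaration to the top of the function or wrap the new block in its own braces.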