BIND security issues wiht RH labeled important status [update May 21, 2026]

LayLow · May 21, 2026, 8:02pm

davidep · May 25, 2026, 7:13am

Hi LayLow, thanks for the CVE heads up. The fixes will be released in the ns8-baseos mirror repository as soon as they become available from Red Hat and Rocky Linux, according to the usual schedule.

As for the BIND DNS server, NS8 does not implement or include it at all.

LayLow · June 3, 2026, 9:56am

How come RedHat says RH9 is affected?

LayLow · June 3, 2026, 9:57am

What IS the usual schedule?

dan · June 3, 2026, 10:23am

Because RH makes bind available for EL9? But just because it’s available doesn’t mean you need to install it.

LayLow · June 3, 2026, 10:26am

Not really sure, and never inteded, but the package BIND is installed on my NS8

[root@srv01 ~]# yum provides “bind”

Last metadata expiration check: 2:51:46 ago on Wed 03 Jun 2026 09:36:07 AM CEST.

bind-32:9.16.23-34.el9_7.1.x86_64 : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server

Repo : ns-appstream

Matched from:

Provide : bind = 32:9.16.23-34.el9_7.1

bind-32:9.16.23-34.el9_7.2.x86_64 : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server

Repo : ns-appstream

Matched from:

Provide : bind = 32:9.16.23-34.el9_7.2

bind9.18-32:9.18.29-5.el9_7.2.x86_64 : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server

Repo : ns-appstream

Matched from:

Provide : bind = 9.18.29-5.el9_7.2

bind9.18-32:9.18.29-5.el9_7.4.x86_64 : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server

Repo : ns-appstream

Matched from:

Provide : bind = 9.18.29-5.el9_7.4

dan · June 3, 2026, 10:39am

Maybe it is and maybe it isn’t, but yum provides doesn’t show this either way; it just shows what’s available in enabled repositories that provides the name in question. My system doesn’t have bind installed, but it does have other related packages:

➜  ~ dnf list installed | grep bind
bind-libs.x86_64                    32:9.16.23-34.el9_7.2         @ns-appstream
bind-license.noarch                 32:9.16.23-34.el9_7.2         @ns-appstream
bind-utils.x86_64                   32:9.16.23-34.el9_7.2         @ns-appstream
rpcbind.x86_64                      1.2.6-7.el9                   @baseos

LayLow · June 3, 2026, 11:13am

It should be very easy for Nethesis to clarify.

That does not show anything on ‘my’ server.

dan · June 3, 2026, 11:18am

I think they have already, and you quoted it:

Edit: I’m really not sure what more there would be for them to clarify. RH has published a vuln with a package that NS8 doesn’t use. You’ve confirmed your installation doesn’t use it, I’ve confirmed my installation doesn’t use it, and Davide has confirmed that NS8 doesn’t include or use it. What more would you want them to clarify?

Then bind is not installed for you either.

As to why bind-utils is on my system, it appears that provides dig, so I likely installed it manually in order to use that tool.

LayLow · June 3, 2026, 1:57pm

Clear, thanks.