UCS 5 seems to be running an outdated BIND9-Version?

Dear Univention Team,

our company is running your UCS (and we are very happy with it!).
While performing a pentest on our network infrastructure we got the feedback that the BIND9 server running on the UCS server has reached its end-of-life (version 9.11.5-P4-5.1+deb10u8). The UCS itself is up-to-date.
Is there a reason for using an old version of BIND9? Or do we have the wrong sources?

Additionally, OpenSSH also seems to be installed with an old version, but again, neither the UCS update nor the apt update delivers a newer version :confused:

Any help would be appreciated :slight_smile:


UCS is based on Debian/GNU-Linux which has the policy to backport security patches to older versions instead of updating to the latest upstream version, which might then have other bugs or worse — changed behavior or dropped support for older features.
Your security scanner therefore must understand the Debian package version scheme, e.g. +deb10u8, and know that this is not the plain unpatched 9.11.5-P4-5 original version, but a fixed version. Just because the version is older than the latest does not mean it is still vulnerable. You have to check individual issues; see Security and bugfix errata for Univention Corporate Server