Bug 17910

Summary: dhcp new security issue CVE-2016-2774
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Shlomi Fish <shlomif>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: marja11
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/686450/
Whiteboard:
Source RPM: dhcp-4.3.3P1-1.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2016-03-08 17:07:46 CET
Upstream has issued an advisory on March 7:
https://kb.isc.org/article/AA-01354

There will be mitigations for this to make it harder to exploit in 4.3.4, so we should update that in Cauldron when it becomes available.

However, the vulnerability isn't exposed by default, as an administrator has to enable OMAPI or failover to expose it.  The real solution, if one has enabled one of those features, is to configure the firewall to reject connections to those ports from untrusted hosts.  So, this is more of a system administrator configuration issue than a software security issue.  Therefore, an updated package for Mageia 5 is unnecessary.
Marja Van Waes 2016-03-28 22:30:54 CEST

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 1 David Walser 2016-03-30 21:49:27 CEST
dhcp-4.3.4-1.mga6 uploaded for Cauldron.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 2 David Walser 2016-05-05 17:57:55 CEST
Fedora has issued an advisory for this on April 4:
https://lists.fedoraproject.org/pipermail/package-announce/2016-May/183458.html

I have added their patch in Mageia 5 SVN.

URL: (none) => http://lwn.net/Vulnerabilities/686450/
Severity: normal => major