| Summary: | dhcp new security issues CVE-2018-5732 and CVE-2018-5733 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, bruno, davidwhodgins, marja11, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | dhcp-4.3.6-2.mga7.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 4.3.6-P1 and 4.4.1 | ||
Description
David Walser
2018-03-01 06:12:30 CET
David Walser
2018-03-01 06:12:44 CET
Whiteboard: (none) => MGA6TOO

Assigning to the registered maintainer.

Assignee: bugsquad => shlomif

RedHat has issued an advisory for this today (March 8):
https://access.redhat.com/errata/RHSA-2018:0469

Fedora has issued an advisory for this on March 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RR3UFXHOL7MG7FGZSMXZ7S25Y6CWOFYL/

RedHat has issued an advisory for this today (March 12):
https://access.redhat.com/errata/RHSA-2018:0483

dhcp-4.3.6P1-1.mga7 uploaded for Cauldron.
We might be able to borrow patches from Fedora for the older versions if they apply:
https://src.fedoraproject.org/cgit/rpms/dhcp.git/commit/?h=f27&id=a7c8513f1d318de7553b975cbb9089dc4b5ba8b8

Whiteboard: MGA6TOO => MGA5TOO

openSUSE has issued an advisory for this on March 27:
https://lists.opensuse.org/opensuse-updates/2018-03/msg00106.html

Version 4.4.1 pushed into cauldron

Status: NEW => ASSIGNED

Fedora patches mentioned in comment 5 applied to 4.3.5.
Updated version now pushed (4.3.5-2.1) in core/updates_testing for mga6

Assignee: shlomif => qa-bugs

Advisory:

========================

Updated dhcp packages fix security vulnerabilities:

Buffer overflow in dhclient possibly allowing code execution triggered by malicious server (CVE-2018-5732).

Reference count overflow in dhcpd allows denial of service (CVE-2018-5733).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5733
https://kb.isc.org/article/AA-01565
https://kb.isc.org/article/AA-01567
https://access.redhat.com/errata/RHSA-2018:0483

========================

Updated packages in core/updates_testing:

========================

dhcp-common-4.3.5-2.1.mga6
dhcp-doc-4.3.5-2.1.mga6
dhcp-server-4.3.5-2.1.mga6
dhcp-client-4.3.5-2.1.mga6
dhcp-relay-4.3.5-2.1.mga6
dhcp-devel-4.3.5-2.1.mga6

from dhcp-4.3.5-2.1.mga6.src.rpm

Whiteboard: MGA5TOO => (none)

I updated dhcp-common and dhcp-client on both 64-bit and 32-bit systems on a Probook 6550b. I then did a cold boot on each system, to make sure that my wifi connection would establish, using dhcp with my router. There were no problems noted. Using the 64-bit system to make this comment.

Going by Comment 1, these issues have been around for months. It's time the update was passed along. Since the update doesn't appear to break anything, I am OKing on both arches, and validating.

Whiteboard: (none) => MGA6-32-OK MGA6-64-OK

Dave Hodgins
2018-10-26 15:29:10 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0410.html

Status: ASSIGNED => RESOLVED