A CVE was requested on July 30 for an issue fixed in dhcpcd 6.4.3:
http://openwall.com/lists/oss-security/2014/07/30/5

Slackware has issued an advisory for this on August 1:
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.462420

The CVE request has not received a response.

The dhcpcd package has been updated to version 6.4.3 in Cauldron.
Whiteboard: (none) => MGA3TOO
Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated dhcpcd package fixes security vulnerability:

In dhcpcd before 6.4.3, a specially crafted packet received from a malicious DHCP server caused dhcpcd to enter an infinite loop, causing a denial of service.

References:
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.462420
========================

Updated packages in core/updates_testing:
========================
dhcpcd-5.6.8-1.1.mga3
dhcpcd-6.1.0-2.1.mga4

from SRPMS:
dhcpcd-5.6.8-1.1.mga3.src.rpm
dhcpcd-6.1.0-2.1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Working fine Mageia 4 i586.
Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK
This is just to note things to help test this (thanks to David Walser).

If you're using DHCP (which most people are), make sure your system is using dhcpcd and not dhclient (dhcp-client):-
Check your current DHCP pkgs.
If you have dhcp-client (= dhclient) and not dhcpcd, install dhcpcd and either uninstall dhcp-client; or go through the network configurator in MCC, it's a drop-down box choice.
CC: (none) => lewyssmith
To clarify the MCC route:
Network & Internet -> Network Centre -> select the Ethernet connection, Configuration -> configuration dialogue; scroll down to Advanced -> IP installation dialogue which has the DHCP client drop-down list from which you can choose dhcpcd once installed.

As for UNinstalling dhcp-client, this wanted to take with it:
- networkmanager-0.9.8.8-3.1.mga4.x86_64
- networkmanager-applet-0.9.8.8-1.mga4.x86_64
- task-gnome-minimal-3.10.1-3.mga4.noarch !
So I left it. Test follows.
MGA4 x64 real hardware. Installed dhcpcd from Release repository, selected it as described in Comment 4, re-booted, confirmed Internet via Ethernet with DHCP worked. Updated from Testing repository to dhcpcd-6.1.0-2.1.mga4. Re-booted, confirmed in MCC that dhcpcd was still selected [is there a quicker way from console?], am using the resulting Ethernet connection. Update OK.
Whiteboard: MGA3TOO MGA4-32-OK => MGA3TOO MGA4-32-OK MGA4-64-OK
You can confirm that it's still selected by checking /etc/sysconfig/network-scripts/ifcfg-{ifname} for whatever your interface name is. You should see DHCP_CLIENT=dhcpcd in there. You can also confirm that it's being *used* by checking your process list for a dhcpcd process. Finally, rebooting is not necessary to test. "systemctl restart network.service" is sufficient.
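A scripted form of the checks described in the comment above, as an added example that is not part of the original bug report. It assumes the ifcfg files mark DHCP interfaces with BOOTPROTO=dhcp; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm which DHCP client each DHCP-configured interface selects.

# ifcfg_get FILE KEY: print the last value assigned to KEY, quotes and blanks stripped.
ifcfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"' \t"
}

# check_dhcp_clients [DIR]: print "<ifname> <client>" for every ifcfg file with
# BOOTPROTO=dhcp (assumed marker for DHCP interfaces); return 1 when any of them
# does not say DHCP_CLIENT=dhcpcd. A missing DHCP_CLIENT line is reported as
# "unset" and counted as not confirmed.
check_dhcp_clients() {
    dir=${1:-/etc/sysconfig/network-scripts}
    rc=0
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        [ "$(ifcfg_get "$f" BOOTPROTO)" = dhcp ] || continue
        client=$(ifcfg_get "$f" DHCP_CLIENT)
        printf '%s %s\n' "${f##*/ifcfg-}" "${client:-unset}"
        [ "$client" = dhcpcd ] || rc=1
    done
    return "$rc"
}

# dhcpcd_running: true when a dhcpcd process is in the process list.
dhcpcd_running() {
    pgrep -x dhcpcd >/dev/null 2>&1
}

# Constructed sample files (not taken from a real system) to show the output.
demo=$(mktemp -d)
printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nDHCP_CLIENT=dhcpcd\n' > "$demo/ifcfg-eth0"
printf 'DEVICE=eth1\nBOOTPROTO=dhcp\nDHCP_CLIENT=dhclient\n' > "$demo/ifcfg-eth1"
check_dhcp_clients "$demo" || echo "not every DHCP interface is set to dhcpcd"
dhcpcd_running && echo "dhcpcd process found" || echo "no dhcpcd process found"
rm -rf "$demo"
```

On a test machine, call check_dhcp_clients with no argument after "systemctl restart network.service" to read the real /etc/sysconfig/network-scripts directory.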
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
dhcpcd

default install of dhcpcd

[root@localhost wilcal]# urpmi dhcpcd
Package dhcpcd-5.6.8-1.mga3.i586 is already installed

Select dhcpcd from MCC per Comment #4. Reboot system.
Recheck setting as set per Comment #4. dhcpcd remains selected.
Vbox client has been assigned proper LAN IP as expected.
LAN & WAN connectivity is confirmed.

install dhcpcd from updates_testing
reboot system

[root@localhost wilcal]# urpmi dhcpcd
Package dhcpcd-5.6.8-1.1.mga3.i586 is already installed

Recheck setting as set per Comment #4. dhcpcd remains selected.
Vbox client has been assigned proper LAN IP as expected.
LAN & WAN connectivity is confirmed.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA4-32-OK MGA4-64-OK
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
dhcpcd

default install of dhcpcd

[root@localhost wilcal]# urpmi dhcpcd
Package dhcpcd-5.6.8-1.mga3.x86_64 is already installed

Select dhcpcd from MCC per Comment #4. Reboot system.
Recheck setting as set per Comment #4. dhcpcd remains selected.
Vbox client has been assigned proper LAN IP as expected.
LAN & WAN connectivity is confirmed.

install dhcpcd from updates_testing
reboot system

[root@localhost wilcal]# urpmi dhcpcd
Package dhcpcd-5.6.8-1.1.mga3.x86_64 is already installed

Recheck setting as set per Comment #4. dhcpcd remains selected.
Vbox client has been assigned proper LAN IP as expected.
LAN & WAN connectivity is confirmed.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
For me this update works fine.

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO MGA3-32-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
Advisory uploaded.
CC: (none) => remi
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0334.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
A CVE was finally assigned today, CVE-2014-6060:
http://openwall.com/lists/oss-security/2014/09/01/11

Advisory:
========================

Updated dhcpcd package fixes security vulnerability:

In dhcpcd before 6.4.3, a specially crafted packet received from a malicious DHCP server caused dhcpcd to enter an infinite loop, causing a denial of service (CVE-2014-6060).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6060
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.462420
http://openwall.com/lists/oss-security/2014/09/01/11
Summary: dhcpcd new denial of service security issue fixed upstream in 6.4.3 => dhcpcd new denial of service security issue fixed upstream in 6.4.3 (CVE-2014-6060)