Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated dhcpcd package fixes security vulnerability:

In dhcpcd before 6.4.3, a specially crafted packet received from a malicious
DHCP server caused dhcpcd to enter an infinite loop, causing a denial of
service.

References:
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.462420
========================

Updated packages in core/updates_testing:
========================
dhcpcd-5.6.8-1.1.mga3
dhcpcd-6.1.0-2.1.mga4

from SRPMS:
dhcpcd-5.6.8-1.1.mga3.src.rpm
dhcpcd-6.1.0-2.1.mga4.src.rpm

Assignee: bugsquad => qa-bugs

Working fine Mageia 4 i586.

Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK

This is just to note things to help test this (thanks to David Walser).

if you're using DHCP (which most people are), make sure your system is using dhcpcd and not dhclient (dhcp-client):-
Check your current DHCP pkgs. If you have dhcp-client (= dhclient) and not dhcpcd, install dhcpcd and either uninstall dhcp-client; or
go through the network configurator in MCC, it's a drop-down box choice.

CC: (none) => lewyssmith

To clarify the MCC route:
Network & Internet -> Network Centre -> select the Ethernet connnection, Configuration -> configuration dialogue; scroll down to Advanced -> IP installation dialogue which has the DHCP client drop-down list from which you can choose dhcpcd once installed.

As for UNinstalling dhcp-client, this wanted to take with it:
- networkmanager-0.9.8.8-3.1.mga4.x86_64
- networkmanager-applet-0.9.8.8-1.mga4.x86_64
- task-gnome-minimal-3.10.1-3.mga4.noarch
! So I left it. Test follows.

MGA4 x64 real hardware.

Installed dhcpcd from Release repository, selected it as described in Comment 4, re-booted, confirmed Internet via Ethernet with DHCP worked.

Updated from Testing repository to dhcpcd-6.1.0-2.1.mga4.
Re-booted, confirmed in MCC that dhcpcd was still selected [is there a quicker way from console?], am using the resulting Ethernet connection. Update OK.

Whiteboard: MGA3TOO MGA4-32-OK => MGA3TOO MGA4-32-OK MGA4-64-OK

You can confirm that it's still selected by checking /etc/sysconfig/network-scripts/ifcfg-{ifname} for whatever your interface name is.  You should see DHCP_CLIENT=dhcpcd in there.  You can also confirm that it's being *used* by checking your process list for a dhcpcd process.  Finally, rebooting is not necessary to test.  "systemctl restart network.service" is sufficient.

In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
dhcpcd

default install of dhcpcd

[root@localhost wilcal]# urpmi dhcpcd
Package dhcpcd-5.6.8-1.mga3.i586 is already installed

Select dhcpcd from MCC per Comment #4. Reboot system.
Recheck setting as set per Comment #4. dhcpcd remains selected.
Vbox client has been assigned proper LAN IP as expected.
LAN & WAN connectivity is confirmed.

install dhcpcd from updates_testing
reboot system

[root@localhost wilcal]# urpmi dhcpcd
Package dhcpcd-5.6.8-1.1.mga3.i586 is already installed

Recheck setting as set per Comment #4. dhcpcd remains selected.
Vbox client has been assigned proper LAN IP as expected.
LAN & WAN connectivity is confirmed.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA4-32-OK MGA4-64-OK

In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
dhcpcd

default install of dhcpcd

[root@localhost wilcal]# urpmi dhcpcd
Package dhcpcd-5.6.8-1.mga3.x86_64 is already installed

Select dhcpcd from MCC per Comment #4. Reboot system.
Recheck setting as set per Comment #4. dhcpcd remains selected.
Vbox client has been assigned proper LAN IP as expected.
LAN & WAN connectivity is confirmed.

install dhcpcd from updates_testing
reboot system

[root@localhost wilcal]# urpmi dhcpcd
Package dhcpcd-5.6.8-1.1.mga3.x86_64 is already installed

Recheck setting as set per Comment #4. dhcpcd remains selected.
Vbox client has been assigned proper LAN IP as expected.
LAN & WAN connectivity is confirmed.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

For me this update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0334.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

A CVE was finally assigned today, CVE-2014-6060:
http://openwall.com/lists/oss-security/2014/09/01/11

Advisory:
========================

Updated dhcpcd package fixes security vulnerability:

In dhcpcd before 6.4.3, a specially crafted packet received from a malicious
DHCP server caused dhcpcd to enter an infinite loop, causing a denial of
service (CVE-2014-6060).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6060
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.462420
http://openwall.com/lists/oss-security/2014/09/01/11

Summary: dhcpcd new denial of service security issue fixed upstream in 6.4.3 => dhcpcd new denial of service security issue fixed upstream in 6.4.3 (CVE-2014-6060)