Two CVEs have been assigned for bugs fixed upstream in dhcpcd: http://openwall.com/lists/oss-security/2016/01/07/4 A new release with the fixes is not available yet, but their releases come out fairly frequently, so it shouldn't be long. Reproducible: Steps to Reproduce:
dhcpcd 6.10.0 has been released, fixing these: http://roy.marples.name/archives/dhcpcd-discuss/2016/1143.html
URL: (none) => http://lwn.net/Vulnerabilities/671444/
Release announcements for the versions between 6.7.1 and 6.10.0: http://roy.marples.name/archives/dhcpcd-discuss/2015/1001.html http://roy.marples.name/archives/dhcpcd-discuss/2015/1004.html http://roy.marples.name/archives/dhcpcd-discuss/2015/1012.html http://roy.marples.name/archives/dhcpcd-discuss/2015/1018.html http://roy.marples.name/archives/dhcpcd-discuss/2015/1058.html http://roy.marples.name/archives/dhcpcd-discuss/2015/1089.html http://roy.marples.name/archives/dhcpcd-discuss/2015/1093.html http://roy.marples.name/archives/dhcpcd-discuss/2015/1129.html
Updated packages uploaded for Mageia 5 and Cauldron. Advisory: ======================== Updated dhcpcd packages fix security vulnerabilities: Possible heap overflow in dhcpcd before 6.10.0 caused by malformed dhcp responses due to incorrect option length values (CVE-2016-1503). Possible invalid read in dhcpcd before 6.10.0 caused by malformed dhcp responses can lead to a crash (CVE-2016-1504). The dhcpcd package has been updated to version 6.10.0 which fixes these issues and has several other bug fixes and enhancements. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1503 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1504 http://roy.marples.name/archives/dhcpcd-discuss/2015/1001.html http://roy.marples.name/archives/dhcpcd-discuss/2015/1004.html http://roy.marples.name/archives/dhcpcd-discuss/2015/1012.html http://roy.marples.name/archives/dhcpcd-discuss/2015/1018.html http://roy.marples.name/archives/dhcpcd-discuss/2015/1058.html http://roy.marples.name/archives/dhcpcd-discuss/2015/1089.html http://roy.marples.name/archives/dhcpcd-discuss/2015/1093.html http://roy.marples.name/archives/dhcpcd-discuss/2015/1129.html http://roy.marples.name/archives/dhcpcd-discuss/2016/1143.html http://openwall.com/lists/oss-security/2016/01/07/4 ======================== Updated packages in core/updates_testing: ======================== dhcpcd-6.10.0-1.mga5 from dhcpcd-6.10.0-1.mga5.src.rpm
Assignee: bugsquad => qa-bugs
CC: (none) => davidwhodginsWhiteboard: (none) => advisory
In VirtualBox, M5, KDE, 32-bit Package(s) under test: dhcpcd default install of dhcpcd [root@localhost wilcal]# urpmi dhcpcd Package dhcpcd-6.7.1-1.mga5.i586 is already installed MCC -> Network & Internet -> Network Center -> select the Ethernet connection -> Configure connection -> go to Advanced -> IP settings -> DHCP client -> select dhcpcd reboot system under test Network connection successful. LAN & WAN connectivity is confirmed. Vbox client has been assigned proper LAN IP as expected. install dhcpcd from updates_testing reboot system [root@localhost wilcal]# urpmi dhcpcd Package dhcpcd-6.10.0-1.mga5.i586 is already installed Check MCC -> Network & Internet to ensure dhcpcd is still being used. Network connection successful. LAN & WAN connectivity is confirmed. Vbox client has been assigned proper LAN IP as expected.
CC: (none) => wilcal.intWhiteboard: advisory => advisory MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit Package(s) under test: dhcpcd default install of dhcpcd [root@localhost wilcal]# urpmi dhcpcd Package dhcpcd-6.7.1-1.mga5.x86_64 is already installed MCC -> Network & Internet -> Network Center -> select the Ethernet connection -> Configure connection -> go to Advanced -> IP settings -> DHCP client -> select dhcpcd reboot system under test Network connection successful. LAN & WAN connectivity is confirmed. Vbox client has been assigned proper LAN IP as expected. install dhcpcd from updates_testing reboot system [root@localhost wilcal]# urpmi dhcpcd Package dhcpcd-6.10.0-1.mga5.x86_64 is already installed Check MCC -> Network & Internet to ensure dhcpcd is still being used. Network connection successful. LAN & WAN connectivity is confirmed. Vbox client has been assigned proper LAN IP as expected.
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
This update works fine. Testing complete for MGA5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0034.html
Status: NEW => RESOLVEDResolution: (none) => FIXED