Bug 17910 - dhcp new security issue CVE-2016-2774
Summary: dhcp new security issue CVE-2016-2774
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: Shlomi Fish
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/686450/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-08 17:07 CET by David Walser
Modified: 2016-05-05 17:57 CEST

See Also:
Source RPM: dhcp-4.3.3P1-1.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2016-03-08 17:07:46 CET
Upstream has issued an advisory on March 7:
https://kb.isc.org/article/AA-01354

There will be mitigations for this to make it harder to exploit in 4.3.4, so we should update that in Cauldron when it becomes available.

However, the vulnerability isn't exposed by default, as an administrator has to enable OMAPI or failover to expose it.  The real solution, if one has enabled one of those features, is to configure the firewall to reject connections to those ports from untrusted hosts.  So, this is more of a system administrator configuration issue than a software security issue.  Therefore, an updated package for Mageia 5 is unnecessary.
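An added example, not part of the original report or of ISC's code: a small audit of a `dhcpd.conf` that reports whether OMAPI or failover is enabled and which ports would need the firewall restriction described above. The function names, the sample configuration and its port values are constructed for illustration.

```python
import re

# Constructed sample dhcpd.conf for illustration (not from the bug report).
SAMPLE_CONF = '''
# omapi-port 9999;  commented out, must be ignored
omapi-port 7911;
failover peer "dhcp-ha" {
    primary;
    address 192.0.2.10;
    port 647;
    peer address 192.0.2.11;
    peer port 647;
}
subnet 192.0.2.0 netmask 255.255.255.0 {
    pool { failover peer "dhcp-ha"; range 192.0.2.100 192.0.2.200; }
}
'''

def strip_comments(text):
    """Remove '#' comments, leaving '#' inside double-quoted strings alone."""
    lines = []
    for line in text.splitlines():
        in_quote = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_quote = not in_quote
            elif ch == '#' and not in_quote:
                line = line[:i]
                break
        lines.append(line)
    return "\n".join(lines)

def exposed_listeners(conf_text):
    """Return sorted (feature, port) pairs; port is None if the file sets none."""
    text = strip_comments(conf_text)
    found = {("omapi", int(m.group(1)))
             for m in re.finditer(r'\bomapi-port\s+(\d+)\s*;', text)}
    # Only a declaration (name followed by '{') opens a listener; a bare
    # 'failover peer "x";' inside a pool is just a reference to it.
    for m in re.finditer(r'\bfailover\s+peer\s+"([^"]+)"\s*\{([^}]*)\}', text):
        port = None
        for stmt in m.group(2).split(';'):
            tokens = stmt.split()
            # 'port N' is the local listening port; 'peer port N' is the remote one.
            if len(tokens) == 2 and tokens[0] == 'port' and tokens[1].isdigit():
                port = int(tokens[1])
        found.add(("failover:" + m.group(1), port))
    return sorted(found, key=lambda item: (item[0], item[1] or 0))

if __name__ == "__main__":
    for feature, port in exposed_listeners(SAMPLE_CONF):
        print(f"{feature}: restrict port {port} to trusted hosts in the firewall")
```

An empty result means neither feature is enabled in the file, which is the default case the report describes as not exposed.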
Marja Van Waes 2016-03-28 22:30:54 CEST

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 1 David Walser 2016-03-30 21:49:27 CEST
dhcp-4.3.4-1.mga6 uploaded for Cauldron.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 2 David Walser 2016-05-05 17:57:55 CEST
Fedora has issued an advisory for this on April 4:
https://lists.fedoraproject.org/pipermail/package-announce/2016-May/183458.html

I have added their patch in Mageia 5 SVN.

URL: (none) => http://lwn.net/Vulnerabilities/686450/
Severity: normal => major
