Bug 22674 - dhcp new security issues CVE-2018-5732 and CVE-2018-5733
Summary: dhcp new security issues CVE-2018-5732 and CVE-2018-5733
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-01 06:12 CET by David Walser
Modified: 2018-10-26 20:48 CEST
CC List: 5 users

See Also:
Source RPM: dhcp-4.3.6-2.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 4.3.6-P1 and 4.4.1


Description David Walser 2018-03-01 06:12:30 CET
ISC has issued advisories on February 28:
https://kb.isc.org/article/AA-01565
https://kb.isc.org/article/AA-01567

The issue is fixed upstream in 4.3.6-P1 and 4.4.1:
https://kb.isc.org/article/AA-01570
https://kb.isc.org/article/AA-01567

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-03-01 06:12:44 CET

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 4.3.6-P1 and 4.4.1

Comment 1 Marja Van Waes 2018-03-01 17:34:14 CET
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 David Walser 2018-03-08 16:11:36 CET
RedHat has issued an advisory for this today (March 8):
https://access.redhat.com/errata/RHSA-2018:0469
Comment 3 David Walser 2018-03-11 14:32:22 CET
Fedora has issued an advisory for this on March 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RR3UFXHOL7MG7FGZSMXZ7S25Y6CWOFYL/
Comment 4 David Walser 2018-03-12 22:18:48 CET
RedHat has issued an advisory for this today (March 12):
https://access.redhat.com/errata/RHSA-2018:0483
Comment 5 David Walser 2018-03-15 21:15:44 CET
dhcp-4.3.6P1-1.mga7 uploaded for Cauldron.

We might be able to borrow patches from Fedora for the older versions if they apply:
https://src.fedoraproject.org/cgit/rpms/dhcp.git/commit/?h=f27&id=a7c8513f1d318de7553b975cbb9089dc4b5ba8b8

Whiteboard: MGA6TOO => MGA5TOO
Version: Cauldron => 6

Comment 6 David Walser 2018-03-31 21:55:15 CEST
openSUSE has issued an advisory for this on March 27:
https://lists.opensuse.org/opensuse-updates/2018-03/msg00106.html
Comment 7 Bruno Cornec 2018-10-13 15:26:33 CEST
Version 4.4.1 pushed into cauldron

Status: NEW => ASSIGNED
CC: (none) => bruno

Comment 8 Bruno Cornec 2018-10-15 01:49:32 CEST
Fedora patches mentioned in comment 5 applied to 4.3.5. Updated version now pushed (4.3.5-2.1) in core/updates_testing for mga6

Assignee: shlomif => qa-bugs

Comment 9 David Walser 2018-10-15 04:19:57 CEST
Advisory:
========================

Updated dhcp packages fix security vulnerabilities:

Buffer overflow in dhclient possibly allowing code execution triggered by
malicious server (CVE-2018-5732).

Reference count overflow in dhcpd allows denial of service (CVE-2018-5733).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5733
https://kb.isc.org/article/AA-01565
https://kb.isc.org/article/AA-01567
https://access.redhat.com/errata/RHSA-2018:0483
========================

Updated packages in core/updates_testing:
========================
dhcp-common-4.3.5-2.1.mga6
dhcp-doc-4.3.5-2.1.mga6
dhcp-server-4.3.5-2.1.mga6
dhcp-client-4.3.5-2.1.mga6
dhcp-relay-4.3.5-2.1.mga6
dhcp-devel-4.3.5-2.1.mga6

from dhcp-4.3.5-2.1.mga6.src.rpm

Whiteboard: MGA5TOO => (none)
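
Added example (not part of the bug report, and not Mageia's own QA tooling): a check that every installed dhcp package on a Mageia 6 host is at or above the fixed release named in the advisory, 4.3.5-2.1.mga6. The `rpm -qa 'dhcp*'` listing below is constructed sample input; the version comparison re-implements RPM's rpmvercmp segment rules (tilde/caret handling left out, epoch assumed 0 since the default `rpm -qa` format does not print it) because a plain string comparison ranks the release 2.1.mga6 below the older 2.mga6 and would wave the unpatched packages through.

```python
"""Audit installed dhcp packages against the fixed Mageia 6 release.

Added example, not code from the bug report or from Mageia. Version ordering
follows rpmvercmp(): labels are split into alternating numeric and alphabetic
segments, separators are ignored, a numeric segment is newer than an alphabetic
one, and when all common segments match the label with segments left over wins.
"""

import re

# Constructed sample of `rpm -qa 'dhcp*'` output on a partly updated host:
# two packages still at the previous release, two at the fixed one.
SAMPLE_RPM_QA = """\
dhcp-client-4.3.5-2.mga6.x86_64
dhcp-common-4.3.5-2.1.mga6.x86_64
dhcp-doc-4.3.5-2.1.mga6.noarch
dhcp-server-4.3.5-2.mga6.x86_64
"""

# Fixed version/release from the advisory in Comment 9 (epoch assumed 0).
FIXED_VERSION = "4.3.5"
FIXED_RELEASE = "2.1.mga6"

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b under rpmvercmp rules."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # numeric segment beats alphabetic segment ("2.1" > "2.mga")
            return 1 if x_num else -1
        if x_num:
            x, y = int(x), int(y)  # numeric compare, leading zeros ignored
        if x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def parse_nevra(line):
    """Split 'name-version-release.arch' as printed by rpm -qa into parts."""
    nvr, _, arch = line.strip().rpartition(".")
    # the name may itself contain hyphens (dhcp-client), so split from the right
    name, version, release = nvr.rsplit("-", 2)
    return {"name": name, "version": version, "release": release, "arch": arch}


def is_fixed(pkg):
    """True if the package's version-release is >= the advisory's fix."""
    c = rpmvercmp(pkg["version"], FIXED_VERSION)
    if c == 0:
        c = rpmvercmp(pkg["release"], FIXED_RELEASE)
    return c >= 0


def audit(rpm_qa_output):
    """Map each NEVRA line in an `rpm -qa 'dhcp*'` listing to True (fixed) or False."""
    result = {}
    for line in rpm_qa_output.splitlines():
        if line.strip():
            result[line.strip()] = is_fixed(parse_nevra(line))
    return result


if __name__ == "__main__":
    for nevra, ok in sorted(audit(SAMPLE_RPM_QA).items()):
        print(("fixed      " if ok else "VULNERABLE ") + nevra)
```

On a real host feed it `rpm -qa 'dhcp*'` output instead of the sample; a Cauldron build such as dhcp-4.3.6P1-1.mga7 compares as newer than 4.3.5 and is reported as fixed, while anything at 4.3.5-2.mga6 is flagged.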

Comment 10 Thomas Andrews 2018-10-21 21:48:29 CEST
I updated dhcp-common and dhcp-client on both 64-bit and 32-bit systems on a Probook 6550b. I then did a cold boot on each system, to make sure that my wifi connection would establish, using dhcp with my router.

There were no problems noted. Using the 64-bit system to make this comment.

Going by Comment 1, these issues have been around for months. It's time the update was passed along. 

Since the update doesn't appear to break anything, I am OKing on both arches, and validating.

Whiteboard: (none) => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2018-10-26 15:29:10 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 11 Mageia Robot 2018-10-26 20:48:11 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0410.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

