Mandriva issued this advisory on December 8: http://lists.mandriva.com/security-announce/2011-12/msg00004.php It can be fixed by updating to 4.2.3-P1 or with the patch Mandriva used.
Suggested advisory:
========================

Updated dhcp packages fix security vulnerabilities in the DHCP server:

dhcpd in ISC DHCP 4.x before 4.2.3-P1 and 4.1-ESV before 4.1-ESV-R4 does not properly handle regular expressions in dhcpd.conf, which allows remote attackers to cause a denial of service (daemon crash) via a crafted request packet. (CVE-2011-4539)

The server in ISC DHCP 3.x and 4.x before 4.2.2, 3.1-ESV before 3.1-ESV-R3, and 4.1-ESV before 4.1-ESV-R3 allows remote attackers to cause a denial of service (daemon exit) via a crafted DHCP (CVE-2011-2748) or BOOTP (CVE-2011-2749) packet.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4539
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2749
http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2011:182
https://www.isc.org/software/dhcp/advisories/cve-2011-4539
ftp://ftp.isc.org/isc/dhcp/dhcp-4.2.3/dhcp-4.2.3-RELNOTES
========================

Updated packages in core/updates_testing:
=====================
dhcp-client-4.2.1-0.P1.3.1.mga1
dhcp-common-4.2.1-0.P1.3.1.mga1
dhcp-devel-4.2.1-0.P1.3.1.mga1
dhcp-doc-4.2.1-0.P1.3.1.mga1
dhcp-relay-4.2.1-0.P1.3.1.mga1
dhcp-server-4.2.1-0.P1.3.1.mga1

from dhcp-4.2.1-0.P1.3.1.mga1.src.rpm.
=====================

No testcases.
Keywords: (none) => Security
Status: NEW => ASSIGNED
CC: (none) => anssi.hannula
Hardware: i586 => All
Assignee: bugsquad => qa-bugs
Tested dhcp-server and dhcp-client on i586. Both work fine.
Tested server and client. For server I used dhcping and observed the results in syslog.

Update validated.

Advisory:
========================

Updated dhcp packages fix security vulnerabilities in the DHCP server:

dhcpd in ISC DHCP 4.x before 4.2.3-P1 and 4.1-ESV before 4.1-ESV-R4 does not properly handle regular expressions in dhcpd.conf, which allows remote attackers to cause a denial of service (daemon crash) via a crafted request packet. (CVE-2011-4539)

The server in ISC DHCP 3.x and 4.x before 4.2.2, 3.1-ESV before 3.1-ESV-R3, and 4.1-ESV before 4.1-ESV-R3 allows remote attackers to cause a denial of service (daemon exit) via a crafted DHCP (CVE-2011-2748) or BOOTP (CVE-2011-2749) packet.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4539
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2749
http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2011:182
https://www.isc.org/software/dhcp/advisories/cve-2011-4539
ftp://ftp.isc.org/isc/dhcp/dhcp-4.2.3/dhcp-4.2.3-RELNOTES
========================

SRPM: dhcp-4.2.1-0.P1.3.1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates? Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed.
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED