Bug 7473 - dhcp new security issue CVE-2012-3955
Summary: dhcp new security issue CVE-2012-3955
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA1...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-09-13 20:09 CEST by David Walser
Modified: 2012-09-14 00:19 CEST

See Also:
Source RPM: dhcp
CVE:
Status comment:



David Walser 2012-09-13 20:12:28 CEST

Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 1 David Walser 2012-09-13 21:10:26 CEST
Updated packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory to come.

Package list:
dhcp-common-4.2.4-0.P2.1.mga1
dhcp-doc-4.2.4-0.P2.1.mga1
dhcp-server-4.2.4-0.P2.1.mga1
dhcp-client-4.2.4-0.P2.1.mga1
dhcp-relay-4.2.4-0.P2.1.mga1
dhcp-devel-4.2.4-0.P2.1.mga1
dhcp-common-4.2.4P2-1.1.mga2
dhcp-doc-4.2.4P2-1.1.mga2
dhcp-server-4.2.4P2-1.1.mga2
dhcp-client-4.2.4P2-1.1.mga2
dhcp-relay-4.2.4P2-1.1.mga2
dhcp-devel-4.2.4P2-1.1.mga2

from SRPMS:
dhcp-4.2.4-0.P2.1.mga1
dhcp-4.2.4P2-1.1.mga2

Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

David Walser 2012-09-13 21:49:36 CEST

CC: (none) => oe

Comment 2 David Walser 2012-09-13 22:28:15 CEST
Advisory:
========================

Updated dhcp packages fix security vulnerability:

In the ISC DHCP server, prior to 4.2.4-P2, reducing the expiration time
for an active IPv6 lease may cause the server to crash (CVE-2012-3955).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3955
https://kb.isc.org/article/AA-00779
https://kb.isc.org/article/AA-00792
========================

Updated packages in core/updates_testing:
========================
dhcp-common-4.2.4-0.P2.1.mga1
dhcp-doc-4.2.4-0.P2.1.mga1
dhcp-server-4.2.4-0.P2.1.mga1
dhcp-client-4.2.4-0.P2.1.mga1
dhcp-relay-4.2.4-0.P2.1.mga1
dhcp-devel-4.2.4-0.P2.1.mga1
dhcp-common-4.2.4P2-1.1.mga2
dhcp-doc-4.2.4P2-1.1.mga2
dhcp-server-4.2.4P2-1.1.mga2
dhcp-client-4.2.4P2-1.1.mga2
dhcp-relay-4.2.4P2-1.1.mga2
dhcp-devel-4.2.4P2-1.1.mga2

from SRPMS:
dhcp-4.2.4-0.P2.1.mga1.src.rpm
dhcp-4.2.4P2-1.1.mga2.src.rpm

Assignee: bugsquad => qa-bugs

David Walser 2012-09-13 22:38:23 CEST

Severity: normal => major

Comment 3 Dave Hodgins 2012-09-13 22:58:35 CEST
Testing in progress, using the procedure at
https://bugs.mageia.org/show_bug.cgi?id=6872#c6

CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO has_procedure

Comment 4 Dave Hodgins 2012-09-14 00:05:52 CEST
Testing complete on Mageia 1 and 2, x86-64 and i586.

Could someone from the sysadmin team push the srpm
dhcp-4.2.4P2-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
dhcp-4.2.4-0.P2.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated dhcp packages fix security vulnerability:

In the ISC DHCP server, prior to 4.2.4-P2, reducing the expiration time
for an active IPv6 lease may cause the server to crash (CVE-2012-3955).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3955
https://kb.isc.org/article/AA-00779
https://kb.isc.org/article/AA-00792

https://bugs.mageia.org/show_bug.cgi?id=7473

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK MGA2-32-OK MGA2-64-OK

Comment 5 Thomas Backlund 2012-09-14 00:19:47 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0270

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

