DHCP 4.2.5-P1 has been released to fix CVE-2013-2494: https://kb.isc.org/article/AA-00880
Whiteboard: (none) => MGA2TOO
After looking at this a bit, these are the changes between 4.2.5 and 4.2.5-P1: --- bind-9.8.4-P1/config.h.in 2012-10-26 06:52:55.000000000 +0200 +++ bind-9.8.4-P2/config.h.in 2013-03-06 17:57:05.000000000 +0100 @@ -286,9 +286,6 @@ int sigwait(const unsigned int *set, int /* Define if your OpenSSL version supports GOST. */ #undef HAVE_OPENSSL_GOST -/* Define to 1 if you have the <regex.h> header file. */ -#undef HAVE_REGEX_H - /* Define to 1 if you have the `setegid' function. */ #undef HAVE_SETEGID --- bind-9.8.4-P1/configure.in 2012-10-26 06:52:55.000000000 +0200 +++ bind-9.8.4-P2/configure.in 2013-03-06 17:57:05.000000000 +0100 @@ -298,7 +298,7 @@ esac AC_HEADER_STDC -AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,, +AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,, [$ac_includes_default #ifdef HAVE_SYS_PARAM_H # include <sys/param.h>
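Review bot: in the config.h.in hunk, the file headers name bind-9.8.4-P1 and bind-9.8.4-P2, while the comment introduces the diff as the changes between 4.2.5 and 4.2.5-P1. The package changelog should say explicitly that the delta sits in the bundled BIND tree, so that nobody reviewing the update goes looking for a DHCP-side source change. The removal of the "#undef HAVE_REGEX_H" template itself matches the configure.in change and needs nothing further.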
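Review bot: in the configure.in hunk, dropping regex.h from AC_CHECK_HEADERS means HAVE_REGEX_H is never defined, so any code still guarded by that macro will silently compile out. The visible hunks touch only configure.in and config.h.in, so check that no source file in the bundled tree still tests HAVE_REGEX_H or includes <regex.h> unconditionally, and that the generated configure script is rebuilt from this configure.in before the package is built.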
CC: (none) => oe
Additionally there is a bogus BR in the dhcp.spec file:
BuildRequires: bind-devel
This is not necessary as the bundled bind tarball is extracted, built and used for certain functions in the dhcp codebase. FYI. Fedora has fixed this by using their bind-libs-devel (or what it's called), not sure if their dhcp uses a shared bind library though, if not pretty useless...
4.2.5-P1 has been submitted to mga2/updates_testing
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)
4.2.5-P1 has been submitted to cauldron.
Assigning to QA.

Advisory:
========================

Updated dhcp packages fix security vulnerability:

Exploitation of a memory exhaustion bug in libdns is theoretically possible in ISC DHCP before 4.2.5-P1, which uses the library from BIND 9 for Dynamic DNS. Servers which are targeted by a successful attack will exhaust all memory available to the server process, which is likely to crash the DHCP server and may affect other processes running on the same physical machine when system memory is exhausted (CVE-2013-2494).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2494
https://kb.isc.org/article/AA-00880
https://kb.isc.org/article/AA-00891
========================

Updated packages in core/updates_testing:
========================
dhcp-common-4.2.5P1-1.mga2
dhcp-doc-4.2.5P1-1.mga2
dhcp-server-4.2.5P1-1.mga2
dhcp-client-4.2.5P1-1.mga2
dhcp-relay-4.2.5P1-1.mga2
dhcp-devel-4.2.5P1-1.mga2

from dhcp-4.2.5P1-1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
CVE at mitre.org is just a placeholder. Nothing found on securityfocus.
CC: (none) => wrw105
Testing complete on Mageia 2 i586 and x86_64.

Tested using the procedure from https://bugs.mageia.org/show_bug.cgi?id=4514#c9

Could someone from the sysadmin team push the srpm dhcp-4.2.5P1-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Updated dhcp packages fix security vulnerability:

Exploitation of a memory exhaustion bug in libdns is theoretically possible in ISC DHCP before 4.2.5-P1, which uses the library from BIND 9 for Dynamic DNS. Servers which are targeted by a successful attack will exhaust all memory available to the server process, which is likely to crash the DHCP server and may affect other processes running on the same physical machine when system memory is exhausted (CVE-2013-2494).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2494
https://kb.isc.org/article/AA-00880
https://kb.isc.org/article/AA-00891
https://bugs.mageia.org/show_bug.cgi?id=9547
Keywords: (none) => validated_update
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0106
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED