Opened 6 years ago

Closed 6 years ago

#7333 closed enhancement (fixed)

dhcpcd-6.10.0

Reported by: Fernando de Oliveira Owned by: Fernando de Oliveira
Priority: high Milestone: 7.9
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description (last modified by Fernando de Oliveira)

Fixes Include Security CVE-2016-1503 and CVE-2016-1504

Also:

Care should be taken for this upgrade because dhcpcd will no longer try to manage wpa_supplicant by default - if you rely on this you will have to ensure you update the hook yourself or manage starting/stopping wpa_supplicant another way. The rationale is that it's not really the job of dhcpcd to configure the interface.

http://roy.marples.name/downloads/dhcpcd/dhcpcd-6.10.0.tar.xz

ftp://roy.marples.name/pub/dhcpcd/dhcpcd-6.10.0.tar.xz

http://roy.marples.name/archives/dhcpcd-discuss/2016/1143.html

dhcpcd-6.10.0 released

From: Roy Marples <roy_at_marples.name>
Date: Thu, 7 Jan 2016 17:18:02 +0000

Hi List! Happy 2016!

To kick off the new year, here is a new dhcpcd release with the
following changes:
  • --noption requires an argument
  • optimise the ARP BPF filter, thanks to Nate Karstens
  • send gratuitous ARP each time we apply our IP address
  • fix truncation of hostnames based on the short hostname option
  • improve routing and address management by always loading all
    interfaces, routes and addresses even for interfaces we are not
    directly working on
  • timezone, lookup-hostname, wpa_supplicant and YP hooks are no longer
    installed by default but are installed to an example directory
  • fix compile on kFreeBSD thanks to Christoph Egger for providing a
    temporary build host
  • improve error logging of packet parsing
  • fix ignoring routing messages generated by dhcpcd just before
    forking
  • fix handling of rapid commit messages (allow ACK after DISCOVER)
  • add PROBE state so we can easily reject DHCP messages received
    during the ARP probe phase
  • fix CVE-2016-1503
  • fix CVE-2016-1504

Care should be taken for this upgrade because dhcpcd will no longer try
to manage wpa_supplicant by default - if you rely on this you will have
to ensure you update the hook yourself or manage starting/stopping
wpa_supplicant another way.
The rationale is that it's not really the job of dhcpcd to configure the
interface.

The two CVE's mentioned are to do with malformed DHCP messages causing
dhcpcd to crash. The current view is the worst case is a DoS.
http://openwall.com/lists/oss-security/2016/01/07/3
http://roy.marples.name/projects/dhcpcd/info/76a1609352263bd9
http://roy.marples.name/projects/dhcpcd/info/595883e2a431f65d
Subsequent commits have improved the above work, but the above two
really fix the issues.

dhcpcd releases from 4.0.0 onwards are vulnerable to the first issue,
6.0.0 onwards for the second issue.
Contact me off list if you need help with patching a specific dhcpcd
version, but I do encourge everyone to upgrade to dhcpcd-6.10.0 which
has a lot of other fixes since those versions as well!

Thanks

Roy

Change History (3)

comment:1 by Fernando de Oliveira, 6 years ago

Description: modified (diff)

comment:2 by Fernando de Oliveira, 6 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: newassigned

comment:3 by Fernando de Oliveira, 6 years ago

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.