Reported by: Fernando de Oliveira | Owned by: Fernando de Oliveira

Description
Fixes Include Security CVE-2016-1503 and CVE-2016-1504
Care should be taken for this upgrade because dhcpcd will no longer try to manage wpa_supplicant by default - if you rely on this you will have to ensure you update the hook yourself or manage starting/stopping wpa_supplicant another way. The rationale is that it's not really the job of dhcpcd to configure the interface.
dhcpcd-6.10.0 released
From: Roy Marples <roy_at_marples.name>
Date: Thu, 7 Jan 2016 17:18:02 +0000

Hi List!

Happy 2016!

To kick off the new year, here is a new dhcpcd release with the following changes:

• --noption requires an argument
• optimise the ARP BPF filter, thanks to Nate Karstens
• send gratuitous ARP each time we apply our IP address
• fix truncation of hostnames based on the short hostname option
• improve routing and address management by always loading all interfaces, routes and addresses even for interfaces we are not directly working on
• timezone, lookup-hostname, wpa_supplicant and YP hooks are no longer installed by default but are installed to an example directory
• fix compile on kFreeBSD thanks to Christoph Egger for providing a temporary build host
• improve error logging of packet parsing
• fix ignoring routing messages generated by dhcpcd just before forking
• fix handling of rapid commit messages (allow ACK after DISCOVER)
• add PROBE state so we can easily reject DHCP messages received during the ARP probe phase
• fix CVE-2016-1503
• fix CVE-2016-1504

Care should be taken for this upgrade because dhcpcd will no longer try to manage wpa_supplicant by default - if you rely on this you will have to ensure you update the hook yourself or manage starting/stopping wpa_supplicant another way. The rationale is that it's not really the job of dhcpcd to configure the interface.

The two CVEs mentioned are to do with malformed DHCP messages causing dhcpcd to crash. The current view is the worst case is a DoS.

http://openwall.com/lists/oss-security/2016/01/07/3
http://roy.marples.name/projects/dhcpcd/info/76a1609352263bd9
http://roy.marples.name/projects/dhcpcd/info/595883e2a431f65d

Subsequent commits have improved the above work, but the above two really fix the issues. dhcpcd releases from 4.0.0 onwards are vulnerable to the first issue, 6.0.0 onwards for the second issue.

Contact me off list if you need help with patching a specific dhcpcd version, but I do encourage everyone to upgrade to dhcpcd-6.10.0 which has a lot of other fixes since those versions as well!

Thanks

Roy