Arch teams: I will stable this on amd64, but we need it stabled everywhere else asap. The issue is that Roy advised me that there is a DoS attack vector in dhcpcd versions from 4.0.0 to 6.4.2 which is fixed in 6.4.3 by this patch [1]. http://roy.marples.name/projects/dhcpcd/ci/1d2b93aa5ce25a8a710082fe2d36a6bf7f5794d5?sbs=0
Please test and stabilize asap. Thanks, William
x86 stable
CVE request: http://seclists.org/oss-sec/2014/q3/261
Stable for HPPA.
Stable on alpha.
Marked ppc/ppc64 stable.
ia64 stable
sparc stable
arm stable
Cleanup, please! GLSA request filed.
All vulnerable versions have been removed. Thanks, William
This issue was resolved and addressed in GLSA 201409-03 at http://security.gentoo.org/glsa/glsa-201409-03.xml by GLSA coordinator Mikle Kolyada (Zlogene).
CVE-2014-6060 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6060): The get_option function in dhcpcd 4.0.0 through 6.x before 6.4.3 allows remote DHCP servers to cause a denial of service by resetting the DHO_OPTIONSOVERLOADED option in the (1) bootfile or (2) servername section, which triggers the option to be processed again.
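As an added illustration of the safe handling (this is constructed example code, not dhcpcd's source or the linked patch), a minimal DHCP option walker in C that reads option 52 (DHO_OPTIONSOVERLOADED) only from the main options field, so a copy of it placed in the sname or file field can never trigger a further pass; offsets and lengths follow RFC 2131/2132, and the sample message is constructed inline.

```c
#include <stdint.h>
#include <string.h>

/* Constructed illustration, not dhcpcd's code: option 52 is honoured only in the main options field. */
enum { DHO_END = 255, DHO_OPTIONSOVERLOADED = 52, OVERLOAD_FILE = 1, OVERLOAD_SNAME = 2 };
enum { SNAME_OFF = 44, SNAME_LEN = 64, FILE_OFF = 108, FILE_LEN = 128, OPTS_OFF = 240 };

/* Scan one TLV region; only the main options field (honour != 0) may set *overload. */
static int scan_region(const uint8_t *p, size_t len, int honour, int *overload)
{
    size_t i = 0, count = 0;
    while (i < len) {
        uint8_t tag = p[i++];
        if (tag == 0) continue;                  /* pad */
        if (tag == DHO_END) break;
        if (i >= len) return -1;                 /* missing length byte */
        uint8_t olen = p[i++];
        if (olen > len - i) return -1;           /* option runs past the region */
        if (tag == DHO_OPTIONSOVERLOADED && honour && olen == 1)
            *overload = p[i];                    /* ignored when found in sname/file */
        i += olen; count++;
    }
    return (int)count;
}

/* Option count of a DHCP message, or -1 if malformed; each region is visited at most once. */
int dhcp_option_count(const uint8_t *msg, size_t len)
{
    int overload = 0, n, total;
    if (len < OPTS_OFF || (total = scan_region(msg + OPTS_OFF, len - OPTS_OFF, 1, &overload)) < 0)
        return -1;
    n = (overload & OVERLOAD_FILE) ? scan_region(msg + FILE_OFF, FILE_LEN, 0, &overload) : 0;
    if (n < 0) return -1;
    total += n;
    n = (overload & OVERLOAD_SNAME) ? scan_region(msg + SNAME_OFF, SNAME_LEN, 0, &overload) : 0;
    return n < 0 ? -1 : total + n;
}

/* Constructed sample: options declare sname overloaded; sname carries a stray option 52 = file. */
int sample_option_count(void)
{
    static const uint8_t opts[]  = { 53, 1, 2, DHO_OPTIONSOVERLOADED, 1, OVERLOAD_SNAME, DHO_END };
    static const uint8_t sname[] = { 12, 3, 'p', 'c', '1', DHO_OPTIONSOVERLOADED, 1, OVERLOAD_FILE, DHO_END };
    static const uint8_t file[]  = { 12, 2, 'x', 'y', DHO_END };
    uint8_t msg[300] = { 0 };
    memcpy(msg + OPTS_OFF, opts, sizeof opts);
    memcpy(msg + SNAME_OFF, sname, sizeof sname);
    memcpy(msg + FILE_OFF, file, sizeof file);
    return dhcp_option_count(msg, sizeof msg);   /* 4: the file field stays unread */
}
```

A parser that re-honoured the second option 52 would also walk the file field (reporting 5 here) or, as the advisory describes, keep re-processing.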