Summary: | <net-misc/dhcpcd-5.2.12: Hostname sanitation failure (CVE-2011-{0996,0997}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | alexanderyt, base-system, williamh |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://roy.marples.name/projects/dhcpcd/changeset/c317b39786ac6c3a939dc711db7c78cf099859fd | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Alex Legler (RETIRED)
2011-04-07 15:37:51 UTC
Dhcpcd 5.2.12 is in the tree. (In reply to comment #1) > Dhcpcd 5.2.12 is in the tree. Thank you. Arches, please test and mark stable: =net-misc/dhcpcd-5.2.12 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86" for me: if i launch dhcpcd eth0 it assign me an address but when i verify with ifconfig eth0 i see the previous address. If i modify my /etc/conf.d/net at startup dhcpcd works Stable for HPPA. x86 stable. Thanks arm stable amd64 done alpha/ia64/s390/sh/sparc stable Marked ppc stable. ppc64 stable, last arch done Thanks, everyone. GLSA request filed. Security, should I remove all older versions of dhcpcd? Thanks, William (In reply to comment #12) > Security, > > should I remove all older versions of dhcpcd? > Yes, please, thank you. All versions of dhcpcd < 5.2.12 have been removed. CVE-2011-0997 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0997): dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script. This issue was resolved and addressed in GLSA 201301-04 at http://security.gentoo.org/glsa/glsa-201301-04.xml by GLSA coordinator Stefan Behte (craig). This issue was resolved and addressed in GLSA 201301-04 at http://security.gentoo.org/glsa/glsa-201301-04.xml by GLSA coordinator Stefan Behte (craig). |