| Summary: | <net-misc/dhcp-4.2.2-r1: DoS (CVE-2011-{2748,2749}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | base-system, hwoarang, petr.pisar |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.isc.org/software/dhcp/advisories/cve-2011-2748 | ||
| Whiteboard: | A3 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 362535, 380717, 380829 | ||
| Bug Blocks: | |||
|
Description
Agostino Sarubbo
2011-08-11 16:32:41 UTC
*** Bug 379229 has been marked as a duplicate of this bug. *** dhcp-4.2.2 now in the tree (In reply to comment #2) > dhcp-4.2.2 now in the tree Thanks. Arches, please test and mark stable: =net-misc/dhcp-4.2.2 Target keywords : "alpha amd64 arm hppa ppc ppc64 s390 sh sparc x86" *** Bug 374445 has been marked as a duplicate of this bug. *** x86 stable Stable dhcp-4.2.2 doesn`t run in chroot :( Please look at https://bugs.gentoo.org/show_bug.cgi?id=362535 we'll want to do 4.2.2-r1 since it fixes a few path related bugs no one noticed before now amd64 ok dhcp-4.2.2-r1 doesn`t run in chroot :( ... I think that bug 362535 is not a regression and it should be removed from "Depends on" (In reply to comment #10) > I think that bug 362535 is not a regression and it should be removed from > "Depends on" It is a regressions. Version 3.X (which is the current stable) does not seem to have the same problem CVE-2011-2749 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2749): The server in ISC DHCP 3.x and 4.x before 4.2.2, 3.1-ESV before 3.1-ESV-R3, and 4.1-ESV before 4.1-ESV-R3 allows remote attackers to cause a denial of service (daemon exit) via a crafted BOOTP packet. CVE-2011-2748 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2748): The server in ISC DHCP 3.x and 4.x before 4.2.2, 3.1-ESV before 3.1-ESV-R3, and 4.1-ESV before 4.1-ESV-R3 allows remote attackers to cause a denial of service (daemon exit) via a crafted DHCP packet. amd64: emerged, invoked, all ok @base-system. Can we please do 4.2.2-r1 instead? This revision seems to have fixed all the blocking issues posted in this bug please read comment #7 (In reply to comment #9) > dhcp-4.2.2-r1 doesn`t run in chroot :( > ... Well you need to open a separate bug and not complaining on security bugs. 4.2.2-r1 stable on amd64. Thanks Agostino and Ian (In reply to comment #16) chroot should be fixed in 4.2.2-r2. if arches want to jump straight to that, it should be fine. + 20 Sep 2011; Tony Vroon <chainsaw@gentoo.org> dhcp-4.2.2-r2.ebuild: + Marked stable on AMD64 based on explicit recommendation by Markos "hwoarang" + Chandras in #gentoo-amd64-dev. Chroot usage seems still a bit broken with dhcp-4.2.2-r2. Sep 21 15:03:37 localhost dhcpd: Error opening '/proc/net/dev' to list interfaces Sep 21 15:03:37 localhost dhcpd: Can't get list of interfaces. If i mount proc manually into the chroot before the start, i get Sep 21 15:11:58 localhost dhcpd: Not configured to listen on any interfaces! Yes, it is configured in /etc/conf.d/dhcpd... But it seems to get lost on the way to the chroot!? new issue -> new bug Builds fine on x86, rdep builds fine as well. Tested the client, no problems encountered. Ok to go for me. x86 stable. Thanks all! ppc/ppc64 stable alpha/arm/ia64/s390/sh/sparc stable Stable for HPPA. Thanks, folks. GLSA request filed. This issue was resolved and addressed in GLSA 201301-06 at http://security.gentoo.org/glsa/glsa-201301-06.xml by GLSA coordinator Stefan Behte (craig). |
