Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 434880 (CVE-2012-3955)

Summary: <net-misc/dhcp-4.2.4_p2 : IPv6 Lease Expiration Handling Denial of Service Security Issue (CVE-2012-3955)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/50612/
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-09-13 09:36:43 UTC 
Description
A security issue has been reported in ISC DHCP, which can be exploited by malicious people to cause a DoS (Denial of Service).

The security issue is caused due to an error when handling the expiration time of an active IPv6 lease and may result in a server crash if the lease time is reduced.

The security issue is reported in versions 4.1.x and 4.2.x.


Solution
Update to version 4.1-ESV-R7 or 4.2.4-P2.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-09-16 13:56:19 UTC 
CVE-2012-3955 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3955):
  ISC DHCP 4.1.x before 4.1-ESV-R7 and 4.2.x before 4.2.4-P2 allows remote
  attackers to cause a denial of service (daemon crash) in opportunistic
  circumstances by establishing an IPv6 lease in an environment where the
  lease expiration time is later reduced.
Comment 2 SpanKY gentoo-dev 2012-10-10 03:57:29 UTC 
4.2.4_p2 is in the tree
Comment 3 Agostino Sarubbo gentoo-dev 2012-10-10 13:41:24 UTC 
Arch teams, please test and mark stable:
=net-misc/dhcp-4.2.4_p2
Target keywords : "alpha amd64 arm hppa ppc ppc64 s390 sh sparc x86"
Comment 4 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2012-10-10 14:01:58 UTC 
amd64: ok
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-10-10 16:36:18 UTC 
Stable for HPPA.
Comment 6 Markus Meier gentoo-dev 2012-10-11 11:29:13 UTC 
arm stable
Comment 7 Andreas Schürch gentoo-dev 2012-10-11 14:10:03 UTC 
x86 done.
Comment 8 Agostino Sarubbo gentoo-dev 2012-10-11 14:22:08 UTC 
amd64 stable
Comment 9 Anthony Basile gentoo-dev 2012-10-11 23:37:41 UTC 
stable ppc ppc64
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-10-13 16:59:12 UTC 
alpha/s390/sh/sparc stable
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-15 00:59:12 UTC 
Thanks, everyone.

Adding to existing GLSA draft.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-01-09 00:53:13 UTC 
This issue was resolved and addressed in
 GLSA 201301-06 at http://security.gentoo.org/glsa/glsa-201301-06.xml
by GLSA coordinator Stefan Behte (craig).