463848 – (CVE-2013-2494) <net-misc/dhcp-4.2.5_p1: denial of service (CVE-2013-2494)

Bug 463848 (CVE-2013-2494) - <net-misc/dhcp-4.2.5_p1: denial of service (CVE-2013-2494)

Summary: <net-misc/dhcp-4.2.5_p1: denial of service (CVE-2013-2494)

Status:	RESOLVED FIXED

Alias:	CVE-2013-2494

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	http://web.nvd.nist.gov/view/vuln/det...
Whiteboard:	A3 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2013-03-30 11:54 UTC by Agostino Sarubbo
Modified:	2014-01-06 22:15 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2013-03-30 11:54:50 UTC

From ${URL} :

libdns in ISC DHCP 4.2.x before 4.2.5-P1 allows remote name servers to cause a denial of service 
(memory consumption) via vectors involving a regular expression, as demonstrated by a 
memory-exhaustion attack against a machine running a dhcpd process, a related issue to 
CVE-2013-2266.

Comment 1 SpanKY gentoo-dev

2013-03-31 02:39:30 UTC

Commit message: Version bump
http://sources.gentoo.org/net-misc/dhcp/dhcp-4.2.5_p1.ebuild?rev=1.1

Comment 2 Sean Amoss (RETIRED) gentoo-dev

2013-04-08 21:39:56 UTC

(In reply to comment #1)
> Commit message: Version bump
> http://sources.gentoo.org/net-misc/dhcp/dhcp-4.2.5_p1.ebuild?rev=1.1

Thank you.

Arches, please test and mark stable.
Target KEYWORDS: "alpha amd64 arm hppa ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd"

Comment 3 Agostino Sarubbo gentoo-dev

2013-04-09 18:14:54 UTC

amd64 stable

Comment 4 Agostino Sarubbo gentoo-dev

2013-04-09 18:25:55 UTC

x86 stable

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2013-04-10 14:40:56 UTC

Stable for HPPA.

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2013-04-11 16:39:26 UTC

CVE-2013-2494 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2494):
  libdns in ISC DHCP 4.2.x before 4.2.5-P1 allows remote name servers to cause
  a denial of service (memory consumption) via vectors involving a regular
  expression, as demonstrated by a memory-exhaustion attack against a machine
  running a dhcpd process, a related issue to CVE-2013-2266.

Comment 7 Agostino Sarubbo gentoo-dev

2013-04-11 18:58:41 UTC

ppc stable

Comment 8 Agostino Sarubbo gentoo-dev

2013-04-11 19:28:13 UTC

ppc64 stable

Comment 9 Agostino Sarubbo gentoo-dev

2013-04-11 21:03:33 UTC

alpha stable

Comment 10 Agostino Sarubbo gentoo-dev

2013-04-12 15:07:36 UTC

arm stable

Comment 11 Agostino Sarubbo gentoo-dev

2013-04-13 07:46:19 UTC

sparc stable

Comment 12 Agostino Sarubbo gentoo-dev

2013-04-13 20:58:20 UTC

s390 stable

Comment 13 Agostino Sarubbo gentoo-dev

2013-04-14 16:23:38 UTC

sh stable

Comment 14 Chris Reffett (RETIRED) gentoo-dev

2013-09-03 16:23:36 UTC

GLSA request filed.

Comment 15 Agostino Sarubbo gentoo-dev

2013-09-05 21:51:27 UTC

@base-system: Is possible a cleanup of <4.2.5_p1 ? If not I'll proceed to mask it.

Comment 16 Sergey Popov (RETIRED) gentoo-dev

2014-01-06 21:44:24 UTC

Cleanup is done, permission granted by Tony Vroon

Comment 17 GLSAMaker/CVETool Bot gentoo-dev

2014-01-06 22:15:16 UTC

This issue was resolved and addressed in
 GLSA 201401-05 at http://security.gentoo.org/glsa/glsa-201401-05.xml
by GLSA coordinator Sergey Popov (pinkbyte).