From ${URL} : It was reported that ISC DHCP server does not effectively limit the number of simultaneous open TCP connections to the ports the server uses for inter-process communications and control. Because of this, a malicious party could interfere with server operation by opening (and never closing) a large number of TCP connections to the server. As result, the server may deliberately exit after encountering an INSIST failure (server version dependent), or may become unresponsive and stop answering client requests, or may continue operating but not be able to accept further connections from OMAPI clients or failover peers. If no limits are inherited from the environment, the server may consume all available sockets, potentially interfering with other services running on the same machine. Risk of exploitation is highest on the OMAPI port (if OMAPI is configured). The failover code will close incoming connections if they are not received from a peer (making it more difficult but not impossible to attack a server using failover channels). OMAPI, however, has no logic in the server limiting addresses from which it will accept connections. A firewall is recommended as an industry-standard precaution against accepting connections from untrusted hosts. ISC recommends that server operators restrict the hosts allowed to make connections to DHCP server inter-process communication channels to trusted hosts, blocking connections to the OMAPI control port and the failover communications ports from all other hosts. If OMAPI and/or failover are not being actively used, they can be disabled. Additionally, in environments where per-process file descriptor limits can be inherited from the shell used to launch dhcpd, using ulimit to set a reasonable limit on simultaneous socket connections can prevent the INSIST assertion failure outcome but may still allow interference with legitimate interprocess communication traffic. External Reference: https://kb.isc.org/article/AA-01354 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2016-2774 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2774): ISC DHCP 4.1.x before 4.1-ESV-R13 and 4.2.x and 4.3.x before 4.3.4 does not restrict the number of concurrent TCP sessions, which allows remote attackers to cause a denial of service (INSIST assertion failure or request-processing outage) by establishing many sessions.
@maintainer(s), do you want to target 4.3.4 or 4.3.5? Fixed version is 4.3.4.
4.3.5 for stable is fine
amd64 stable
x86 stable
Stable on alpha.
arm stable
ppc64 stable
sparc stable
Stable for HPPA.
ppc stable
ia64 stable. Maintainer(s), please cleanup.
commit c417d2a49de69fa60b408e6bc9c2a372caffe1f8 Author: Lars Wendler <polynomial-c@gentoo.org> Date: Tue Jan 17 16:58:30 2017 net-misc/dhcp: Security cleanup (bug #576866). Package-Manager: Portage-2.3.3, Repoman-2.3.1
GLSA Vote: No