Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 16 Jul 2009 04:39:00 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: DHCP suite update

Hi,

We've just updated the dhcp package (dhcp-* binary subpackages) in
Owl-current to version 3.0.7 with an additional potentially security
relevant fix.  This update is mostly due to work by Dmitry V. Levin.

2009/07/15	Package: dhcp
SECURITY FIX	Severity: none to low, remote, active
Updated to 3.0.7.  Fixed the DHCP server premature termination bug when
receiving certain well-formed DHCP requests, provided that the server
configuration mixes host definitions using "dhcp-client-identifier" and
"hardware ethernet".  It has not been fully researched whether the bug
had any impact on versions 3.0.x of the DHCP server, and there is a
specific reason why it might not have had any impact, yet we're fixing
the underlying bug.  Discovery and patch by Christoph Biedl.
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1892

This is not in Owl 2.0-stable yet, although the packages should install
and work on 2.0-stable as well.  I'd like to ask those who use this
package (the DHCP server and/or relay) to please install and test this
update, then report back, such that we can roll it into 2.0-stable once
it receives some more testing.

Additionally, some of you may have noticed that many distros are
releasing updates fixing a DHCP client (not server) bug these days, and
the client bug is far more severe:

https://www.isc.org/node/468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692

We do not officially support the DHCP client because it is rather
complicated, yet it runs entirely as root, which we find an unacceptable
and unjustified security risk.  Thus, we have the DHCP client build
disabled in our dhcp.spec file (and we always had it that way).  Yet,
for those brave enough to enable the DHCP client build, we have included
a patch for the client security bug in the native tree in Owl-current.
For our official builds, this is a no-op, and we do not promise any kind
of support for the DHCP client in the future.  We also do not claim that
the included patch works, it just happens to be there. ;-)

We're considering replacing or significantly modifying the DHCP client
to introduce privilege separation, though, at which point we'd support
it, but we're not there yet.

Once again, the desired feedback to this posting is test results for
the DHCP server and/or relay functionality of dhcp-3.0.7-owl1.

Thanks,

Alexander

-- 
To unsubscribe, e-mail owl-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.