Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 28 Feb 2018 15:29:55 -0500
From: Michael McNally <>
Cc: "" <>
Subject: Multiple CVEs announced by ISC (ISC DHCP: CVE-2018-5732 &
 CVE-2018-5733, BIND CVE-2018-5734)

Today ISC publicly disclosed three CVEs, two in ISC DHCP and a third
in BIND Supported Preview Edition [which is a customer-only non-public
version of BIND, but since the disclosure is public we wish to be
clear about it here so as not to confuse those who are following the
public open source version of the product.]

All three vulnerabilities are now public.  Thank you, to those who were
informed in advance, for cooperating with our disclosure schedule.

The two DHCP vulnerabilities are:

   CVE-2018-5732: A specially constructed response from a
   malicious server can cause a buffer overflow in dhclient

   CVE-2018-5733: A malicious client can overflow a
   reference counter in ISC dhcpd

And the (Supported Preview Edition-only) BIND vulnerability is:

   CVE-2018-5734: A malformed request can trigger an
   assertion failure in badcache.c

If you have questions about these announcements please direct
them to

Michael McNally
ISC Security Officer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.