Hi,

I found some nasty security problems with dhcpd. They appear to have been addressed in an official release + patch, so it's time to let the world know...

It's probably mentioned in the following forwarded announcement, but if using dhcpd, you really should consider this a mandatory upgrade... :)

Thanks to Alan Cox for co-ordinating things once the problem was discovered.

Chris

------- Blind-Carbon-Copy

To: dhcp-announceat_private
Subject: DHCP 1.0 and 2.0 SECURITY ALERT!
Date: Sun, 17 May 1998 23:45:15 -0700
From: Ted Lemon <mellonat_private>

There are two bugs in all previous releases of the Internet Software Consortium DHCP Distribution which can be exploited to crash the DHCP server, or possibly worse. I have prepared new distributions of version 1.0 and 2.0 of the DHCP Distribution which correct these problems.

Patches for and new distributions of version 1.0 and version 2.0 are available at:

ftp://ftp.isc.org/isc/dhcp/dhcp-1.0.0-1.0pl1.diff.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-2.0b1pl0-2.0b1pl1.diff.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-1.0pl1.tar.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-2.0b1pl1.tar.gz

This is not the long-awaited first snapshot of 3.0, but there are some additional bug fixes in these releases.

Please upgrade at your earliest convenience. Also, please accept my humble apology for making one of the oldest, stupidest security mistakes in the book. Sigh.

BTW, thanks to Chris Evans and Alan Cox of the Linux development team for finding these bugs.

_MelloN_

------- End of Blind-Carbon-Copy