Hi,

We've just updated the dhcp package (dhcp-* binary subpackages) in Owl-current to version 3.0.7 with an additional potentially security relevant fix. This update is mostly due to work by Dmitry V. Levin.

2009/07/15 Package: dhcp SECURITY FIX Severity: none to low, remote, active
Updated to 3.0.7. Fixed the DHCP server premature termination bug when receiving certain well-formed DHCP requests, provided that the server configuration mixes host definitions using "dhcp-client-identifier" and "hardware ethernet". It has not been fully researched whether the bug had any impact on versions 3.0.x of the DHCP server, and there is a specific reason why it might not have had any impact, yet we're fixing the underlying bug. Discovery and patch by Christoph Biedl.
Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1892

This is not in Owl 2.0-stable yet, although the packages should install and work on 2.0-stable as well. I'd like to ask those who use this package (the DHCP server and/or relay) to please install and test this update, then report back, such that we can roll it into 2.0-stable once it receives some more testing.

Additionally, some of you may have noticed that many distros are releasing updates fixing a DHCP client (not server) bug these days, and the client bug is far more severe:

https://www.isc.org/node/468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692

We do not officially support the DHCP client because it is rather complicated, yet it runs entirely as root, which we find an unacceptable and unjustified security risk. Thus, we have the DHCP client build disabled in our dhcp.spec file (and we always had it that way). Yet, for those brave enough to enable the DHCP client build, we have included a patch for the client security bug in the native tree in Owl-current. For our official builds, this is a no-op, and we do not promise any kind of support for the DHCP client in the future. We also do not claim that the included patch works, it just happens to be there. ;-)

We're considering replacing or significantly modifying the DHCP client to introduce privilege separation, though, at which point we'd support it, but we're not there yet.

Once again, the desired feedback to this posting is test results for the DHCP server and/or relay functionality of dhcp-3.0.7-owl1.

Thanks,

Alexander

--
To unsubscribe, e-mail owl-users-unsubscribe_at_private and reply to the automated confirmation request that will be sent to you.

Received on Wed Jul 15 2009 - 17:39:00 PDT
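As an added example (not part of the Owl posting or of the ISC dhcp package), the following POSIX shell check reports whether a dhcpd.conf contains the configuration pattern the advisory names: some host declarations keyed by "dhcp-client-identifier" alongside others keyed by "hardware ethernet". An administrator deciding whether to prioritise the server update can run it over the real configuration; the sample configuration embedded below is constructed for the demonstration and the function names are this example's own.

```shell
#!/bin/sh
# Added example: flag a dhcpd.conf that mixes host declarations using
# "dhcp-client-identifier" with host declarations using "hardware ethernet".
# Not Owl or ISC code; the sample configuration is constructed for the demo.

# Constructed sample dhcpd.conf (not a real site's configuration).
SAMPLE_CONF='
subnet 192.0.2.0 netmask 255.255.255.0 {
  range 192.0.2.100 192.0.2.200;
}
host printer {
  hardware ethernet 00:00:5e:00:53:01;
  fixed-address 192.0.2.10;
}
host laptop {
  option dhcp-client-identifier "laptop-01";
  fixed-address 192.0.2.11;
}
'

# count_host_matches KEYWORD: reads a dhcpd.conf on stdin and prints the
# number of "host ... { ... }" declarations whose body contains KEYWORD.
# A minimal awk state machine: a line starting with "host" opens a block,
# the next "}" closes it; nested braces are not expected inside host blocks.
count_host_matches() {
  awk -v kw="$1" '
    /^[[:space:]]*host[[:space:]]/ { inhost = 1; hit = 0 }
    inhost && index($0, kw)       { hit = 1 }
    inhost && /}/                 { if (hit) n++; inhost = 0 }
    END                           { print n + 0 }
  '
}

# mixed_host_config CONF_TEXT: prints "mixed" when host declarations of
# both kinds are present (the pattern the advisory describes), else "ok".
mixed_host_config() {
  cid=$(printf '%s\n' "$1" | count_host_matches "dhcp-client-identifier")
  hw=$(printf '%s\n' "$1" | count_host_matches "hardware ethernet")
  if [ "$cid" -gt 0 ] && [ "$hw" -gt 0 ]; then
    echo mixed
  else
    echo ok
  fi
}

# Demonstration on the constructed sample.
echo "host blocks with dhcp-client-identifier: $(printf '%s\n' "$SAMPLE_CONF" | count_host_matches dhcp-client-identifier)"
echo "host blocks with hardware ethernet:      $(printf '%s\n' "$SAMPLE_CONF" | count_host_matches 'hardware ethernet')"
echo "sample configuration: $(mixed_host_config "$SAMPLE_CONF")"
```

To check a live server, pass the file contents instead of the sample, e.g. `mixed_host_config "$(cat /etc/dhcpd.conf)"` (the path is an assumption; use wherever your dhcpd.conf lives). The check is deliberately textual and does not parse includes or nested braces, so treat "mixed" as a prompt to review the configuration, not as a verdict.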