#7333: dhcpcd-6.10.0
-------------------------+--------------------------
Reporter: fo | Owner: blfs-book@…
Type: enhancement | Status: new
Priority: high | Milestone: 7.9
Component: BOOK | Version: SVN
Severity: normal | Resolution:
Keywords: |
-------------------------+--------------------------
Description changed by fo:
Old description:
> == Fixes Include Security CVE-2016-1503 and CVE-2016-1504 ==
>
> Also:
>
> '''Care should be taken for this upgrade because dhcpcd will no longer
> try to manage wpa_supplicant by default - if you rely on this you will
> have to ensure you update the hook yourself or manage starting/stopping
> wpa_supplicant another way.
> The rationale is that it's not really the job of dhcpcd to configure the
> interface.'''
>
> [http://roy.marples.name/downloads/dhcpcd/dhcpcd-6.10.0.tar.xz]
>
> [ftp://roy.marples.name/pub/dhcpcd/dhcpcd-6.10.0.tar.xz]
>
> [http://roy.marples.name/archives/dhcpcd-discuss/2016/1143.html]
>
> {{{
> dhcpcd-6.10.0 released
>
> From: Roy Marples <roy_at_marples.name>
> Date: Thu, 7 Jan 2016 17:18:02 +0000
>
> Hi List! Happy 2016!
>
> To kick off the new year, here is a new dhcpcd release with the
> following changes:
> • --noption requires an argument
> • optimise the ARP BPF filter, thanks to Nate Karstens
> • send gratuitous ARP each time we apply our IP address
> • fix truncation of hostnames based on the short hostname option
> • improve routing and address management by always loading all
> interfaces, routes and addresses even for interfaces we are not
> directly working on
> • timezone, lookup-hostname, wpa_supplicant and YP hooks are no longer
> installed by default but are installed to an example directory
> • fix compile on kFreeBSD thanks to Christoph Egger for providing a
> temporary build host
> • improve error logging of packet parsing
> • fix ignoring routing messages generated by dhcpcd just before
> forking
> • fix handling of rapid commit messages (allow ACK after DISCOVER)
> • add PROBE state so we can easily reject DHCP messages received
> during the ARP probe phase
> • fix CVE-2016-1503
> • fix CVE-2016-1504
>
> Care should be taken for this upgrade because dhcpcd will no longer try
> to manage wpa_supplicant by default - if you rely on this you will have
> to ensure you update the hook yourself or manage starting/stopping
> wpa_supplicant another way.
> The rationale is that it's not really the job of dhcpcd to configure the
> interface.
>
> The two CVEs mentioned are to do with malformed DHCP messages causing
> dhcpcd to crash. The current view is the worst case is a DoS.
> http://openwall.com/lists/oss-security/2016/01/07/3
> http://roy.marples.name/projects/dhcpcd/info/76a1609352263bd9
> http://roy.marples.name/projects/dhcpcd/info/595883e2a431f65d
> Subsequent commits have improved the above work, but the above two
> really fix the issues.
>
> dhcpcd releases from 4.0.0 onwards are vulnerable to the first issue,
> 6.0.0 onwards for the second issue.
> Contact me off list if you need help with patching a specific dhcpcd
> version, but I do encourage everyone to upgrade to dhcpcd-6.10.0 which
> has a lot of other fixes since those versions as well!
>
> Thanks
>
> Roy
> }}}
New description:
== Fixes Include Security CVE-2016-1503 and CVE-2016-1504 ==
Also:
Care should be taken for this upgrade because dhcpcd will '''no longer
try to manage wpa_supplicant''' by default - if you rely on this you
will have to ensure you update the hook yourself or manage
starting/stopping wpa_supplicant another way.
The rationale is that it's not really the job of dhcpcd to configure the
interface.
[http://roy.marples.name/downloads/dhcpcd/dhcpcd-6.10.0.tar.xz]
[ftp://roy.marples.name/pub/dhcpcd/dhcpcd-6.10.0.tar.xz]
[http://roy.marples.name/archives/dhcpcd-discuss/2016/1143.html]
{{{
dhcpcd-6.10.0 released
From: Roy Marples <roy_at_marples.name>
Date: Thu, 7 Jan 2016 17:18:02 +0000
Hi List! Happy 2016!
To kick off the new year, here is a new dhcpcd release with the
following changes:
• --noption requires an argument
• optimise the ARP BPF filter, thanks to Nate Karstens
• send gratuitous ARP each time we apply our IP address
• fix truncation of hostnames based on the short hostname option
• improve routing and address management by always loading all
interfaces, routes and addresses even for interfaces we are not
directly working on
• timezone, lookup-hostname, wpa_supplicant and YP hooks are no longer
installed by default but are installed to an example directory
• fix compile on kFreeBSD thanks to Christoph Egger for providing a
temporary build host
• improve error logging of packet parsing
• fix ignoring routing messages generated by dhcpcd just before
forking
• fix handling of rapid commit messages (allow ACK after DISCOVER)
• add PROBE state so we can easily reject DHCP messages received
during the ARP probe phase
• fix CVE-2016-1503
• fix CVE-2016-1504
Care should be taken for this upgrade because dhcpcd will no longer try
to manage wpa_supplicant by default - if you rely on this you will have
to ensure you update the hook yourself or manage starting/stopping
wpa_supplicant another way.
The rationale is that it's not really the job of dhcpcd to configure the
interface.
The two CVEs mentioned are to do with malformed DHCP messages causing
dhcpcd to crash. The current view is the worst case is a DoS.
http://openwall.com/lists/oss-security/2016/01/07/3
http://roy.marples.name/projects/dhcpcd/info/76a1609352263bd9
http://roy.marples.name/projects/dhcpcd/info/595883e2a431f65d
Subsequent commits have improved the above work, but the above two
really fix the issues.
dhcpcd releases from 4.0.0 onwards are vulnerable to the first issue,
6.0.0 onwards for the second issue.
Contact me off list if you need help with patching a specific dhcpcd
version, but I do encourage everyone to upgrade to dhcpcd-6.10.0 which
has a lot of other fixes since those versions as well!
Thanks
Roy
}}}
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/7333#comment:1>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch