Your message dated Tue, 30 Jun 2026 18:17:26 +0000
with message-id <[email protected]>
and subject line Bug#1140767: fixed in dhcpcd5 9.4.1-24~deb12u5
has caused the Debian Bug report #1140767,
regarding dhcpcd: CVE-2026-56113 CVE-2026-56114 CVE-2026-56116 CVE-2026-56117
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140767: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140767
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dhcpcd
Version: 1:10.3.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for dhcpcd.
CVE-2026-56113[0]:
| dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a heap use-
| after-free vulnerability that allows unauthenticated same-link
| attackers to crash the daemon by sending a crafted DHCPv6 RENEW
| reply with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid
| lifetimes set to zero. Attackers acting as or impersonating a DHCPv6
| server can trigger dhcp6_deprecatedele() to free a delegated child
| address while an outer TAILQ_FOREACH_SAFE iterator in
| dhcp6_deprecateaddrs() still holds the freed pointer, causing a use-
| after-free when TAILQ_REMOVE is reached.
CVE-2026-56114[1]:
| dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte
| stack out-of-bounds write vulnerability in dhcp6_makemessage() in
| src/dhcp6.c that allows unauthenticated same-link attackers to write
| beyond a fixed local buffer by serializing an oversized RFC6603
| OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6
| ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid
| OPTION_PD_EXCLUDE using an exclude prefix length of /121 through
| /128 to trigger the out-of-bounds write and potentially corrupt
| adjacent stack memory.
CVE-2026-56115[2]:
| Bootimus through 0.1.70 contains a broken access control
| vulnerability that allows authenticated low-privileged users to
| perform administrative actions by exploiting missing role
| enforcement in the JWTMiddleware function in internal/auth/auth.go,
| which validates JWT tokens and account status but fails to inspect
| the is_admin flag. Attackers can send requests to any endpoint under
| the /api/users path to create new administrator accounts or reset
| administrator passwords, thereby gaining full control of the server
| and the ability to modify boot menus and installation scripts served
| to PXE clients.
CVE-2026-56116[3]:
| dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a memory
| leak vulnerability in the IPv6 Router Advertisement route
| information handling that allows an unauthenticated same-link
| attacker to cause denial of service by sending crafted Router
| Advertisements. Attackers can repeatedly send Router Advertisements
| containing Route Information options with a lifetime of zero,
| triggering unfreed allocations in routeinfo_findalloc() that cause
| linear memory exhaustion and eventual daemon crash.
CVE-2026-56117[4]:
| dhcpcd through 10.3.2, fixed in commit 78ea09e, contains a heap use-
| after-free vulnerability in the control socket handling within
| src/control.c that allows local unprivileged attackers to trigger
| memory corruption when privilege separation is disabled. Attackers
| can connect to the control socket and send a privileged command such
| as -x, causing control_recvdata() to free the client object while
| the same READ+HANGUP event subsequently reaches control_hangup()
| with the stale pointer, resulting in a use-after-free condition
| exploitable in deployments using --disable-privsep or where privsep
| initialization has failed with the control socket operating in mode
| 0666.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-56113
https://www.cve.org/CVERecord?id=CVE-2026-56113
[1] https://security-tracker.debian.org/tracker/CVE-2026-56114
https://www.cve.org/CVERecord?id=CVE-2026-56114
[2] https://security-tracker.debian.org/tracker/CVE-2026-56115
https://www.cve.org/CVERecord?id=CVE-2026-56115
[3] https://security-tracker.debian.org/tracker/CVE-2026-56116
https://www.cve.org/CVERecord?id=CVE-2026-56116
[4] https://security-tracker.debian.org/tracker/CVE-2026-56117
https://www.cve.org/CVERecord?id=CVE-2026-56117
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: dhcpcd5
Source-Version: 9.4.1-24~deb12u5
Done: Martin-Éric Racine <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dhcpcd5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin-Éric Racine <[email protected]> (supplier of updated dhcpcd5
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 28 Jun 2026 12:02:44 +0300
Source: dhcpcd5
Architecture: source
Version: 9.4.1-24~deb12u5
Distribution: bookworm
Urgency: medium
Maintainer: Martin-Éric Racine <[email protected]>
Changed-By: Martin-Éric Racine <[email protected]>
Closes: 1140767
Changes:
dhcpcd5 (9.4.1-24~deb12u5) bookworm; urgency=medium
.
* [control]
= Migrate Build-Depends from pkg-config to pkgconf.
* [salsa-ci.yml]
+ Implement basic CI support using the stock Debian pipeline include.
* [patches] (Closes: #1140767)
+ Cherry-pick upstream fix for CVE-2025-70102 (commit 117742d).
+ Cherry-pick upstream fix for CVE-2026-56114 (commit 2f00c7b).
= Refresh all patches.
Checksums-Sha1:
03c79097625f6895ccbce85d8e2df45f91fc1eb2 2100 dhcpcd5_9.4.1-24~deb12u5.dsc
943d0aa042f968801446f2a5d48a69faf55add13 25804
dhcpcd5_9.4.1-24~deb12u5.debian.tar.xz
de44603605ff5678ff477677aa8293eaafce0073 5938
dhcpcd5_9.4.1-24~deb12u5_source.buildinfo
Checksums-Sha256:
b82238f0fc10154852c20fcad189b1b06adad450fea9e002b5d27d7fb42734c9 2100
dhcpcd5_9.4.1-24~deb12u5.dsc
390fd3a566088c89a5f34f349284630c09abb015d7294d4af9b7a7c2e3e04ff7 25804
dhcpcd5_9.4.1-24~deb12u5.debian.tar.xz
21d612ee0e76ab59af4b03b30817c12fc18563ae2e490d6e00cc3f79ddd9f6f4 5938
dhcpcd5_9.4.1-24~deb12u5_source.buildinfo
Files:
658e757b015327ec1b65d12ca2c513f1 2100 net optional dhcpcd5_9.4.1-24~deb12u5.dsc
eb761259f8bbe88bfc0291632c985163 25804 net optional
dhcpcd5_9.4.1-24~deb12u5.debian.tar.xz
fea563e94f59f8f3979d333c68e49b51 5938 net optional
dhcpcd5_9.4.1-24~deb12u5_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEyJACx3qL7GpObXOQrh+Cd8S017YFAmpA9xsACgkQrh+Cd8S0
17b8Cw/7BctQY8EPfBbeH1E9BK4vSDOE7sskAvhT1Mnqh2SIkgD6lFB96X44pOyl
n2X7WntQAISBL489NmOhZ2ml7J0lgCLdXib9LoEnFthc464b0bThuV0kU9w/hVOC
yvCDpAItxxeYkV5Y4v5+L6T3oJuQVaG/oyPTqyafjh5le4jcs/JkWBmKFRSeOBXN
71CqsXiBCJmY6xi3JqEecU0GYy8ch75pPrgmu/RNd4Sy7q/Swqv6oDszKguj5fJZ
/7+md14GP3/6QtYKpY5vX+RvO2mcNUMxuGUwwlwN3jTQgO3GOE47xEwlTB9oms0S
l0nx7lbUA5ZIu9U7961gzRXSnJ8JikeKiWiks8hnwfd5czopb/AzA4NDZWjs4oW4
rqe/+N1B9Hg14fnsDJHXxHo+mVfftFIwX0JMRpVuv1zLgL8rjl6LCyio++9xAAxK
6CwZgEuMt9KCOzvaOumMXd1gricGqIlslFB3Fp5UYxJDpWtqn46b7kP5nwdxxTsz
9vntnib5R7NCQq46nXr+rTHMs6LnsTmwcuQ6njTzRxU8zLWduXIvqPS1QUKCwA5N
g2T9X6NaiP32h0OcDfwNuXkOFaKeEH9iaSgdibsGp/T6gd1jUjC1fswjjhI4XEbw
Cff4qXPJNsU7eF86yMLYIWd9sv5i7x4cIzLjzumHSeyCxnufPrc=
=ILpQ
-----END PGP SIGNATURE-----
pgpBXiHIB1ZSx.pgp
Description: PGP signature
--- End Message ---