Your message dated Tue, 30 Jun 2026 23:02:41 +0000
with message-id <[email protected]>
and subject line Bug#1140767: fixed in dhcpcd 1:10.1.0-11+deb13u3
has caused the Debian Bug report #1140767,
regarding dhcpcd: CVE-2026-56113 CVE-2026-56114 CVE-2026-56116 CVE-2026-56117
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140767: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140767
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dhcpcd
Version: 1:10.3.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for dhcpcd.
CVE-2026-56113[0]:
| dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a heap use-
| after-free vulnerability that allows unauthenticated same-link
| attackers to crash the daemon by sending a crafted DHCPv6 RENEW
| reply with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid
| lifetimes set to zero. Attackers acting as or impersonating a DHCPv6
| server can trigger dhcp6_deprecatedele() to free a delegated child
| address while an outer TAILQ_FOREACH_SAFE iterator in
| dhcp6_deprecateaddrs() still holds the freed pointer, causing a use-
| after-free when TAILQ_REMOVE is reached.
CVE-2026-56114[1]:
| dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte
| stack out-of-bounds write vulnerability in dhcp6_makemessage() in
| src/dhcp6.c that allows unauthenticated same-link attackers to write
| beyond a fixed local buffer by serializing an oversized RFC6603
| OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6
| ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid
| OPTION_PD_EXCLUDE using an exclude prefix length of /121 through
| /128 to trigger the out-of-bounds write and potentially corrupt
| adjacent stack memory.
CVE-2026-56115[2]:
| Bootimus through 0.1.70 contains a broken access control
| vulnerability that allows authenticated low-privileged users to
| perform administrative actions by exploiting missing role
| enforcement in the JWTMiddleware function in internal/auth/auth.go,
| which validates JWT tokens and account status but fails to inspect
| the is_admin flag. Attackers can send requests to any endpoint under
| the /api/users path to create new administrator accounts or reset
| administrator passwords, thereby gaining full control of the server
| and the ability to modify boot menus and installation scripts served
| to PXE clients.
CVE-2026-56116[3]:
| dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a memory
| leak vulnerability in the IPv6 Router Advertisement route
| information handling that allows an unauthenticated same-link
| attacker to cause denial of service by sending crafted Router
| Advertisements. Attackers can repeatedly send Router Advertisements
| containing Route Information options with a lifetime of zero,
| triggering unfreed allocations in routeinfo_findalloc() that cause
| linear memory exhaustion and eventual daemon crash.
CVE-2026-56117[4]:
| dhcpcd through 10.3.2, fixed in commit 78ea09e, contains a heap use-
| after-free vulnerability in the control socket handling within
| src/control.c that allows local unprivileged attackers to trigger
| memory corruption when privilege separation is disabled. Attackers
| can connect to the control socket and send a privileged command such
| as -x, causing control_recvdata() to free the client object while
| the same READ+HANGUP event subsequently reaches control_hangup()
| with the stale pointer, resulting in a use-after-free condition
| exploitable in deployments using --disable-privsep or where privsep
| initialization has failed with the control socket operating in mode
| 0666.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-56113
https://www.cve.org/CVERecord?id=CVE-2026-56113
[1] https://security-tracker.debian.org/tracker/CVE-2026-56114
https://www.cve.org/CVERecord?id=CVE-2026-56114
[2] https://security-tracker.debian.org/tracker/CVE-2026-56115
https://www.cve.org/CVERecord?id=CVE-2026-56115
[3] https://security-tracker.debian.org/tracker/CVE-2026-56116
https://www.cve.org/CVERecord?id=CVE-2026-56116
[4] https://security-tracker.debian.org/tracker/CVE-2026-56117
https://www.cve.org/CVERecord?id=CVE-2026-56117
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: dhcpcd
Source-Version: 1:10.1.0-11+deb13u3
Done: Martin-Éric Racine <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dhcpcd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin-Éric Racine <[email protected]> (supplier of updated dhcpcd
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 26 Jun 2026 18:23:21 +0300
Source: dhcpcd
Architecture: source
Version: 1:10.1.0-11+deb13u3
Distribution: trixie
Urgency: medium
Maintainer: Martin-Éric Racine <[email protected]>
Changed-By: Martin-Éric Racine <[email protected]>
Closes: 1140767
Changes:
dhcpcd (1:10.1.0-11+deb13u3) trixie; urgency=medium
.
* [patches] (Closes: #1140767)
+ Cherry-pick upstream fix for CVE-2025-70102 (commit 117742d).
+ Cherry-pick upstream fix for CVE-2026-56113 (commit 5733d3c).
+ Cherry-pick upstream fix for CVE-2026-56114 (commit 2f00c7b).
+ Cherry-pick upstream fix for CVE-2026-56116 (commit 708b4a5).
+ Cherry-pick upstream fix for CVE-2026-56117 (commit 78ea09e).
Checksums-Sha1:
a6e1acc7b0d62c756fb1cc234290f112670b5889 2164 dhcpcd_10.1.0-11+deb13u3.dsc
aa35ba650091de4f14e9e4b7aec7f0c1f19c181d 24840
dhcpcd_10.1.0-11+deb13u3.debian.tar.xz
18bad8c621441d39576cc523884066015fe8a594 6192
dhcpcd_10.1.0-11+deb13u3_source.buildinfo
Checksums-Sha256:
9de235c22001c41fae0c8185c4cf92d1b789009f8f6fdac7d81b9de57bfb30e2 2164
dhcpcd_10.1.0-11+deb13u3.dsc
f4867560736a382a1ee9cd658aa2469d23804ec6423903b3e2e34de5792d5f5d 24840
dhcpcd_10.1.0-11+deb13u3.debian.tar.xz
104bc9214fb11e33cdc1c66536815caef3b1b2f3655f075fd6ebcba44b771a43 6192
dhcpcd_10.1.0-11+deb13u3_source.buildinfo
Files:
7515d6c1a3646256668e1148f1b2ed59 2164 net optional dhcpcd_10.1.0-11+deb13u3.dsc
ff8f1d0525a27580b74020a42666385b 24840 net optional
dhcpcd_10.1.0-11+deb13u3.debian.tar.xz
e2fada9295592e137df52915fa67b919 6192 net optional
dhcpcd_10.1.0-11+deb13u3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEyJACx3qL7GpObXOQrh+Cd8S017YFAmo+oGcACgkQrh+Cd8S0
17bx7w/9FXXnv2B7ZZe7Aa1rn8ysMLKzEwhBeqThgFMexV3MnXoB/XGjzTadpgQ1
Fzh3d3CZHRQwAWGHb0j+qoCwimcompyvuM42m1iLqEANujRBXrf8aH9qxjf5yoC9
q+NiqF1PPt4H4Eak+qX5UsMlqCa5hBUuVMiRgpz1Q7vWcCNNpPA1g+vQcBnpBoAW
n8iiG5wQBof76ZeHDJxhD70Vjs4yXa+EGr6JhpjkP/DlU34ihQUDNbfJg6t9WodJ
UiO6zFLU+epfTvfl9xOyO/nBpcjOYrx9AvKq/WuRI1lfGnyYiPpQPAd4wVxpT48I
6fe3ib9BobYsGOieV5WmeTNEMdKkXvlhDQieQxDFB6ziKEwQsMToX2rcYsTFnvir
ipuisp7x+FYYwUBDH5MITt17lIFszZU9dbb3txQssivyf0cLGAW8/ptPDtoZP5f/
p4uSkJ5jbk4IJqWsEm31QajrkWohAXedmaVu2/oqJRwRaOh4nvC29GHPEwZxj6F4
MNXuJegi2h8wBsTOoLtRfdR01iOhsb6AIuvbt5AssvZ69fxnjn9IwkwpO7Wmrk2z
bSLO1eAAjiQAl+V+YtsS9Zxk6gxIp83M9FNheR/AB0UV7aYuBsZiYmRKXj/ofweI
UUgXiduPuBu8S3JhngpTxzLEWN9UJDJdXTnYMIM+rb6ClFW0ahs=
=1q+l
-----END PGP SIGNATURE-----
pgp8YLmZMM5k5.pgp
Description: PGP signature
--- End Message ---