Control: retitle -1 dhcpcd5: CVE-2019-11766: DHCPv6: Potential read overflow with D6_OPTION_PD_EXCLUDE
Hi,

On Sat, May 04, 2019 at 08:08:38PM +0200, Timo Sigurdsson wrote:
> Package: dhcpcd5
> Version: 7.1.0-1
> Severity: serious
> Tags: security upstream fixed-upstream
>
> Dear Maintainer,
>
> another week - another bug ;) Upstream released version 7.2.2 of
> dhcpcd5 fixing another potential security issue in DHCPv6. All
> versions currently supported in Debian (jessie, stretch, buster,
> sid) seem to be vulnerable [1].
>
> The following issue has been fixed (copied from upstream's announcement):
> * DHCPv6: Fix a potential read overflow with D6_OPTION_PD_EXCLUDE
>
> Upstream provides two patches for version 7 which would be relevant
> for buster and sid [2][3]. In addition, version 6.10.7 was released
> addressing the same issue. The patches from this release might be
> useful for backporting to stretch and jessie [4][5].
>
> Please consider applying/backporting those patches in your next
> round of uploads.

This issue has been assigned CVE-2019-11766 by MITRE.

Regards,
Salvatore

