Thanks for the heads-up. CVE-2026-56115 doesn't seem to concern dhcpcd, though.

Martin-Éric

On Fri 26 Jun 2026 at 07:15, Salvatore Bonaccorso ([email protected]) wrote:
>
> Source: dhcpcd
> Version: 1:10.3.2-3
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
>
> Hi,
>
> The following vulnerabilities were published for dhcpcd.
>
> CVE-2026-56113[0]:
> | dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a heap use-
> | after-free vulnerability that allows unauthenticated same-link
> | attackers to crash the daemon by sending a crafted DHCPv6 RENEW
> | reply with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid
> | lifetimes set to zero. Attackers acting as or impersonating a DHCPv6
> | server can trigger dhcp6_deprecatedele() to free a delegated child
> | address while an outer TAILQ_FOREACH_SAFE iterator in
> | dhcp6_deprecateaddrs() still holds the freed pointer, causing a use-
> | after-free when TAILQ_REMOVE is reached.
>
>
> CVE-2026-56114[1]:
> | dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte
> | stack out-of-bounds write vulnerability in dhcp6_makemessage() in
> | src/dhcp6.c that allows unauthenticated same-link attackers to write
> | beyond a fixed local buffer by serializing an oversized RFC6603
> | OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6
> | ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid
> | OPTION_PD_EXCLUDE using an exclude prefix length of /121 through
> | /128 to trigger the out-of-bounds write and potentially corrupt
> | adjacent stack memory.
>
>
> CVE-2026-56115[2]:
> | Bootimus through 0.1.70 contains a broken access control
> | vulnerability that allows authenticated low-privileged users to
> | perform administrative actions by exploiting missing role
> | enforcement in the JWTMiddleware function in internal/auth/auth.go,
> | which validates JWT tokens and account status but fails to inspect
> | the is_admin flag. Attackers can send requests to any endpoint under
> | the /api/users path to create new administrator accounts or reset
> | administrator passwords, thereby gaining full control of the server
> | and the ability to modify boot menus and installation scripts served
> | to PXE clients.
>
>
> CVE-2026-56116[3]:
> | dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a memory
> | leak vulnerability in the IPv6 Router Advertisement route
> | information handling that allows an unauthenticated same-link
> | attacker to cause denial of service by sending crafted Router
> | Advertisements. Attackers can repeatedly send Router Advertisements
> | containing Route Information options with a lifetime of zero,
> | triggering unfreed allocations in routeinfo_findalloc() that cause
> | linear memory exhaustion and eventual daemon crash.
>
>
> CVE-2026-56117[4]:
> | dhcpcd through 10.3.2, fixed in commit 78ea09e, contains a heap use-
> | after-free vulnerability in the control socket handling within
> | src/control.c that allows local unprivileged attackers to trigger
> | memory corruption when privilege separation is disabled. Attackers
> | can connect to the control socket and send a privileged command such
> | as -x, causing control_recvdata() to free the client object while
> | the same READ+HANGUP event subsequently reaches control_hangup()
> | with the stale pointer, resulting in a use-after-free condition
> | exploitable in deployments using --disable-privsep or where privsep
> | initialization has failed with the control socket operating in mode
> | 0666.
>
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2026-56113
>     https://www.cve.org/CVERecord?id=CVE-2026-56113
> [1] https://security-tracker.debian.org/tracker/CVE-2026-56114
>     https://www.cve.org/CVERecord?id=CVE-2026-56114
> [2] https://security-tracker.debian.org/tracker/CVE-2026-56115
>     https://www.cve.org/CVERecord?id=CVE-2026-56115
> [3] https://security-tracker.debian.org/tracker/CVE-2026-56116
>     https://www.cve.org/CVERecord?id=CVE-2026-56116
> [4] https://security-tracker.debian.org/tracker/CVE-2026-56117
>     https://www.cve.org/CVERecord?id=CVE-2026-56117
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
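The /121 through /128 range quoted for CVE-2026-56114 follows directly from the RFC 6603 option layout: OPTION_PD_EXCLUDE option-data is one prefix-len byte followed by ceil((prefix-len - delegated-prefix-len) / 8) bytes of subnet ID, so against a /0 delegated prefix an exclude length of /120 needs 16 bytes while /121 through /128 need 17. The following C program is an added example, not dhcpcd's code and not the fix referenced in the advisory; it computes that length, serializes the option with a bounds check, and assumes (as an inference from the "one-byte" overflow and the /121 threshold, not something the report states) a 16-byte fixed local buffer named PD_EXCLUDE_BUF. Function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6603 section 4.2, OPTION_PD_EXCLUDE option-data:
 *   prefix-len      1 byte   length of the excluded prefix
 *   IPv6 subnet ID  ceil((prefix-len - delegated-prefix-len) / 8) bytes,
 *                   the excluded prefix's bits after the delegated prefix,
 *                   left-aligned
 * Total option-data length = 1 + ceil((prefix-len - delegated-prefix-len)/8).
 */

/* Assumed buffer size (not taken from dhcpcd): 16 bytes is the size for
 * which /121 through /128 against a /0 delegated prefix overflows by exactly
 * one byte, matching the advisory's description. */
#define PD_EXCLUDE_BUF 16

/* Option-data length for the given delegated and excluded prefix lengths.
 * Returns 0 for combinations RFC 6603 does not allow: the excluded prefix
 * must be longer than the delegated prefix and at most 128 bits. */
size_t pd_exclude_optlen(unsigned delegated_len, unsigned exclude_len)
{
    if (exclude_len > 128 || exclude_len <= delegated_len)
        return 0;
    return 1 + (size_t)(exclude_len - delegated_len + 7) / 8;
}

/* 1 if the option-data fits in the assumed 16-byte local buffer, else 0. */
int pd_exclude_fits(unsigned delegated_len, unsigned exclude_len)
{
    size_t n = pd_exclude_optlen(delegated_len, exclude_len);
    return n != 0 && n <= PD_EXCLUDE_BUF;
}

/* Serialize option-data into buf, refusing anything that would not fit.
 * prefix holds the full 128-bit excluded prefix. Returns the number of
 * bytes written, or 0 on invalid input or insufficient buffer space. */
size_t pd_exclude_serialize(uint8_t *buf, size_t buflen,
                            const uint8_t prefix[16],
                            unsigned delegated_len, unsigned exclude_len)
{
    size_t optlen = pd_exclude_optlen(delegated_len, exclude_len);
    if (optlen == 0 || optlen > buflen)
        return 0;               /* the check the overflow needs */

    unsigned nbits = exclude_len - delegated_len;
    buf[0] = (uint8_t)exclude_len;
    memset(buf + 1, 0, optlen - 1);
    /* Copy bits delegated_len .. exclude_len-1 of the prefix, left-aligned,
     * one bit at a time since delegated_len need not be byte-aligned. */
    for (unsigned i = 0; i < nbits; i++) {
        unsigned src = delegated_len + i;
        unsigned bit = (prefix[src / 8] >> (7 - src % 8)) & 1u;
        buf[1 + i / 8] |= (uint8_t)(bit << (7 - i % 8));
    }
    return optlen;
}

int main(void)
{
    /* Constructed sample input: an all-zero /0 delegated prefix, as an
     * IAPREFIX /0 from a crafted ADVERTISE would carry. */
    const uint8_t zero[16] = {0};
    uint8_t buf[PD_EXCLUDE_BUF];

    for (unsigned len = 119; len <= 128; len++) {
        size_t n = pd_exclude_serialize(buf, sizeof buf, zero, 0, len);
        printf("delegated /0, exclude /%u: option-data %zu bytes -> %s\n",
               len, pd_exclude_optlen(0, len), n ? "fits" : "rejected");
    }
    return 0;
}
```

The length check before the copy is the whole point: a serializer that computes the subnet-ID length and writes without comparing it to the destination size will write the 17th byte past a 16-byte buffer for every exclude length from /121 up, exactly the range the advisory names.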
