Your message dated Tue, 08 Jun 2021 20:17:26 +0000
with message-id <[email protected]>
and subject line Bug#989157: fixed in isc-dhcp 4.4.1-2+deb10u1
has caused the Debian Bug report #989157,
regarding isc-dhcp: CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
989157: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989157
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: isc-dhcp
Version: 4.4.1-2.2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 4.4.1-2

Hi,

The following vulnerability was published for isc-dhcp.

CVE-2021-25217[0]:
| In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2
| (Other branches of ISC DHCP (i.e., releases in the 4.0.x series or
| lower and releases in the 4.3.x series) are beyond their End-of-Life
| (EOL) and no longer supported by ISC. From inspection it is clear that
| the defect is also present in releases from those series, but they
| have not been officially tested for the vulnerability), The outcome of
| encountering the defect while reading a lease that will trigger it
| varies, according to: the component being affected (i.e., dhclient or
| dhcpd) whether the package was built as a 32-bit or 64-bit binary
| whether the compiler flag -fstack-protection-strong was used when
| compiling In dhclient, ISC has not successfully reproduced the error
| on a 64-bit system. However, on a 32-bit system it is possible to
| cause dhclient to crash when reading an improper lease, which could
| cause network connectivity problems for an affected system due to the
| absence of a running DHCP client process. In dhcpd, when run in DHCPv4
| or DHCPv6 mode: if the dhcpd server binary was built for a 32-bit
| architecture AND the -fstack-protection-strong flag was specified to
| the compiler, dhcpd may exit while parsing a lease file containing an
| objectionable lease, resulting in lack of service to clients.
| Additionally, the offending lease and the lease immediately following
| it in the lease database may be improperly deleted. if the dhcpd
| server binary was built for a 64-bit architecture OR if the -fstack-
| protection-strong compiler flag was NOT specified, the crash will not
| occur, but it is possible for the offending lease and the lease which
| immediately followed it to be improperly deleted.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-25217
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25217
[1] https://kb.isc.org/docs/cve-2021-25217
[2] https://www.openwall.com/lists/oss-security/2021/05/26/6

Regards,
Salvatore

--- End Message ---
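As an added example (not part of the bug report or of the isc-dhcp package), a small Python reimplementation of dpkg's version ordering, used to check an installed isc-dhcp version against the buster fix from this thread. The FIXED_VERSIONS table is an assumption that carries only the buster version given here; note that the unstable version 4.4.1-2.2 reported above sorts above 4.4.1-2+deb10u1 although it is not the fixed upload, which is why the check is keyed by suite rather than by version alone.

```python
import re

# Fixed version stated in this bug report; only the buster (deb10) upload is given.
FIXED_VERSIONS = {"buster": "4.4.1-2+deb10u1"}

def _order(c):
    # dpkg's character ordering: '~' < end-of-string < letters < other symbols.
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare an upstream or revision fragment the way dpkg's verrevcmp does.
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character with _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa, ob = _order(a[i:i + 1]), _order(b[j:j + 1])
            if oa != ob:
                return oa - ob
            i, j = i + 1, j + 1
        # Numeric run: compare as integers, so leading zeros are ignored.
        na, nb = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(na), j + len(nb)
        diff = int(na or "0") - int(nb or "0")
        if diff:
            return diff
    return 0

def _split(version):
    # "[epoch:]upstream[-revision]"; the revision starts at the last '-'.
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Negative, zero or positive, like dpkg --compare-versions."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(installed, suite):
    """True/False against the suite's fixed version; None when this page gives none."""
    fixed = FIXED_VERSIONS.get(suite)
    return None if fixed is None else compare_versions(installed, fixed) >= 0
```

On a real host the installed version would come from `dpkg-query -W -f='${Version}' isc-dhcp-server` and the suite from /etc/os-release; a backport such as 4.4.1-2~bpo10+1 correctly sorts below 4.4.1-2 because of the tilde rule.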
--- Begin Message ---
Source: isc-dhcp
Source-Version: 4.4.1-2+deb10u1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
isc-dhcp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated isc-dhcp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Thu, 03 Jun 2021 12:59:09 +0200
Source: isc-dhcp
Architecture: source
Version: 4.4.1-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian ISC DHCP Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 989157
Changes:
 isc-dhcp (4.4.1-2+deb10u1) buster; urgency=medium
 .
   * Non-maintainer upload.
   * A buffer overrun in lease file parsing code can be used to exploit a
     common vulnerability shared by dhcpd and dhclient (CVE-2021-25217)
     (Closes: #989157)

--- End Message ---