Hi, On Tue, Jan 26, 2016 at 07:55:02AM +0000, Mike Gabriel wrote: > HI Guido, > > On Mo 25 Jan 2016 20:44:34 CET, Guido Günther wrote: > > >Hi, > >looking at the above CVEs concerning dhcpcd, you wrote > > > ># Remove not-affected tags for squeeze. By simple code inspection we > ># cannot say that the issue is not present in squeeze's / wheezy's version > ># of dhcpcd. Further actions: try exploit, ask upstream, second opinion. > > > >did you contact upstream about that alread? I don't want to bother them > >again. > >Cheers, > > -- Guido > > No, I haven't contacted upstream, yet. Nor have I tried the exploit on > dhcpcd in Debian squeeze(-lts).
Thanks for the heads up! I had a closer look and think squeeze is not affected (will have to check wheezy) since dhcpcd doesn't munge embedded or encapsulated options and marked the package accordingly. I also contacted the current and former maintainers to double check. Cheers, -- Guido
