Send dhcp-users mailing list submissions to
        dhcp-users@lists.isc.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.isc.org/mailman/listinfo/dhcp-users
or, via email, send a message with subject or body 'help' to
        dhcp-users-requ...@lists.isc.org

You can reach the person managing the list at
        dhcp-users-ow...@lists.isc.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of dhcp-users digest..."


Today's Topics:

   1. Regarding RedHat vulnerability CVE-2018-1111 (Michael McNally)


----------------------------------------------------------------------

Message: 1
Date: Tue, 15 May 2018 13:46:32 -0800
From: Michael McNally <mcna...@isc.org>
To: dhcp-users@lists.isc.org
Subject: Regarding RedHat vulnerability CVE-2018-1111
Message-ID: <c00d0b70-ef1a-25d3-ba42-fde959a4e...@isc.org>
Content-Type: text/plain; charset=utf-8

Today RedHat announced CVE-2018-1111, a critical vulnerability in
their DHCP client package that is being referred to generically
in some discussions as a "DHCP vulnerability."  In order to
address any concerns that might arise we thought we ought to send
a short statement concerning the impact on ISC DHCP packages.

  We have examined the RedHat vulnerability and conclude that
  users of stock ISC DHCP should not be at risk.

Details on the RedHat vulnerability are available from RedHat:

  https://access.redhat.com/security/vulnerabilities/3442151

but the most important bit to know is that the vulnerability which
permits command injection is present in a client script which was
provided by RedHat.  RedHat does use dhclient code derived from ISC's
but the vulnerability is in an extension that they added; it's not
present in a build from source of DHCP packages distributed by ISC
and we wanted to reassure you that unless you are using the additional
client scripts provided by RedHat you are not vulnerable to this issue.

Additionally, we'd like to thank RedHat for informing us about their
vulnerability announcement -- giving us the chance to issue this
clarification and hopefully avoid confusion and worry among those
who are not at risk.

Sincerely yours,

Michael McNally
ISC Security Officer


------------------------------


End of dhcp-users Digest, Vol 115, Issue 6
******************************************
