Package: dhcpcd5
Version: any
Severity: serious

Dear Maintainer,

Upstream released a new version of dhcpcd5 fixing three security issues. All versions currently found in Debian (jessie, stretch, buster, sid) are vulnerable to at least two of these issues, according to the announcement on upstream's mailing list [1].

The fixed issues are (copied from upstream's announcement):

* auth: Use consttime_memequal to avoid latency attack
  consttime_memequal is supplied if libc does not support it
  dhcpcd >=6.2 <7.2.1 are vulnerable
* DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
  dhcpcd >=4 <7.2.1 are vulnerable
* DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
  dhcpcd >=7 <7.2.1 are vulnerable

Upstream provides a patch series for version 7 which would be relevant for buster and sid [2]. In addition, version 6.10.6 was released with backported fixes for the first two issues [3][4]. These might be useful for backporting to stretch and wheezy, as they ship versions 6.10.1 and 6.0.5.

Please consider applying/backporting those patches to the dhcpcd versions found in Debian.

I have not checked the exploitability of these issues, so the severity might not be as serious. But I marked it serious anyway to make sure this issue doesn't fly under the radar.

Thanks and regards,
Timo

[1] https://roy.marples.name/archives/dhcpcd-discuss/0002415.html
[2] https://roy.marples.name/git/dhcpcd.git/patch/?id=23525884a346ed81c808c1ed90e3c56a8bf0cc68
[3] https://roy.marples.name/git/dhcpcd.git/patch/?id=3ad25d3b306c890df8a15250f5ded70764075aa8
[4] https://roy.marples.name/git/dhcpcd.git/patch/?id=b6605465e1ab8f9cb82bf6707c517505991f18a4
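The first item in the upstream list (using consttime_memequal for the auth digest check) is about a timing side channel: a comparison that returns at the first differing byte takes longer the more leading bytes of an attacker's guess are correct. The following C program is an added illustration of that class of bug and its fix; it is not dhcpcd's code and not the upstream patch, and the 16-byte digest, the function names and the `struct cmp_result` step counter are constructed for the example. The step count stands in for the latency a remote attacker would measure.

```c
#include <stddef.h>
#include <stdio.h>

/* Result of a comparison plus the number of bytes it examined. The step
 * count stands in for the wall-clock time a remote attacker would measure. */
struct cmp_result {
    int equal;      /* 1 if the buffers match, 0 otherwise */
    size_t steps;   /* bytes examined before returning */
};

/* Early-exit comparison, the pattern memcmp()-style code follows: it returns
 * at the first differing byte, so the step count (and latency) grows with the
 * length of the correct prefix. A digest can then be guessed byte by byte. */
struct cmp_result leaky_memequal(const unsigned char *a, const unsigned char *b, size_t n)
{
    struct cmp_result r = { 1, n };
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            r.equal = 0;
            r.steps = i + 1;
            return r;
        }
    }
    return r;
}

/* Constant-time comparison in the style of NetBSD's consttime_memequal(3):
 * every byte is read and the differences are OR-folded, so the step count and
 * the branch pattern are the same whether the mismatch is at byte 0 or 15.
 * volatile discourages the compiler from inserting an early exit of its own. */
struct cmp_result ct_memequal(const unsigned char *a, const unsigned char *b, size_t n)
{
    const volatile unsigned char *va = a;
    const volatile unsigned char *vb = b;
    unsigned int diff = 0;
    struct cmp_result r;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= va[i] ^ vb[i];
    /* diff is in 0..255; (diff - 1) >> 8 has bit 0 set only when diff == 0 */
    r.equal = 1 & ((diff - 1) >> 8);
    r.steps = n;
    return r;
}

/* Constructed sample: a 16-byte "expected" digest. The bytes are made up for
 * the demonstration; a real client would compute this as an HMAC over the
 * received message. */
static const unsigned char expected[16] = {
    0x4a,0x1f,0x9c,0xd2,0x03,0xee,0x71,0x58,0xb6,0x2d,0xc4,0x90,0x17,0xfa,0x33,0x65
};

/* Build a guess that matches `expected` for the first `good` bytes and then
 * differs in every remaining byte; `good` == 16 yields a fully correct guess. */
void make_guess(unsigned char out[16], size_t good)
{
    size_t i;
    for (i = 0; i < 16; i++)
        out[i] = (i < good) ? expected[i] : (unsigned char)(expected[i] ^ 0xff);
}

/* Compare `expected` against a guess with `good` correct leading bytes, using
 * the leaky routine if `leaky` is nonzero and the constant-time one otherwise. */
struct cmp_result compare_with_prefix(int leaky, size_t good)
{
    unsigned char guess[16];
    make_guess(guess, good);
    return leaky ? leaky_memequal(expected, guess, 16)
                 : ct_memequal(expected, guess, 16);
}

int main(void)
{
    size_t good;
    printf("%-8s %-12s %-12s\n", "prefix", "leaky steps", "ct steps");
    for (good = 0; good <= 16; good += 4)
        printf("%-8zu %-12zu %-12zu\n", good,
               compare_with_prefix(1, good).steps,
               compare_with_prefix(0, good).steps);
    return 0;
}
```

Running it prints a table in which the leaky column climbs 1, 5, 9, 13, 16 as the correct prefix grows while the constant-time column stays at 16. In a real client the equivalent of `ct_memequal` is what should sit behind the authentication option check; where libc lacks consttime_memequal(3), shipping a private copy (as upstream's item says it does) is the usual approach.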