Your message dated Tue, 07 May 2019 15:48:35 +0000
with message-id <e1ho2kz-0008xy...@fasolo.debian.org>
and subject line Bug#928104: fixed in dhcpcd5 7.1.0-2
has caused the Debian Bug report #928104,
regarding dhcpcd5: CVE-2019-11579: DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
928104: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928104
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dhcpcd5
Version: any
Severity: serious

Dear Maintainer,

Upstream released a new version of dhcpcd5 fixing three security issues. All 
versions currently found in Debian (jessie, stretch, buster, sid) are 
vulnerable to at least two of these issues, according to the announcement on 
upstream's mailing list [1].

The fixed issues are (copied from upstream's announcement):
  *  auth: Use consttime_memequal to avoid latency attack.
     consttime_memequal is supplied if libc does not support it.
     dhcpcd >=6.2 <7.2.1 are vulnerable

  *  DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
     dhcpcd >=4 <7.2.1 are vulnerable

  *  DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
     dhcpcd >=7 <7.2.1 are vulnerable


Upstream provides a patch series for version 7 which would be relevant for 
buster and sid [2]. In addition, version 6.10.6 was released with backported 
fixes for the first two issues [3][4]. These might be useful for backporting to 
stretch and wheezy as they ship versions 6.10.1 and 6.0.5.

Please consider applying/backporting those patches to the dhcpcd versions found 
in Debian. I have not checked the exploitability of these issues, so the 
severity might not be as serious. But I marked it serious anyway to make sure 
this issue doesn't fly under the radar.


Thanks and regards,

Timo

[1] https://roy.marples.name/archives/dhcpcd-discuss/0002415.html
[2] https://roy.marples.name/git/dhcpcd.git/patch/?id=23525884a346ed81c808c1ed90e3c56a8bf0cc68
[3] https://roy.marples.name/git/dhcpcd.git/patch/?id=3ad25d3b306c890df8a15250f5ded70764075aa8
[4] https://roy.marples.name/git/dhcpcd.git/patch/?id=b6605465e1ab8f9cb82bf6707c517505991f18a4

--- End Message ---
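The DHO_OPTSOVERLOADED issue in the report concerns how a DHCPv4 client walks its option area when option 52 redirects parsing into the fixed-size sname/file fields. As an added illustration (not dhcpcd's code and not taken from the report), here is a bounds-checked option walker in C: every code, length and data byte is checked against the remaining length before it is read, so a message that ends right after an option code is rejected rather than read one byte past its end. Option codes and field offsets follow RFC 2131/2132; both sample messages are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>
enum { DHO_PAD = 0, DHO_OPTSOVERLOADED = 52, DHO_END = 255 };   /* option codes as dhcpcd names them */
/* Fixed BOOTP layout: sname at 44 (64 bytes), file at 108 (128 bytes), options after the cookie at 240. */
enum { OFF_SNAME = 44, SNAME_LEN = 64, OFF_FILE = 108, FILE_LEN = 128, OFF_OPTS = 240 };

/* Walk one option area: 1 = found (length in *optlen), 0 = absent, -1 = malformed. Every byte is bounds-checked. */
static int scan_opts(const uint8_t *p, size_t len, uint8_t want, uint8_t *overload, size_t *optlen) {
    size_t i = 0;
    while (i < len) {
        uint8_t code = p[i++], l;
        if (code == DHO_PAD) continue;
        if (code == DHO_END) return 0;
        if (i >= len) return -1;          /* code is the last byte: reading its length would run 1 byte past the end */
        l = p[i++];
        if (l > len - i) return -1;       /* declared length overruns the area */
        if (code == DHO_OPTSOVERLOADED && l == 1 && overload) *overload = p[i];
        if (code == want) { *optlen = l; return 1; }
        i += l;
    }
    return 0;
}

/* Look up `want` in a whole DHCPv4 message, honouring option overload (RFC 2131 4.1); sname/file may not redirect again. */
int dhcp_find_option(const uint8_t *msg, size_t msglen, uint8_t want, size_t *optlen) {
    uint8_t overload = 0;
    int r;
    if (msglen < OFF_OPTS) return -1;
    if ((r = scan_opts(msg + OFF_OPTS, msglen - OFF_OPTS, want, &overload, optlen)) != 0) return r;
    if ((overload & 1) && (r = scan_opts(msg + OFF_FILE, FILE_LEN, want, NULL, optlen)) != 0) return r;
    if ((overload & 2) && (r = scan_opts(msg + OFF_SNAME, SNAME_LEN, want, NULL, optlen)) != 0) return r;
    return 0;
}

/* Constructed message: zeroed 240-byte header, `opts` after it, `file` bytes in the file field if given.
 * Returns the length of option 12 (host name), 0 if absent, -1 if the message is malformed. */
static int lookup_hostname(const uint8_t *opts, size_t ol, const uint8_t *file, size_t fl) {
    uint8_t msg[OFF_OPTS + 16] = {0};
    size_t n = 0;
    int r;
    memcpy(msg + OFF_OPTS, opts, ol);
    if (file) memcpy(msg + OFF_FILE, file, fl);
    return (r = dhcp_find_option(msg, OFF_OPTS + ol, 12, &n)) == 1 ? (int)n : r;
}
int demo_overloaded_lookup(void) {  /* overload=1 relocates option 12 into the file field: returns 3 */
    const uint8_t opts[] = {53, 1, 2, DHO_OPTSOVERLOADED, 1, 1, DHO_END};
    const uint8_t file[] = {12, 3, 'p', 'c', '1', DHO_END};
    return lookup_hostname(opts, sizeof opts, file, sizeof file);
}
int demo_truncated_lookup(void) {   /* message ends right after an option code, length byte absent: returns -1 */
    const uint8_t opts[] = {53, 1, 2, DHO_OPTSOVERLOADED};
    return lookup_hostname(opts, sizeof opts, NULL, 0);
}
```

The second sample is the shape of input a fuzzer or a hostile server can produce; the walker rejects it before touching the missing byte, which is the check to look for when auditing any option parser.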
--- Begin Message ---
Source: dhcpcd5
Source-Version: 7.1.0-2

We believe that the bug you reported is fixed in the latest version of
dhcpcd5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Leggett <sc...@sl.id.au> (supplier of updated dhcpcd5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 05 May 2019 21:55:14 +0800
Source: dhcpcd5
Binary: dhcpcd5 dhcpcd5-dbgsym
Architecture: source amd64
Version: 7.1.0-2
Distribution: unstable
Urgency: high
Maintainer: Scott Leggett <sc...@sl.id.au>
Changed-By: Scott Leggett <sc...@sl.id.au>
Description:
 dhcpcd5    - DHCPv4, IPv6RA and DHCPv6 client with IPv4LL support
Closes: 928056 928104 928105 928440
Changes:
 dhcpcd5 (7.1.0-2) unstable; urgency=high
 .
   * Apply upstream patches to fix potential security vulnerabilities:
     CVE-2019-11578, CVE-2019-11579, CVE-2019-11577, and CVE-2019-11766.
     (Closes: #928056, #928104, #928105, #928440)
   * Add lintian override for upstream patch spelling


--- End Message ---
