Gentoo Archives: gentoo-announce

From: Aaron Bauman <bman@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201804-05 ] ISC DHCP: Multiple vulnerabilities
Date: Sun, 08 Apr 2018 16:49:10
Message-Id: 20180408164727.GG24250@monkey
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201804-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: ISC DHCP: Multiple vulnerabilities
     Date: April 08, 2018
     Bugs: #644708, #649010
       ID: 201804-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in ISC DHCP, the worst of
which could allow for the remote execution of arbitrary code.

Background
==========

ISC DHCP is a Dynamic Host Configuration Protocol (DHCP) client/server.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/dhcp              < 4.3.6_p1               >= 4.3.6_p1

Description
===========

Multiple vulnerabilities have been discovered in ISC DHCP. Please
review the CVE identifiers referenced below for details.

Impact
======

Remote attackers could execute arbitrary code, cause a Denial of
Service condition, or have other unspecified impacts.

Workaround
==========

There are no known workarounds at this time for CVE-2018-5732 or
CVE-2018-5733.

In accordance with upstream documentation, the recommended workaround
for CVE-2017-3144 is, "to disallow access to the OMAPI control port
from unauthorized clients (in accordance with best practices for server
operation)."
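
An added example, not part of the advisory or of any ISC or Gentoo tooling: a shell audit for the CVE-2017-3144 workaround that reads the `omapi-port` statement from dhcpd.conf text and lists non-loopback listeners on that port from `ss -ltn` output. The function names, the sample configuration, the sample socket listing and port 7911 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit OMAPI exposure (workaround for CVE-2017-3144).
# All sample data below is constructed; function names are illustrative.

# Print the port of an "omapi-port N;" statement from dhcpd.conf text on stdin.
# '#' comments are ignored; prints nothing when the statement is absent.
omapi_port() {
    sed 's/#.*//' | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "omapi-port") { p = $(i + 1); sub(/;.*/, "", p); print p; exit }
    }'
}

# Read `ss -ltn` output on stdin; print non-loopback listeners on port $1.
exposed_listeners() {
    awk -v port="$1" '$1 == "LISTEN" {
        addr = $4                              # "Local Address:Port" column
        n = split(addr, parts, ":")
        if (parts[n] != port) next
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (host ~ /^127\./ || host == "[::1]") next
        print addr
    }'
}

# $1 = dhcpd.conf path, $2 = file with `ss -ltn` output.
# Returns 0 if OMAPI is off or loopback-only, 1 if other listeners exist.
omapi_audit() {
    port=$(omapi_port < "$1")
    [ -n "$port" ] || { echo "omapi-port not set: OMAPI disabled"; return 0; }
    hits=$(exposed_listeners "$port" < "$2")
    [ -n "$hits" ] || { echo "port $port: no non-loopback listener"; return 0; }
    echo "port $port reachable on: $hits; restrict it to authorized clients"
    return 1
}

sample_conf() {   # constructed dhcpd.conf
    printf '%s\n' 'authoritative;' '# omapi-port 7000;' 'omapi-port 7911;  # control channel'
}
sample_ss() {     # constructed `ss -ltn` output
    printf '%s\n' 'State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
        'LISTEN 0 128 127.0.0.1:953 0.0.0.0:*' \
        'LISTEN 0 1   0.0.0.0:7911  0.0.0.0:*' \
        'LISTEN 0 1   [::1]:7911    [::]:*'
}
```

A non-zero status from `omapi_audit` means the control port is listening beyond loopback, so access has to be limited by packet filtering to the hosts that are authorized to manage the server.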

Resolution
==========

All DHCP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/dhcp-4.3.6_p1"

References
==========

[ 1 ] CVE-2017-3144
      https://nvd.nist.gov/vuln/detail/CVE-2017-3144
[ 2 ] CVE-2018-5732
      https://nvd.nist.gov/vuln/detail/CVE-2018-5732
[ 3 ] CVE-2018-5733
      https://nvd.nist.gov/vuln/detail/CVE-2018-5733

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201804-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
