
Debian-LTS alert DLA-506-1 (dhcpcd5)

From:  Ola Lundqvist <opal@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 506-1] dhcpcd5 security update
Date:  Mon, 6 Jun 2016 23:38:06 +0200
Message-ID:  <20160606213806.GA16868@inguza.net>
Cc:  ola@inguza.com

Package        : dhcpcd5
Version        : 5.5.6-1+deb7u2
CVE ID         : CVE-2014-7912 CVE-2014-7913
Debian Bug     : N/A

Two vulnerabilities were discovered in dhcpcd5, a DHCP client package.
A remote (on a local network) attacker can possibly execute arbitrary
code or cause a denial of service attack by crafted messages.

CVE-2014-7912

    The get_option function does not validate the relationship between
    length fields and the amount of data, which allows remote DHCP
    servers to execute arbitrary code or cause a denial of service
    (memory corruption) via a large length value of an option in a
    DHCPACK message.

CVE-2014-7913

    The print_option function misinterprets the return value of the
    snprintf function, which allows remote DHCP servers to execute
    arbitrary code or cause a denial of service (memory corruption)
    via a crafted message.

For Debian 7 "Wheezy", these problems have been fixed in version
5.5.6-1+deb7u2.

We recommend that you upgrade your dhcpcd5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Folkebogatan 26          \
|  ola@inguza.com                      654 68 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F /
 ---------------------------------------------------------------
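The kind of length check that the CVE-2014-7912 description says was missing, shown as an added example (not dhcpcd's code and not part of the advisory): a minimal walker over the RFC 2132 code/length/value option encoding that refuses any option whose declared length exceeds the bytes actually received. The function name, return codes and sample buffers are made up for illustration; option overload and RFC 3396 long-option concatenation are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_PAD 0
#define OPT_END 255

/* Find option `code` in a DHCP options field (RFC 2132 code/length/value
 * encoding). On success returns 0 and sets *val / *vlen to the value bytes
 * inside buf. Returns -1 if the option is absent and -2 if any length
 * field points past the end of the received data. */
int find_option(const uint8_t *buf, size_t buflen, uint8_t code,
                const uint8_t **val, size_t *vlen)
{
    size_t i = 0;

    while (i < buflen) {
        uint8_t c = buf[i++];
        if (c == OPT_PAD)
            continue;               /* single byte, no length field */
        if (c == OPT_END)
            break;
        if (i >= buflen)
            return -2;              /* code byte with no length byte */
        size_t len = buf[i++];
        if (len > buflen - i)
            return -2;              /* declared length exceeds data left */
        if (c == code) {
            *val = buf + i;
            *vlen = len;
            return 0;
        }
        i += len;
    }
    return -1;
}

/* Constructed sample data: option 53 (message type) = 5 (DHCPACK), then
 * option 12 (host name) declaring 200 bytes while only 2 follow. */
static const uint8_t sample_bad[] = { 53, 1, 5, 12, 200, 'h', 'i' };
/* Constructed well-formed counterpart. */
static const uint8_t sample_ok[] = { 53, 1, 5, 0, 12, 2, 'h', 'i', 255 };

int main(void)
{
    const uint8_t *v; size_t n;
    printf("ok: %d\n", find_option(sample_ok, sizeof sample_ok, 12, &v, &n));
    printf("bad: %d\n", find_option(sample_bad, sizeof sample_bad, 12, &v, &n));
    return 0;
}
```

The comparison is written as `len > buflen - i` rather than `i + len > buflen` so that it cannot wrap, and callers must treat -2 as a reason to drop the whole message rather than skip the one option.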

