On Wed, Jan 26, 2011 at 03:24:19PM -0600, Raphael Geissert wrote:
> Package: isc-dhcp-server
> Version: 4.1.1-P1-15
> Severity: grave
> Tags: security patch
>
> Hi Ari,
>
> Just as a public record, the following advisory (CVE-2011-0413[0]) has been
> published by ISC[1]:
>
> > When the DHCPv6 server code processes a message for an address that was
> > previously declined and internally tagged as abandoned it can trigger an
> > assert failure resulting in the server crashing. This could be used to
> > crash DHCPv6 servers remotely. This issue only affects DHCPv6 servers.
> > DHCPv4 servers are unaffected.
>
> I'm attaching the patch that was used for 4.1-ESV, which applies almost
> cleanly to 4.1.1-P1 (a 3-line difference between hunks). I have not tested it,
> though.
>
>
> [0]http://security-tracker.debian.org/tracker/CVE-2011-0413
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0413
> [1]http://www.isc.org/software/dhcp/advisories/cve-2011-0413
Why was there no maintainer reaction for a week? Now we need to prepare
a DSA for this :-/
Cheers,
Moritz