lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1SuRqz-0003hd-7E@titan.mandriva.com>
Date: Thu, 26 Jul 2012 19:28:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2012:116 ] dhcp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:116
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : dhcp
 Date    : July 26, 2012
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been discovered and corrected in ISC DHCP:
 
 An error in the handling of malformed client identifiers can cause
 a DHCP server running affected versions (see Impact) to enter a
 state where further client requests are not processed and the server
 process loops endlessly, consuming all available CPU cycles. Under
 normal circumstances this condition should not be triggered, but a
 non-conforming or malicious client could deliberately trigger it in
 a vulnerable server. In order to exploit this condition an attacker
 must be able to send requests to the DHCP server (CVE-2012-3571).
 
 Two memory leaks have been found and fixed in ISC DHCP. Both are
 reproducible when running in DHCPv6 mode (with the -6 command-line
 argument.) The first leak is confirmed to only affect servers
 operating in DHCPv6 mode, but based on initial code analysis the
 second may theoretically affect DHCPv4 servers (though this has not
 been demonstrated.) (CVE-2012-3954).
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3571
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3954
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 98ba7b30258cfd06bc7a19bd4757a183  mes5/i586/dhcp-client-4.1.2-0.7mdvmes5.2.i586.rpm
 331d5e2d556f3877f16173d13ec68b5f  mes5/i586/dhcp-common-4.1.2-0.7mdvmes5.2.i586.rpm
 1af957f584ba970e1842df8b292b9474  mes5/i586/dhcp-devel-4.1.2-0.7mdvmes5.2.i586.rpm
 e6ee64358b5c5bca19e16e523a071711  mes5/i586/dhcp-doc-4.1.2-0.7mdvmes5.2.i586.rpm
 39fb25199a18755c702a3e746b3bb8f4  mes5/i586/dhcp-relay-4.1.2-0.7mdvmes5.2.i586.rpm
 f1da21f64e8867506447422ffd871195  mes5/i586/dhcp-server-4.1.2-0.7mdvmes5.2.i586.rpm 
 b1615f9c33a0cbb3e6e7e1e7ef04ee07  mes5/SRPMS/dhcp-4.1.2-0.7mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 fb2e6ba527910d8ef4dd1f7a48f30356  mes5/x86_64/dhcp-client-4.1.2-0.7mdvmes5.2.x86_64.rpm
 cf5be061e3c8870e70a54df491a7b329  mes5/x86_64/dhcp-common-4.1.2-0.7mdvmes5.2.x86_64.rpm
 3f20bd4ffd8855696f76876994c286d8  mes5/x86_64/dhcp-devel-4.1.2-0.7mdvmes5.2.x86_64.rpm
 c4fa73d255e097277d501e2fd008c145  mes5/x86_64/dhcp-doc-4.1.2-0.7mdvmes5.2.x86_64.rpm
 ddb661502b75f6e6b454e369719961f1  mes5/x86_64/dhcp-relay-4.1.2-0.7mdvmes5.2.x86_64.rpm
 89911babd5524527358b41a787136450  mes5/x86_64/dhcp-server-4.1.2-0.7mdvmes5.2.x86_64.rpm 
 b1615f9c33a0cbb3e6e7e1e7ef04ee07  mes5/SRPMS/dhcp-4.1.2-0.7mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQEVJymqjQ0CJFipgRAgZ/AJoDUR3yQZ+z5pywvEKKb3ZhsdnlwwCgjF1V
8RcyXB2jyJfp5uHmWRMZZPU=
=jLLd
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ