dhcpcd-6.4.6 released
Roy Marples
Sat Sep 27 01:10:11 2014

Hi List!

dhcpcd-6.4.6 has been released with the following changes:

* configure errors are now logged to config.log
* Only hunt for a cross compiler if build != host
* Detect removal of IPv6 routes
* Don't add link-local addresses to POINTOPOINT interfaces
* Don't discard expired DHCPv6 leases when dumping them
* If a DHCPv6 lease has no timers, expire it right away
* Report delegated addresses
* Call dhcpcd-run-hooks correctly when delegated prefixes already exist
* Fix a memory error when ia_* config exists but IPv6 is disabled
* Ensure servername and bootfile are safely exported
* Sanitise the following characters using svis(3) with VIS_CSTYLE and
  VIS_OCTAL:
    | ^ & ; < > ( ) $ ` \ " ' <tab> <newline>
  This allows a non buggy unvis(1) to decode it 100% and stays compatible
  with how dhcpcd used to handle encoding on most platforms.
  For systems that supply svis(3) there is a code reduction, for systems
  that do not, a slight code increase. This change mitigates systems
  affected by bash CVE-2014-6271 and CVE-2014-7169.

Obviously the last one is quite important as DHCP/RA is one of the
attack vectors for the "shellshock" bug.
As dhcpcd cannot know if /bin/sh is vulnerable (and as of now, bash is
*still* vulnerable), it sanitises all the important shell characters as
noted in IEEE Std 1003.1, 2004 Edition, 2. Shell Command Language,
2.2 Quoting with the exception of the space character.
http://pubs.opengroup.org/onlinepubs/009604599/utilities/xcu_chap02.html

Download links:
ftp://roy.marples.name/pub/dhcpcd/dhcpcd-6.4.6.tar.bz2
http://roy.marples.name/downloads/dhcpcd/dhcpcd-6.4.6.tar.bz2

Thanks

Roy
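
The sanitising step described in the announcement, sketched as an added example (not dhcpcd's code and not a reimplementation of svis(3)): each character from the listed set, and each non-printable byte, is written as a backslash plus three octal digits, whereas VIS_CSTYLE would use C-style forms for some of them. The function name, buffer sizes, printed variable name and sample value are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Set from the announcement; the space character is deliberately left alone. */
static const char SHELL_META[] = "|^&;<>()$`\\\"'\t\n";

/*
 * Copy src into dst, writing each listed character and each non-printable
 * byte as a backslash plus three octal digits. Hypothetical helper: returns
 * the encoded length, or -1 if dst (dstlen bytes) cannot hold the result.
 */
long encode_env_value(char *dst, size_t dstlen, const char *src)
{
    size_t o = 0;

    if (dstlen == 0)
        return -1;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        int escape = c < 0x20 || c >= 0x7f || strchr(SHELL_META, c) != NULL;

        if (!escape) {
            if (o + 1 >= dstlen)
                return -1;
            dst[o++] = (char)c;
            continue;
        }
        if (o + 4 >= dstlen)
            return -1;
        dst[o++] = '\\';
        dst[o++] = (char)('0' + (c >> 6));
        dst[o++] = (char)('0' + ((c >> 3) & 7));
        dst[o++] = (char)('0' + (c & 7));
    }
    dst[o] = '\0';
    return (long)o;
}

int main(void)
{
    /* Constructed bootfile value; the variable name printed is hypothetical. */
    const char *bootfile = "pxe/boot (v1); $x `y`\t";
    char out[128];

    if (encode_env_value(out, sizeof(out), bootfile) < 0)
        return 1;
    printf("bootfile=%s\n", out);
    return 0;
}
```

After encoding, the only listed character left in the value is the backslash that introduces each escape, so the string handed to the hook script's environment no longer carries quoting or command-separator characters in raw form.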