dhcpcd-discuss

dhcpcd-6.10.0 released

Roy Marples

Thu Jan 07 17:18:02 2016

Hi List! Happy 2016!

To kick off the new year, here is a new dhcpcd release with the
following changes:
  *  --noption requires an argument
  *  optimise the ARP BPF filter, thanks to Nate Karstens
  *  send gratuitous ARP each time we apply our IP address
  *  fix truncation of hostnames based on the short hostname option
  *  improve routing and address management by always loading all
     interfaces, routes and addresses even for interfaces we are
     not directly working on
  *  timezone, lookup-hostname, wpa_supplicant and YP hooks are no
     longer installed by default but are installed to an example
     directory
  *  fix compile on kFreeBSD
     thanks to Christoph Egger for providing a temporary build host
  *  improve error logging of packet parsing
  *  fix ignoring routing messages generated by dhcpcd just before
     forking
  *  fix handling of rapid commit messages (allow ACK after DISCOVER)
  *  add PROBE state so we can easily reject DHCP messages received
     during the ARP probe phase
  *  fix CVE-2016-1503
  *  fix CVE-2016-1504

Care should be taken for this upgrade because dhcpcd will no longer try
to manage wpa_supplicant by default - if you rely on this you will have
to ensure you update the hook yourself or manage starting/stopping
wpa_supplicant another way.
The rationale is that it's not really the job of dhcpcd to configure the
interface.

The two CVEs mentioned are to do with malformed DHCP messages causing
dhcpcd to crash. The current view is the worst case is a DoS.
http://openwall.com/lists/oss-security/2016/01/07/3
http://roy.marples.name/projects/dhcpcd/info/76a1609352263bd9
http://roy.marples.name/projects/dhcpcd/info/595883e2a431f65d
Subsequent commits have improved the above work, but the above two
really fix the issues.

dhcpcd releases from 4.0.0 onwards are vulnerable to the first issue,
6.0.0 onwards for the second issue.
Contact me off list if you need help with patching a specific dhcpcd
version, but I do encourage everyone to upgrade to dhcpcd-6.10.0 which
has a lot of other fixes since those versions as well!

Thanks

Roy
