dhcpcd-discuss

dhcpcd-7.2.1 has been released

Roy Marples

Fri Apr 26 15:29:28 2019

Hi List!

dhcpcd-7.2.1 has been released with the following changes:
  *  Solaris: Many more issues fixed
  *  OpenBSD: Don't spam syslog when cannot send NA
  *  FreeBSD: Fix fetching IPv6 address lifetimes

These security issues are also addressed:
  *  auth: Use consttime_memequal to avoid latency attack
     consttime_memequal is supplied if libc does not support it
     dhcpcd >=6.2 <7.2.1 are vulnerable

  *  DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
     dhcpcd >=4 <7.2.1 are vulnerable

  *  DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
     dhcpcd >=7 <7.2.1 are vulnerable

IT IS HIGHLY RECOMMENDED YOU UPGRADE DHCPCD!
Especially if you are using dhcpcd-7

Patch for dhcpcd-7 if you don't want to upgrade to dhcpcd-7.2.1:
https://roy.marples.name/git/dhcpcd.git/patch/?id=23525884a346ed81c808c1ed90e3c56a8bf0cc68

dhcpcd-6.11.6 has been released as well, with the two applicable fixes in. I have no plans to fix earlier versions, heck you shouldn't even be using dhcpcd-6!

Many thanks to Maxime Villard <max@xxxxxxxxxxx> for discovering these issues.

Roy

FTP: ftp://roy.marples.name/pub/dhcpcd/dhcpcd-7.2.1.tar.xz
HTTP: https://roy.marples.name/downloads/dhcpcd/dhcpcd-7.2.1.tar.xz
FTP: ftp://roy.marples.name/pub/dhcpcd/dhcpcd-6.11.6.tar.xz
HTTP: https://roy.marples.name/downloads/dhcpcd/dhcpcd-6.11.6.tar.xz
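
The auth fix listed above swaps an early-exit comparison for consttime_memequal. The following is an added example, not code from dhcpcd or from this announcement, showing why the early-exit form leaks timing and what a portable fallback can look like. The names leaky_equal and ct_memequal and the 16-byte tag are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed 16-byte authentication tag (sample data, not from dhcpcd). */
static const unsigned char expected_tag[16] = {
	0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x48, 0xbd, 0x10,
	0x6f, 0xc4, 0x29, 0x8e, 0x53, 0xf7, 0x0b, 0xd6
};

/* Early-exit compare, as memcmp() may behave. *examined records how many
 * bytes were read: work that depends on the length of the matching prefix. */
static int leaky_equal(const void *a, const void *b, size_t len, size_t *examined)
{
	const unsigned char *pa = a, *pb = b;
	size_t i = 0;

	while (i < len && pa[i] == pb[i])   /* stop at the first mismatch */
		i++;
	*examined = (i < len) ? i + 1 : len;
	return i == len;
}

/* Hypothetical fallback with consttime_memequal() semantics: 1 if equal,
 * 0 otherwise. Every byte is read and no branch depends on the data. */
static int ct_memequal(const void *a, const void *b, size_t len)
{
	const unsigned char *pa = a, *pb = b;
	unsigned int diff = 0;
	size_t i;

	for (i = 0; i < len; i++)
		diff |= (unsigned int)(pa[i] ^ pb[i]);
	return (int)(1 & ((diff - 1) >> 8)); /* diff 0 -> 1, diff 1..255 -> 0 */
}

int main(void)
{
	unsigned char guess[16] = { 0 };
	size_t k, n;
	int eq;

	for (k = 0; k <= 16; k += 4) {   /* guess with k correct leading bytes */
		memcpy(guess, expected_tag, k);
		eq = leaky_equal(expected_tag, guess, 16, &n);
		printf("prefix=%2zu leaky: eq=%d examined=%2zu  ct: eq=%d\n",
		    k, eq, n, ct_memequal(expected_tag, guess, 16));
	}
	return 0;
}
```

The examined count of the early-exit version grows with the number of correct leading bytes, which is the signal a latency measurement recovers; the constant-time version does the same work for every input of a given length.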
