dhcpcd-7.2.1 has been released with the following changes:

  • Solaris: Many more issues fixed
  • OpenBSD: Don't spam syslog when cannot send NA
  • FreeBSD: Fix fetching IPv6 address lifetimes

These security issues are also addressed:

  • auth: Use consttime_memequal to avoid latency attack
    consttime_memequal is supplied if libc does not support it dhcpcd >=6.2 <7.2.1 are vulnerable

  • DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
    dhcpcd >=4 <7.2.1 are vulnerable

  • DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
    dhcpcd >=7 <7.2.1 are vulnerable

Especially if you are using dhcpcd-7

Patch for dhcpcd-7 if you don't want to upgrade to dhcpcd-7.2.1: https://roy.marples.name/git/dhcpcd.git/patch/?id=23525884a346ed81c808c1ed90e3c56a8bf0cc68

dhcpcd-6.11.6 has been released as well, with the two applicable fixes in. I have no plans to fix earlier versions, heck you shouldn't even be using dhcpcd-6!

Many thanks to Maxime Villard max@m00nbsd.net for discovering these issues.

FTP: ftp://roy.marples.name/pub/dhcpcd/dhcpcd-7.2.1.tar.xz
HTTP: https://roy.marples.name/downloads/dhcpcd/dhcpcd-7.2.1.tar.xz
FTP: ftp://roy.marples.name/pub/dhcpcd/dhcpcd-6.11.6.tar.xz
HTTP: https://roy.marples.name/downloads/dhcpcd/dhcpcd-6.11.6.tar.xz

Add a comment

Next Post Previous Post