dhcpcd-7.2.1 released

    26 Apr 2019 • 1 min read

    dhcpcd-7.2.1 has been released with the following changes:

    • Solaris: Many more issues fixed
    • OpenBSD: Don't spam syslog when cannot send NA
    • FreeBSD: Fix fetching IPv6 address lifetimes

    These security issues are also addressed:

    • auth: Use consttime_memequal to avoid latency attack
      consttime_memequal is supplied if libc does not support it dhcpcd >=6.2 <7.2.1 are vulnerable

    • DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
      dhcpcd >=4 <7.2.1 are vulnerable

    • DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
      dhcpcd >=7 <7.2.1 are vulnerable

    Especially if you are using dhcpcd-7

    Patch for dhcpcd-7 if you don't want to upgrade to dhcpcd-7.2.1: https://roy.marples.name/git/dhcpcd.git/patch/?id=23525884a346ed81c808c1ed90e3c56a8bf0cc68

    dhcpcd-6.11.6 has been released as well, with the two applicable fixes in. I have no plans to fix earlier versions, heck you shouldn't even be using dhcpcd-6!

    Many thanks to Maxime Villard max@m00nbsd.net for discovering these issues.

    FTP: ftp://roy.marples.name/pub/dhcpcd/dhcpcd-7.2.1.tar.xz
    HTTP: https://roy.marples.name/downloads/dhcpcd/dhcpcd-7.2.1.tar.xz
    FTP: ftp://roy.marples.name/pub/dhcpcd/dhcpcd-6.11.6.tar.xz
    HTTP: https://roy.marples.name/downloads/dhcpcd/dhcpcd-6.11.6.tar.xz