dhcpcd-7.2.1 has been released with the following changes:
- Solaris: Many more issues fixed
- OpenBSD: Don’t spam syslog when cannot send NA
- FreeBSD: Fix fetching IPv6 address lifetimes
These security issues are also addressed:
auth: Use consttime_memequal to avoid latency attack
consttime_memequal is supplied if libc does not support it dhcpcd >=6.2 <7.2.1 are vulnerableDHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
dhcpcd >=4 <7.2.1 are vulnerableDHCPv6: Fix a potential buffer overflow reading NA/TA addresses
dhcpcd >=7 <7.2.1 are vulnerable
IT IS HIGHLY RECOMMENDED YOU UPGRADE DHCPCD!
Especially if you are using dhcpcd-7
Patch for dhcpcd-7 if you don’t want to upgrade to dhcpcd-7.2.1: https://roy.marples.name/git/dhcpcd.git/patch/?id=23525884a346ed81c808c1ed90e3c56a8bf0cc68
dhcpcd-6.11.6 has been released as well, with the two applicable fixes in. I have no plans to fix earlier versions, heck you shouldn’t even be using dhcpcd-6!
Many thanks to Maxime Villard max@m00nbsd.net for discovering these issues.
FTP: ftp://roy.marples.name/pub/dhcpcd/dhcpcd-7.2.1.tar.xz
HTTP: https://roy.marples.name/downloads/dhcpcd/dhcpcd-7.2.1.tar.xz
FTP: ftp://roy.marples.name/pub/dhcpcd/dhcpcd-6.11.6.tar.xz
HTTP: https://roy.marples.name/downloads/dhcpcd/dhcpcd-6.11.6.tar.xz