dhcpcd-7.2.1 released

Published: Friday, April 26, 2019

dhcpcd-7.2.1 has been released with the following changes:

Solaris: Many more issues fixed
OpenBSD: Don’t spam syslog when cannot send NA
FreeBSD: Fix fetching IPv6 address lifetimes

These security issues are also addressed:

auth: Use consttime_memequal to avoid latency attack
consttime_memequal is supplied if libc does not support it dhcpcd >=6.2 <7.2.1 are vulnerable
DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
dhcpcd >=4 <7.2.1 are vulnerable
DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
dhcpcd >=7 <7.2.1 are vulnerable

IT IS HIGHLY RECOMMENDED YOU UPGRADE DHCPCD!
Especially if you are using dhcpcd-7

Patch for dhcpcd-7 if you don’t want to upgrade to dhcpcd-7.2.1: https://roy.marples.name/git/dhcpcd.git/patch/?id=23525884a346ed81c808c1ed90e3c56a8bf0cc68

dhcpcd-6.11.6 has been released as well, with the two applicable fixes in. I have no plans to fix earlier versions, heck you shouldn’t even be using dhcpcd-6!

Many thanks to Maxime Villard max@m00nbsd.net for discovering these issues.

FTP: ftp://roy.marples.name/pub/dhcpcd/dhcpcd-7.2.1.tar.xz
HTTP: https://roy.marples.name/downloads/dhcpcd/dhcpcd-7.2.1.tar.xz
FTP: ftp://roy.marples.name/pub/dhcpcd/dhcpcd-6.11.6.tar.xz
HTTP: https://roy.marples.name/downloads/dhcpcd/dhcpcd-6.11.6.tar.xz