Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20090716003900.GA22187@openwall.com>
Date: Thu, 16 Jul 2009 04:39:00 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: DHCP suite update

Hi,

We've just updated the dhcp package (dhcp-* binary subpackages) in
Owl-current to version 3.0.7 with an additional potentially security
relevant fix.  This update is mostly due to work by Dmitry V. Levin.

2009/07/15	Package: dhcp
SECURITY FIX	Severity: none to low, remote, active
Updated to 3.0.7.  Fixed the DHCP server premature termination bug when
receiving certain well-formed DHCP requests, provided that the server
configuration mixes host definitions using "dhcp-client-identifier" and
"hardware ethernet".  It has not been fully researched whether the bug
had any impact on versions 3.0.x of the DHCP server, and there is a
specific reason why it might not have had any impact, yet we're fixing
the underlying bug.  Discovery and patch by Christoph Biedl.
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1892

This is not in Owl 2.0-stable yet, although the packages should install
and work on 2.0-stable as well.  I'd like to ask those who use this
package (the DHCP server and/or relay) to please install and test this
update, then report back, such that we can roll it into 2.0-stable once
it receives some more testing.

Additionally, some of you may have noticed that many distros are
releasing updates fixing a DHCP client (not server) bug these days, and
the client bug is far more severe:

https://www.isc.org/node/468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692

We do not officially support the DHCP client because it is rather
complicated, yet it runs entirely as root, which we find an unacceptable
and unjustified security risk.  Thus, we have the DHCP client build
disabled in our dhcp.spec file (and we always had it that way).  Yet,
for those brave enough to enable the DHCP client build, we have included
a patch for the client security bug in the native tree in Owl-current.
For our official builds, this is a no-op, and we do not promise any kind
of support for the DHCP client in the future.  We also do not claim that
the included patch works, it just happens to be there. ;-)

We're considering replacing or significantly modifying the DHCP client
to introduce privilege separation, though, at which point we'd support
it, but we're not there yet.

Once again, the desired feedback to this posting is test results for
the DHCP server and/or relay functionality of dhcp-3.0.7-owl1.

Thanks,

Alexander

-- 
To unsubscribe, e-mail owl-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.