Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <e0737f7c-7572-b3ac-bdd2-39ec72fd78c4@isc.org>
Date: Wed, 28 Feb 2018 15:29:55 -0500
From: Michael McNally <mcnally@....org>
To: oss-security@...ts.openwall.com, isc-os-security@...ts.isc.org
Cc: "security-officer@....org" <security-officer@....org>
Subject: Multiple CVEs announced by ISC (ISC DHCP: CVE-2018-5732 &
 CVE-2018-5733, BIND CVE-2018-5734)

Today ISC publicly disclosed three CVEs, two in ISC DHCP and a third
in BIND Supported Preview Edition [which is a customer-only non-public
version of BIND, but since the disclosure is public we wish to be
clear about it here so as not to confuse those who are following the
public open source version of the product.]

All three vulnerabilities are now public.  Thank you, to those who were
informed in advance, for cooperating with our disclosure schedule.

The two DHCP vulnerabilities are:

   CVE-2018-5732: A specially constructed response from a
   malicious server can cause a buffer overflow in dhclient
   https://kb.isc.org/article/AA-01565/75/CVE-2018-5732

   CVE-2018-5733: A malicious client can overflow a
   reference counter in ISC dhcpd
   https://kb.isc.org/article/AA-01567/75/CVE-2018-5733

And the (Supported Preview Edition-only) BIND vulnerability is:

   CVE-2018-5734: A malformed request can trigger an
   assertion failure in badcache.c
   https://kb.isc.org/article/AA-01562/74/CVE-2018-5734

If you have questions about these announcements please direct
them to security-officer@....org


Michael McNally
ISC Security Officer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.