[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
DHCP 1.0 and 2.0 SECURITY ALERT! (fwd)
If I'm not mistaken, this applies to all versions of ISC dhcpd,
including the ones numbered 5.xx (like what comes with Red Hat 5).
Apparently the betas were numbered up to 5.something, then went back
to 1.0. Real sane version numbering. :-)
----- Forwarded message from Chris Evans -----
Approved-By: aleph1@NATIONWIDE.NET
Message-ID: <Pine.LNX.3.95.980518143759.24183A-100000@ferret.lmh.ox.ac.uk>
Date: Mon, 18 May 1998 15:12:50 +0100
Reply-To: Chris Evans <chris@ferret.lmh.ox.ac.uk>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Chris Evans <chris@ferret.lmh.ox.ac.uk>
Subject: DHCP 1.0 and 2.0 SECURITY ALERT! (fwd)
To: BUGTRAQ@NETSPACE.ORG
Hi,
I found some nasty security problems with dhcpd. They appear to have been
addressed in an official release + patch, so it's time to let the world
know...
It's probably mentioned in the following forwarded announcement, but if
using dhcpd, you really should consider this a mandatory upgrade... :)
Thanks to Alan Cox for co-ordinating things once the problem was
discovered.
Chris
------- Blind-Carbon-Copy
To: dhcp-announce@fugue.com
Subject: DHCP 1.0 and 2.0 SECURITY ALERT!
Date: Sun, 17 May 1998 23:45:15 -0700
From: Ted Lemon <mellon@andare.fugue.com>
There are two bugs in all previous releases of the Internet Software
Consortium DHCP Distribution which can be exploited to crash the DHCP
server, or possibly worse. I have prepared new distributions of
version 1.0 and 2.0 of the DHCP Distribution which correct these
problems.
Patches and for and new distributions of version 1.0 and version 2.0
are available at:
ftp://ftp.isc.org/isc/dhcp/dhcp-1.0.0-1.0pl1.diff.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-2.0b1pl0-2.0b1pl1.diff.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-1.0pl1.tar.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-2.0b1pl1.tar.gz
This is not the long-awaited first snapshot of 3.0, but there are some
additional bug fixes in these releases. Please upgrade at your
earliest convenience. Also, please accept my humble apology for
making one of the oldest, stupidest security mistakes in the book.
Sigh.
BTW, thanks to Chris Evans and Alan Cox of the Linux development team
for finding these bugs.
_MelloN_
------- End of Blind-Carbon-Copy
--
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.