ISC DHCP 3.0.1rc14 is now available.

David W. Hankins David_Hankins at isc.org
Tue Jun 22 18:19:52 UTC 2004



ISC DHCP 3.0.1rc14 is now available.  This release candidate fixes a
buffer overflow vulnerability in the ISC DHCP Daemon version 3.0.1
Release Candidates 12 and 13.  If you are using either of these
release candidates, we strongly urge you to upgrade.

More information about this vulnerability is available from:

    http://www.us-cert.gov/cas/techalerts/TA04-174A.html

This release is available now from:

    ftp://ftp.isc.org/isc/dhcp/dhcp-3.0.1rc14.tar.gz


			Changes since 3.0.1rc13

! CAN-2004-0460 - CERT VU#317350: Five stack overflow exploits were closed
  in logging messages with excessively long hostnames provided by the
  clients.  It is highly probable that these could have been used by
  attackers to gain arbitrary root access on systems using ISC DHCP 3.0.1
  release candidates 12 or 13.  Special thanks to Gregory Duchemin for
  both finding and solving the problem.

! CAN-2004-0461 - CERT VU#654390: Once the above was closed, an opening
  in log_*() functions became evident on some specific platforms where
  vsnprintf() was not believed to be available and calls were wrapped to
  sprintf() instead.  Again, credit goes to Gregory Duchemin for finding
  the problem.  Calls to snprintf() are now linked to a distribution-local
  snprintf implementation, only in those cases where the architecture is
  not known to provide one (see includes/cf/[arch].h).  If you experience
  linking problems with snprintf/vsnprintf or 'isc_print_' functions, this
  is where to look.  This vulnerability did not exist in any previously
  published version of ISC DHCP.

- Compilation on hpux 11.11 was repaired.

- 'The cross-compile bug fix' was backed out.

-- 
David W. Hankins		"If you don't do it right the first time,
Operations Engineer			you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
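
The two changelog entries above concern log messages built from client-supplied hostnames, and bounded formatting calls that lose their bound when mapped to an unbounded function. The following is an added example, not code from ISC DHCP: the function names, the 64-byte buffer, the message text and the macro are all assumptions chosen to illustrate the pattern and a bounded alternative.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 64 /* assumed size, small so truncation is visible */

/* Fallback pattern the changelog entry describes: where vsnprintf() is
 * thought to be missing, the bounded call is mapped to an unbounded one and
 * the size argument is silently dropped. For comparison only, never used. */
#define FALLBACK_VSNPRINTF(buf, size, fmt, ap) vsprintf((buf), (fmt), (ap))

/* Bounded formatter: returns 1 if truncated, 0 if it fit, -1 on error. */
static int fmt_bounded(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (outlen == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap); /* writes at most outlen bytes */
    va_end(ap);
    if (n < 0) { out[0] = '\0'; return -1; }
    return (size_t)n >= outlen;
}

/* Hypothetical log helper: formats a client-supplied hostname (option data
 * with an explicit length, not NUL-terminated) into a fixed stack buffer,
 * then copies the result to `seen` so the caller can inspect it. */
int log_client_hostname(const unsigned char *name, size_t len,
                        char *seen, size_t seenlen)
{
    char mbuf[LOG_BUF];
    int truncated;

    if (len > 255) len = 255; /* a DHCP option carries at most 255 bytes */
    truncated = fmt_bounded(mbuf, sizeof mbuf, "DHCPREQUEST from client %.*s",
                            (int)len, (const char *)name);
    snprintf(seen, seenlen, "%s", mbuf);
    return truncated;
}

int main(void)
{
    unsigned char longname[255];
    char seen[LOG_BUF];
    memset(longname, 'A', sizeof longname); /* constructed oversized hostname */
    printf("truncated=%d logged=\"%s\"\n",
           log_client_hostname(longname, sizeof longname, seen, sizeof seen), seen);
    return 0;
}
```

With the bounded call, the oversized hostname is cut at the buffer boundary and the truncation is reported to the caller; with the fallback macro, the same input would be written past the end of `mbuf`.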