ISC DHCP 3.0.1rc14 is now available.
David W. Hankins
David_Hankins at isc.org
Tue Jun 22 18:19:52 UTC 2004
*** From dhcp-announce -- To unsubscribe, see the end of this message. ***
ISC DHCP 3.0.1rc14 is now available. This release candidate fixes a
buffer overflow vulnerability in the ISC DHCP Daemon version 3.0.1
Release Candidates 12 and 13. If you are using either of these
release candidates, we strongly urge you to upgrade.
More information about this vulnerability is available from:
http://www.us-cert.gov/cas/techalerts/TA04-174A.html
This release is available now from:
ftp://ftp.isc.org/isc/dhcp/dhcp-3.0.1rc14.tar.gz
Changes since 3.0.1rc13
! CAN-2004-0460 - CERT VU#317350: Five stack overflow exploits were closed
in logging messages with excessively long hostnames provided by the
clients. It is highly probable that these could have been used by
attackers to gain arbitrary root access on systems using ISC DHCP 3.0.1
release candidates 12 or 13. Special thanks to Gregory Duchemin for
both finding and solving the problem.
! CAN-2004-0461 - CERT VU#654390: Once the above was closed, an opening
in log_*() functions became evident, on some specific platforms where
vsnprintf() was not believed to be available and calls were wrapped to
sprintf() instead. Again, credit goes to Gregory Duchemin for finding
the problem. Calls to snprintf() are now linked to a distribution-local
snprintf implementation, only in those cases where the architecture is
not known to provide one (see includes/cf/[arch].h). If you experience
linking problems with snprintf/vsnprintf or 'isc_print_' functions, this
is where to look. This vulnerability did not exist in any previously
published version of ISC DHCP.
- Compilation on hpux 11.11 was repaired.
- 'The cross-compile bug fix' was backed out.
--
David W. Hankins
Operations Engineer
Internet Systems Consortium, Inc.

"If you don't do it right the first time, you'll just have to do it again."
    -- Jack T. Hankins
-----------------------------------------------------------------------
To unsubscribe from this list, visit http://www.isc.org/dhcp-lists.html
or send mail to dhcp-announce-request at isc.org with the subject line of
'unsubscribe'.
-----------------------------------------------------------------------
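
Added example, not part of the original announcement and not ISC's code: the unbounded logging pattern the changelog describes (a client-supplied hostname formatted into a fixed stack buffer) beside a vsnprintf()-bounded form that reports truncation. The names log_unbounded, log_bounded, log_hostname and the buffer size LOG_BUF are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 64 /* constructed size, small so truncation is visible */

#if 0 /* Unsafe pattern, excluded from compilation: no bound on the write. */
static void log_unbounded(const char *fmt, ...) {
    char buf[LOG_BUF];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap); /* a long hostname runs past buf on the stack */
    va_end(ap);
    fputs(buf, stderr);
}
#endif

/* Bounded form. Returns 0 if the message fit, 1 if truncated, -1 on error. */
static int log_bounded(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    int n;
    if (out == NULL || outsz == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap); /* never writes more than outsz bytes */
    va_end(ap);
    if (n < 0) { out[0] = '\0'; return -1; }
    if ((size_t)n >= outsz) {            /* n is the length that was needed */
        if (outsz > 4) memcpy(out + outsz - 4, "...", 4); /* mark the cut */
        return 1;
    }
    return 0;
}

/* Hypothetical caller: the DHCP host-name option is length-prefixed on the
 * wire and not NUL-terminated, so its length is passed as the precision. */
static int log_hostname(char *out, size_t outsz,
                        const unsigned char *opt, size_t len) {
    return log_bounded(out, outsz, "client hostname: %.*s",
                       (int)len, (const char *)opt);
}

int main(void) {
    char line[LOG_BUF];
    unsigned char host[255];
    memset(host, 'A', sizeof host); /* constructed oversized hostname */
    int rc = log_hostname(line, sizeof line, host, sizeof host);
    printf("rc=%d len=%zu %s\n", rc, strlen(line), line);
    return 0;
}
```

A return value of 1 is worth logging or counting on its own, since a hostname long enough to be truncated is unusual input.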