Security Release: DHCP 4.2.0-P2 is now available.
larissas at isc.org
Fri Dec 10 21:04:08 UTC 2010
ISC DHCP 4.2-P2 is now available for download.
This is a SECURITY release of ISC DHCP 4.2, and fixes one security-related
bug. The security advisory is included below.
A list of the changes in this release has been appended to the end
of this message. For a complete list of changes from any previous
release, please consult the RELNOTES file within the source
distribution, or on our website:
This release, and its OpenPGP-signatures are available now from:
ISC's Release Signing Key can be obtained at:
Changes since 4.2.0-P1
! Fix the handling of connection requests on the failover port.
Previously a connection request from a source that wasn't
listed as a failover peer would cause the server to become
non-responsive. [ISC-Bugs #22679]
CERT: VU#159528 CVE: CVE-2010-3616
DHCP: Server Hangs with TCP to Failover Peer Port
If a server receives a TCP connection on a port that has been configured
for communication with a failover peer, this can cause it to become
non-responsive to all normal DHCP protocol traffic.
Posting date: 10 Dec 2010
Program Impacted: DHCP
Versions affected: 4.2
If a TCP connection is established to the server on a port which has
been configured for communication with a failover peer, this can cause
it to become non-responsive to all normal DHCP protocol traffic. The
server will progress to a communications-interrupted state, but will
also cease to provide DHCP services to clients. The server must be
restarted to resume normal operation.
CVSS: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
(for more on CVSS scores and to calculate your environment's
specific risk, please visit:
Impact and Risk Assessment: This can be used as an attack vector against
servers that are configured for failover partnerships.
Users running DHCP servers in failover configurations may be able to
reduce the exposure of the TCP ports used for peer-to-peer DHCP server
communication by careful packet filtering on the hosts and network
gateways that limits access to traffic between the configured failover
peers, but ideally they should upgrade. (Regardless of which version
of DHCP is deployed, users are advised that it is good security practice
to limit traffic to their omapi and failover ports via packet filters,
None known at this time. Issue found by a user and reported via the
dhcp-users community mailing list, therefore consider this vulnerability
Upgrade DHCP to 4.2.0-P2.
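The packet-filtering mitigation recommended above (limiting the failover and OMAPI TCP ports to the configured peer) can be derived from the server's own configuration. The following script is an added example, not ISC code and not part of this advisory: it parses a constructed dhcpd.conf fragment for the `failover peer` block and the `omapi-port` directive, emits nftables rules that accept the failover port only from the declared peer address and the OMAPI port only from an explicit source list, and provides a `verdict()` function so the resulting policy can be checked against a given inbound connection before the rules are loaded. The dhcpd.conf directive syntax is the documented ISC form; the nftables table and chain names, the fallback failover port of 647 when none is declared, and the loopback-only default OMAPI source list are assumptions made for the example.

```python
"""
Derive host packet-filter rules for a dhcpd failover port and the OMAPI port
from dhcpd.conf. Added example for the advisory above; not ISC code.
Assumptions (not from the advisory): nftables 'add rule' syntax, an existing
'inet filter' table with an 'input' chain, and a fallback failover port of 647
when the failover peer block declares none.
"""
import re

DEFAULT_FAILOVER_PORT = 647  # assumed fallback (IANA dhcp-failover port)

# Constructed sample dhcpd.conf fragment (not taken from the advisory).
SAMPLE_CONF = """
omapi-port 7911;

failover peer "dhcp-failover" {
  primary;
  address 192.0.2.10;
  port 647;
  peer address 192.0.2.11;
  peer port 647;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  split 128;
  load balance max seconds 3;
}
"""


def parse_failover(conf):
    """Extract local/peer address and port from the failover peer block, plus omapi-port."""
    m = re.search(r'failover\s+peer\s+"([^"]+)"\s*\{(.*?)\}', conf, re.S)
    if not m:
        raise ValueError("no failover peer block found")
    name, body = m.group(1), m.group(2)

    def grab(pattern, default=None):
        mm = re.search(pattern, body)
        return mm.group(1) if mm else default

    # The negative lookbehind keeps 'address'/'port' distinct from 'peer address'/'peer port'.
    info = {
        "name": name,
        "address": grab(r'(?<!peer )\baddress\s+([^;\s]+)'),
        "port": int(grab(r'(?<!peer )\bport\s+(\d+)', DEFAULT_FAILOVER_PORT)),
        "peer_address": grab(r'peer\s+address\s+([^;\s]+)'),
        "peer_port": int(grab(r'peer\s+port\s+(\d+)', DEFAULT_FAILOVER_PORT)),
    }
    if info["peer_address"] is None:
        raise ValueError("failover peer block has no 'peer address'")
    om = re.search(r'^\s*omapi-port\s+(\d+)\s*;', conf, re.M)
    info["omapi_port"] = int(om.group(1)) if om else None
    return info


def nft_rules(info, omapi_sources=("127.0.0.1",), table="inet filter", chain="input"):
    """Build nftables rules: failover port only from the peer, OMAPI only from omapi_sources."""
    rules = [
        f"add rule {table} {chain} ip saddr {info['peer_address']} tcp dport {info['port']} accept",
        f"add rule {table} {chain} tcp dport {info['port']} drop",
    ]
    if info["omapi_port"] is not None:
        for src in omapi_sources:
            rules.append(f"add rule {table} {chain} ip saddr {src} tcp dport {info['omapi_port']} accept")
        rules.append(f"add rule {table} {chain} tcp dport {info['omapi_port']} drop")
    return rules


def verdict(info, src_ip, proto, dport, omapi_sources=("127.0.0.1",)):
    """Mirror of nft_rules(): 'accept', 'drop', or 'pass' (not covered by these rules)."""
    if proto == "tcp" and dport == info["port"]:
        return "accept" if src_ip == info["peer_address"] else "drop"
    if proto == "tcp" and info["omapi_port"] is not None and dport == info["omapi_port"]:
        return "accept" if src_ip in omapi_sources else "drop"
    return "pass"  # ordinary DHCP (UDP 67/68) and everything else is untouched


if __name__ == "__main__":
    cfg = parse_failover(SAMPLE_CONF)
    print(f"# failover peer '{cfg['name']}': local {cfg['address']}:{cfg['port']}, "
          f"peer {cfg['peer_address']}:{cfg['peer_port']}, omapi {cfg['omapi_port']}")
    for rule in nft_rules(cfg):
        print(rule)
```

The emitted lines can be reviewed and then fed to `nft -f` on the DHCP host; `verdict()` is the same policy in pure form, useful for asserting in a deployment check that the peer is still accepted and any other source to the failover port is dropped.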
Acknowledgment: Brad Bendily, for finding and testing
For more information please check the latest advisory update here: