ISC DHCP 4.1.2 is now available!

Larissa Shapiro larissas at isc.org
Tue Nov 2 23:22:52 UTC 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		ISC DHCP 4.1.2 is now available for download.

This is a maintenance release of ISC DHCP 4.1, which fixes many bugs
including a security related bug.  The security advisory is included below.

A list of the changes in this release has been appended to the end
of this message.  For a complete list of changes from any previous
release, please consult the RELNOTES file within the source
distribution, or on our website:

    http://www.isc.org/software/dhcp

This release, and its OpenPGP-signatures are available now from:

    ftp://ftp.isc.org/isc/dhcp/dhcp-4.1.2.tar.gz
    ftp://ftp.isc.org/isc/dhcp/dhcp-4.1.2.tar.gz.sha512.asc
    ftp://ftp.isc.org/isc/dhcp/dhcp-4.1.2.tar.gz.sha256.asc
    ftp://ftp.isc.org/isc/dhcp/dhcp-4.1.2.tar.gz.sha1.asc

ISC's Release Signing Key can be obtained at:

    http://www.isc.org/about/openpgp/

			Changes since 4.1.2rc1

! Handle a relay forward message with an unspecified address in the
  link address field.  Previously such a message would cause the
  server to crash.  Thanks to a report from John Gibbons.  [ISC-Bugs
#21992] CERT: VU#102047 CVE: CVE-2010-3611

			Changes since 4.1.2b1

- - Update the code to parse dhcpv6 lease files to accept a semi-colon at
  the end of the max-life and preferred-life clauses.  In order to be
  backwards compatible with older lease files not finding a semi-colon
  is also accepted.  [ISC-Bugs #22303].

                        Changes since 4.1.1

- - Cleaned up some compiler warnings

- - Prohibit including lease time information in a response to a DHCP
INFORM Bug ticket 21092.

! Accept a client id of length 0 while hashing.  Previously the server
would exit if it attempted to hash a zero length client id, providing
attackers with a simple denial of service attack.  Bug ticket 21253.
  CERT: VU#541921 - CVE: CVE-2010-2156

- - A bug was fixed that could cause the DHCPv6 server to advertise/assign
a previously allocated (active) lease to a client that has changed
subnets, despite being on different shared networks.  Dynamic prefixes
specifically allocated in shared networks also now are not offered if
the client has moved.  [ISC-Bugs #21152]

- - Add declaration for variable in debug code in alloc.c.  [ISC-Bugs
#21472]

- - Documentation cleanup covering multiple tickets
  [ISC-Bugs #20265] [ISC-Bugs #20259] [ISC-Bugs #19536] minor cleanup
  [ISC-Bugs #20263] add text describing some default values
  [ISC-Bugs #20193] single quotes at the start of a line indicate a control
  line to nroff, escape them if we actually want a quote.
  [ISC-Bugs #18916] sync the pointer to web pages amongst the different docs
  [ISC-Bugs #20107] clarify description of ia-pd and ia-prefix.
  [ISC-Bugs #20245] clarify editing the failover state in a lease file
to put a server into the PARTNER-DOWN state.

- - 'get-host-names true;' now also works even if 'use-host-decl-names
true;' was also configured.  The nature of this repair also fixes
another error; the host-name supplied by a client is no longer
overridden by a reverse lookup of the lease address.  Thanks to a patch
from Wilco Baan Hofman supplied to us by the Debian package maintenance
team. [ISC-Bugs #21691] {Debian Bug#509445}

- - The .TH tag for the dhcp-options manpage was typo repaired
  thanks to a report from jidanni and the Debian package maintenance
  team.  [ISC-Bugs #21676] {Debian Bug#563613}

- - More documentation changes - primarily to put the options in the
dhclient and dhcpd man pages into the standard form.  Thanks in part to
a patch from David Cantrell at Red Hat. [ISC-Bugs #20264] and parts of
[ISC-Bugs #17744] dhclient.8 changes

- - Minor compilation errors - type mismatches, extra semi-colons after
macros [ISC-Bugs #20884] [ISC-Bugs #20953] [ISC-Bugs #20955]

- - Add code to clear the pointer to an object in an OMAPI handle when the
  object is freed due to a dereference.  [ISC-Bugs #21306]

- - Fixed a bug that leaks host record references onto lease structures,
  causing the server to apply configuration intended for one host to any
  other innocent clients that come along later.  [ISC-Bugs #22018]

- - Minor code fixes
  [ISC-Bugs #19566] When trying to find the zone for a name for ddns
allow the name to be at the apex of the zone.
  [ISC-Bugs #19617] Restrict length of interface name read from command
line in dhcpd - based on a patch from David Cantrell at Red Hat.
  [ISC-Bugs #20039] Correct some error messages in dhcpd.c
  [ISC-Bugs #20070] Better range check on values when creating a DHCID.
  [ISC-Bugs #20198] Avoid writing past the end of the field when adding
  overly long file or server names to a packet and add a log message
  if the configuration supplied overly long names for these fields.
  Thanks to Martin Pala.
  [ISC-Bugs #21497] Add a little more randomness to rng seed in client
  thanks to a patch from Jeremiah Jinno.

- - Correct error handling in DLPI [ISC-Bugs #20378]

- - Remove __sun__ and __hpux__ typedefs in osdep.h as they are now being
  checked in configure.  [ISC-Bugs #20443]

- - Modify how the cmsg header is allocated the v6 send and received
routines
  to compile on more compilers.  [ISC-Bugs #20524]

- - When parsing a domain name free the memory for the name after we are
  done with it.  [ISC-Bugs #20824]

- - Add an elapsed time option to the release message and refactor the
  code to move most of the common code to a single routine.
  [ISC-Bugs #21171].

- - Parse date strings more properly - the code now handles semi-colons in
  date strings correctly.  Thanks to a patch from Jiri Popelka at Red Hat.
  [ISC-Bugs #21501, #20598]

- - Fixes to lease input and output.
  [ISC-Bugs #20418] - Some systems don't support the "%s" argument to
  strftime, paste together the same string using mktime instead.
  [ISC-Bugs #19596] - When parsing iaid values accept printable
  characters.
  [ISC-Bugs #21585] - Always print time values in omshell as hex
  instead of ascii if the values happen to be printable characters.

- - Minor changes for scripts, configure.ac and Makefiles
  [ISC-Bugs #19147] Use domain-search instead of domain-name in manual
and example conf file.  Thanks to a patch from David Cantrell at Red Hat.
  [ISC-Bugs #19761] Restore address when doing a rebind in DHCPv6
  [ISC-Bugs #19945] Properly close the quote on some arguments.
  [ISC-Bugs #20952] Add 64 bit types to configure.ac
  [ISC-Bugs #21308] Add "PATH=" to CLIENT_PATH envrionment variable

! Handle pipe failures more gracefully.  Some OSes pass a SIGPIPE
  signal to a process and will kill the process if the signal isn't
  caught.  This patch adds code to turn off the SIGPIPE signal via
  a setsockopt() call and to ignore the SIGPIPE signal in case the
  OS doesn't support the necessary setsockopt() option.  This problem
  was found during internal testing when the two servers in a failover
  pair were repeatedly unable to communicate for longer than the
  max-response-delay value.  Eventually one of the pair attempted a
  write() call at just the same time as the other server killed the
  connection and caused an uncaught SIGPIPE signal which caused the
  OS to kill the server.
  This is a minor security issue.  It is a security issue as it can
  cause a server to stop.  It is minor as the attacker would need to
  be able to interrupt traffic between the partners in a failover
  pair for max-response-delay seconds at will - in which case the
  defender has bigger problems than the DHCP server being killed.
  Using the NIST CVSS security vulnerability rating system this
  issue scored 1.2, meaning it is not a major risk for users.
  [ISC-Bugs #22269]


                Internet Systems Consortium Security Advisory
              DHCP: Server Crash with Empty Link-Address Field
                                 2 Nov 2010

CVE-2010-3611
VU# 102047
Posting date: November 2, 2010
Program Impacted: DHCP
Versions affected: 4.0 through 4.2
Severity:  High
Exploitable:  remotely
CVSS: 4.2 (for more on CVSS scores and to calculate your environment's
specific risk, please visit: http://nvd.nist.gov/cvss.cfm?calculator)

Description: If the server receives a DHCPv6 packet containing one or
more Relay-Forward messages, and none of them supply an address in the
Relay-Forward link-address field, then the server will crash.  This
can be used as a single packet crash attack vector.

Impact and Risk Assessment: This can be used as a single packet crash
attack vector if the  server was explicitly configured to serve DHCPv6.

Workarounds: None.

Active exploits: None known.

Solution: Upgrade DHCP to 4.0.3, 4.1.2, or 4.2.0-P1

Acknowledgment: John Gibbons, for finding issue and testing patch.

Revision History: Added acknowledgment to John Gibbins
Changed date to Nov 2nd

For more information please contact dhcp-bugs at isc.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJM0J1GAAoJEBOIp87tasiUnkAIAIZnABSeHKB2Ve+mfK5qcZQt
Jo5nZjlBk5VgGXrolsO2ENiWqFyEb7Ow9d4guLW9J/dIbD+AquRjFfQ6+XG84Raj
2lvZOhf02iKnN7LI3QQ9m7l92mSIuExKgeIkVek3DAqGYMADoJlq79+NHpMNlxJT
FntNM2/LqcwVHCI1DQgYrJv3nJa4rIY3RmWtkW4RQsxFySsThCgiP1weuThbkeNu
FoOEqODK1qfCHTF8KNfBXyUGSdz1Gt+qmBbk/OqxjyjhY0sK3zkXyKqAYSAQ0reN
KOQQUDqR6o+X5//tPFTZL0eGI+NmJFnTKLguWQCW4LRdXVv3U8VGxajSu2sqD8A=
=OH9p
-----END PGP SIGNATURE-----

More information about the dhcp-announce mailing list