ISC DHCP 4.2.1b1 is now available for download

Larissa Shapiro larissas at
Wed Jan 26 20:52:39 UTC 2011

	ISC DHCP 4.2.1b1 is now available for download.

This is a beta release of ISC DHCP 4.2.1. This release is also a
security patch release for 4.2.x. The security advisory is included below.

A list of the changes in this release has been appended to the end
of this message.  For a complete list of changes from any previous
release, please consult the RELNOTES file within the source
distribution, or on our website:

This release, and its OpenPGP-signatures are available now from:

ISC's Release Signing Key can be obtained at:

	      Internet Systems Consortium DHCP Distribution
			     Version 4.2.1b1
			     25 January 2011

			      Release Notes


ISC DHCP 4.2.x includes features that were not included in DHCP 4.1.x.
These include:

Processing the DHCP to DNS server transactions in an asynchronous
fashion. The DHCP server or client can now continue with its processing
while awaiting replies from the DNS server.

There are a number of DHCPv6 limitations and features missing in this
release, which will be addressed in the future:

- Only Solaris, Linux, FreeBSD, NetBSD, and OpenBSD are supported.

- DHCPv6 includes human-readable text in status code messages, in
  English.  A method to reconfigure or support other languages would
  be preferable.

- The "host-identifier" option is limited to a simple token.

- The client and server can only operate DHCPv4 or DHCPv6 at a time,
  not both.  To use both protocols simultaneously, two instances of the
  relevant daemon are required, one with the '-6' command line option.

For information on how to install, configure and run this software, as
well as how to find documentation and report bugs, please consult the
README file.

ISC DHCP uses standard GNU configure for installation. Please review the
output of "./configure --help" to see what options are available.

The system has only been tested on Linux, FreeBSD, and Solaris, and may
not work on other platforms. Please report any problems and suggested
fixes to <dhcp-users at>.

			Changes since 4.2.0

- 'get-host-names true;' now also works even if 'use-host-decl-names'
  was also configured.  The nature of this repair also fixes another
  error; the host-name supplied by a client is no longer overridden by a
  reverse lookup of the lease address.  Thanks to a patch from Wilco Baan
  Hofman supplied to us by the Debian package maintenance team.
  [ISC-Bugs #21691] {Debian Bug#509445}

- The .TH tag for the dhcp-options manpage was typo repaired
  thanks to a report from jidanni and the Debian package maintenance
  team.  [ISC-Bugs #21676] {Debian Bug#563613}

- More documentation changes - primarily to put the options in the
  and dhcpd man pages into the standard form.  Thanks in part to a patch
  from David Cantrell at Red Hat.
  [ISC-Bugs #20264] and parts of [ISC-Bugs #17744] dhclient.8 changes

- Add code to clear the pointer to an object in an OMAPI handle when the
  object is freed due to a dereference.  [ISC-Bugs #21306]

- Fixed a bug that leaks host record references onto lease structures,
  causing the server to apply configuration intended for one host to any
  other innocent clients that come along later.  [ISC-Bugs #22018]

- Minor code fixes
  [ISC-Bugs #19566] When trying to find the zone for a name for ddns allow
  the name to be at the apex of the zone.
  [ISC-Bugs #19617] Restrict length of interface name read from command line
  in dhcpd - based on a patch from David Cantrell at Red Hat.
  [ISC-Bugs #20039] Correct some error messages in dhcpd.c
  [ISC-Bugs #20070] Better range check on values when creating a DHCID.
  [ISC-Bugs #20198] Avoid writing past the end of the field when adding
  overly long file or server names to a packet and add a log message
  if the configuration supplied overly long names for these fields.
  Thanks to Martin Pala.
  [ISC-Bugs #21497] Add a little more randomness to rng seed in client
  thanks to a patch from Jeremiah Jinno.

- Correct error handling in DLPI [ISC-Bugs #20378]

- Remove __sun__ and __hpux__ typedefs in osdep.h as they are now being
  checked in configure.  [ISC-Bugs #20443]

- Modify how the cmsg header is allocated the v6 send and received
  to compile on more compilers.  [ISC-Bugs #20524]

- When parsing a domain name free the memory for the name after we are
  done with it.  [ISC-Bugs #20824]

- Add an elapsed time option to the release message and refactor the
  code to move most of the common code to a single routine.
  [ISC-Bugs #21171].

- Parse date strings more properly - the code now handles semi-colons in
  date strings correctly.  Thanks to a patch from Jiri Popelka at Red Hat.
  [ISC-Bugs #21501, #20598]

- Fixes to lease input and output.
  [ISC-Bugs #20418] - Some systems don't support the "%s" argument to
  strftime, paste together the same string using mktime instead.
  [ISC-Bugs #19596] - When parsing iaid values accept printable
  [ISC-Bugs #21585] - Always print time values in omshell as hex
  instead of ascii if the values happen to be printable characters.

- Minor changes for scripts, and Makefiles
  [ISC-Bugs #19147] Use domain-search instead of domain-name in manual and
                    example conf file.  Thanks to a patch from David
                    at Red Hat.
  [ISC-Bugs #19761] Restore address when doing a rebind in DHCPv6
  [ISC-Bugs #19945] Properly close the quote on some arguments.
  [ISC-Bugs #20952] Add 64 bit types to
  [ISC-Bugs #21308] Add "PATH=" to CLIENT_PATH environment variable

- Update the code to parse dhcpv6 lease files to accept a semi-colon at
  the end of the max-life and preferred-life clauses.  In order to be
  backwards compatible with older lease files not finding a semi-colon
  is also accepted.  [ISC-Bugs #22303].

! Handle a relay forward message with an unspecified address in the
  link address field.  Previously such a message would cause the
  server to crash.  Thanks to a report from John Gibbons.  [ISC-Bugs #21992]
  CERT: VU#102047 CVE: CVE-2010-3611

- ./configure no longer searches for -lcrypto to explicitly link
  This fixes a bug where 'dhclient' would have shared library dependencies
  on '/usr/lib'.  [ISC-Bugs #21967]

- Handle pipe failures more gracefully.  Some OSes pass a SIGPIPE
  signal to a process and will kill the process if the signal isn't
  caught.  This patch adds code to turn off the SIGPIPE signal via
  a setsockopt() call.  The signal is already being ignored as part
  of the ISC library.  [ISC-Bugs #22269]

- Restore printing of values in omshell to the style pre 21585.  For
  21585 we changed the print routines to always display time values
  as a hex list.  This had a side effect of printing all data strings
  as a hex list.  We shall investigate other ways of displaying time
  values more usefully.  [ISC-Bugs #22626]

! Fix the handling of connection requests on the failover port.
  Previously a connection request from a source that wasn't
  listed as a failover peer would cause the server to become
  non-responsive.  Thanks to a report from Brad Bendily, brad at
  [ISC-Bugs #22679]
  CERT: VU#159528 CVE: CVE-2010-3616

- Don't pass the ISC_R_INPROGRESS status to the omapi signal handlers.
  Passing it through to the handlers caused the omshell program to fail
  to connect to the server.  [ISC-Bugs #21839]

- Fix the parentheses in the code to process configuration statements
  beginning with "auth".  The previous arrangement caused
  "auto-partner-down" to be processed incorrectly.  [ISC-Bugs #21854]

- Limit the timeout period allowed in the dispatch code to 2^32-1
  Thanks to a report from Jiri Popelka at Red Hat.
  [ISC-Bugs #22033], [Red Hat Bug #628258]

- When processing the format flags for a given option consume the
  flag indicating an optional value correctly.  A symptom of this
  bug was an infinite loop when trying to parse the slp-service-scope
  option.  Thanks to a patch from Marius Tomaschewski.
  [ISC-Bugs #22055]

- Disable the use of kqueue in the ISC library.  This avoids a problem
  between the fork and socket code that caused the dhcpd process to
  use all available cpu if the program daemonized itself.
  [ISC-Bugs #21911]

! When processing a request in the DHCPv6 server code that specifies
  an address that is tagged as abandoned (meaning we received a
  decline request for it previously) don't attempt to move it from
  the inactive to active pool as doing so can result in the server
  crashing on an assert failure.  Also retag the lease as active
  and reset its timeout value.
  [ISC-Bugs #21921]

	Internet Systems Consortium Security Advisory
    DHCP May Crash After Processing a DHCPv6 Decline Message
			26 January 2011

Title: DHCP May Crash After Processing a DHCPv6 Decline Message

CVE#: 2011-0413

VU#: 686084

CVSS: 6.1
Vector Equation: (AV:A/AC:L/Au:N/C:N/I:N/A:C)

For more information on CVSS scores, visit

Posting date: 2011-01-26

Program Impacted: DHCP

Versions affected: 4.0.x-4.2.x

Severity: moderate

Exploitable: remotely

Description and Impact:

When the DHCPv6 server code processes a message for an address that was
previously declined and internally tagged as abandoned it can trigger an
assert failure resulting in the server crashing. This could be used to
crash DHCPv6 servers remotely. This issue only affects DHCPv6 servers.
DHCPv4 servers are unaffected.

Workarounds: No direct workaround.

Exposure to the vulnerability can be limited by a review of the filters
and access to the DHCP server. It is highly recommended to limit access
to those devices which require DHCP server, management access, and
systems monitoring.

Active exploits: None known.

Solution: Upgrade to 4.1.2-P1, 4.1-ESV-R1, or 4.2.1b1.

Questions regarding this advisory or ISC's Support services should be
sent to dhcp-bugs at
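
The failure mode in the advisory above, as an added example that is not part of the original announcement and is not ISC DHCP source: a simplified C model in which the pool-move precondition returns an error instead of asserting, and a request for an abandoned lease is retagged as active with a fresh timeout. All type and function names are hypothetical, and keeping an abandoned lease in the active pool is an assumption of the model.

```c
#include <stdio.h>
#include <time.h>
/* Simplified model: all names are hypothetical, not ISC DHCP's structures. */
enum lease_state { LEASE_FREE, LEASE_ACTIVE, LEASE_ABANDONED };
enum pool_id { POOL_INACTIVE, POOL_ACTIVE };
struct lease { enum lease_state state; enum pool_id pool; time_t expires; };

/* Precondition: the lease sits in the inactive pool. The crash described in
 * the advisory corresponds to enforcing this with assert(); here it is an
 * error return, so a remotely reachable state cannot abort the daemon. */
int move_to_active(struct lease *l)
{
    if (l->pool != POOL_INACTIVE)
        return -1;
    l->pool = POOL_ACTIVE;
    return 0;
}

/* A Decline tags the address abandoned. Assumption: it stays in the active
 * pool with a hold-down timeout so it is not offered again straight away. */
int decline_lease(struct lease *l, time_t now, time_t hold_secs)
{
    if (l->state != LEASE_ACTIVE)
        return -1;
    l->state = LEASE_ABANDONED;
    l->expires = now + hold_secs;
    return 0;
}

/* Request for an address. For an abandoned lease, follow the release note:
 * skip the pool move, retag the lease as active and reset its timeout. */
int request_lease(struct lease *l, time_t now, time_t valid_secs)
{
    if (l->state == LEASE_FREE && move_to_active(l) != 0)
        return -1;
    l->state = LEASE_ACTIVE;
    l->expires = now + valid_secs;
    return 0;
}

int main(void)
{
    struct lease l = { LEASE_FREE, POOL_INACTIVE, 0 };
    int a = request_lease(&l, 1000, 3600);   /* normal assignment */
    int b = decline_lease(&l, 1010, 86400);  /* client declines the address */
    int c = move_to_active(&l);              /* the move that used to assert */
    int d = request_lease(&l, 1020, 3600);   /* request for abandoned address */
    printf("assign=%d decline=%d move=%d request=%d state=%d\n", a, b, c, d, l.state);
    return 0;
}
```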
