Bugtraq mailing list archives

DHCP 1.0 and 2.0 SECURITY ALERT! (fwd)


From: chris () ferret lmh ox ac uk (Chris Evans)
Date: Mon, 18 May 1998 15:12:50 +0100


Hi,

I found some nasty security problems with dhcpd. They appear to have been
addressed in an official release + patch, so it's time to let the world
know...

It's probably mentioned in the following forwarded announcement, but if
using dhcpd, you really should consider this a mandatory upgrade... :)

Thanks to Alan Cox for co-ordinating things once the problem was
discovered.

Chris


------- Blind-Carbon-Copy

To: dhcp-announce () fugue com
Subject: DHCP 1.0 and 2.0 SECURITY ALERT!
Date: Sun, 17 May 1998 23:45:15 -0700
From: Ted Lemon <mellon () andare fugue com>


There are two bugs in all previous releases of the Internet Software
Consortium DHCP Distribution which can be exploited to crash the DHCP
server, or possibly worse.  I have prepared new distributions of
version 1.0 and 2.0 of the DHCP Distribution which correct these
problems.

Patches for and new distributions of version 1.0 and version 2.0
are available at:

        ftp://ftp.isc.org/isc/dhcp/dhcp-1.0.0-1.0pl1.diff.gz
        ftp://ftp.isc.org/isc/dhcp/dhcp-2.0b1pl0-2.0b1pl1.diff.gz
        ftp://ftp.isc.org/isc/dhcp/dhcp-1.0pl1.tar.gz
        ftp://ftp.isc.org/isc/dhcp/dhcp-2.0b1pl1.tar.gz

This is not the long-awaited first snapshot of 3.0, but there are some
additional bug fixes in these releases.   Please upgrade at your
earliest convenience.   Also, please accept my humble apology for
making one of the oldest, stupidest security mistakes in the book.
Sigh.

BTW, thanks to Chris Evans and Alan Cox of the Linux development team
for finding these bugs.

                               _MelloN_

------- End of Blind-Carbon-Copy


