From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-announce+bounces-1677-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 76ABE13877A
	for <garchives@archives.gentoo.org>; Wed,  3 Sep 2014 16:10:30 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 0A3C2E0940;
	Wed,  3 Sep 2014 16:09:35 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 0C9F4E081D
	for <gentoo-announce@lists.gentoo.org>; Wed,  3 Sep 2014 15:34:26 +0000 (UTC)
Received: from [192.168.1.33] (95-86-235-30.pppoe.yaroslavl.ru [95.86.235.30])
	(using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: zlogene)
	by smtp.gentoo.org (Postfix) with ESMTPSA id B2E6033BDE9
	for <gentoo-announce@gentoo.org>; Wed,  3 Sep 2014 15:34:25 +0000 (UTC)
Message-ID: <540734A7.8070502@gentoo.org>
Date: Wed, 03 Sep 2014 19:32:55 +0400
From: Mikle Kolyada <zlogene@gentoo.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0
Precedence: bulk
List-Post: <mailto:gentoo-announce@lists.gentoo.org>
List-Help: <mailto:gentoo-announce+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-announce+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-announce+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-announce.gentoo.org>
X-BeenThere: gentoo-announce@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-announce@gentoo.org
Subject: [gentoo-announce] [ GLSA 201409-03 ] dhcpcd: Denial of service
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="bao7Bj2wAMCSCnRLOiJFaXRKSGJDe2nf9"
X-Archives-Salt: e3f39d77-5d92-4f53-be67-ce2f8af7a720
X-Archives-Hash: 32e41c85138ae0d5a5a594d40521227b

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--bao7Bj2wAMCSCnRLOiJFaXRKSGJDe2nf9
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201409-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: dhcpcd: Denial of service
     Date: September 03, 2014
     Bugs: #518596
       ID: 201409-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=3D=3D=3D=3D=3D=3D=3D=3D

A vulnerability in dhcpcd can lead to a Denial of Service condition.

Background
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

dhcpcd is a fully featured, yet light weight RFC2131 compliant DHCP
client.=20

Affected packages
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/dhcpcd              < 6.4.3                    >=3D 6.4.3=20

Description
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

A vulnerability has been discovered in dhcpcd. A malicious dhcp server
can set flags as part of the dhcp reply that can cause a Denial of
Service condition.

Impact
=3D=3D=3D=3D=3D=3D

A remote attacker can cause a Denial of Service condition.

Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

There is no known workaround at this time.

Resolution
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

All dhcpcd users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=3Dnet-misc/dhcpcd-6.4.3"

References
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

[ 1 ] CVE-2014-6060
      http://nvd.nist.gov/nvd.cfm?cvename=3DCVE-2014-6060

Availability
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201409-03.xml

Concerns?
=3D=3D=3D=3D=3D=3D=3D=3D=3D

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=3D=3D=3D=3D=3D=3D=3D

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



--bao7Bj2wAMCSCnRLOiJFaXRKSGJDe2nf9
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iJwEAQECAAYFAlQHNLMACgkQG9wOWsQutdbBsQQAikn150n71Y2X4EgMkQ3ExK0R
81Bp7fwG3hiyMOXI7eL36jn53xSp7mWJIeawmUXiMhHFKGN7KlFM0gQ+eOo/evQW
UYIaEJDJ8BwEGBMPS9Th5vB8GAmQN9R9FnuK4McC5oyPDox3gbl155q5ObAqG6Dk
OSVxVloDcRvGjnEQuQc=
=QSQu
-----END PGP SIGNATURE-----

--bao7Bj2wAMCSCnRLOiJFaXRKSGJDe2nf9--