Login
Newsletter
Werbung

Sicherheit: Mehrere Probleme in dhcp
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in dhcp
ID: MDVSA-2009:312
Distribution: Mandriva
Plattformen: Mandriva 2008.0
Datum: Fr, 4. Dezember 2009, 01:54
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1892
Applikationen: ISC DHCP

Originalnachricht

This is a multi-part message in MIME format...

------------=_1259888071-24326-1587


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:312
http://www.mandriva.com/security/
_______________________________________________________________________

Package : dhcp
Date : December 3, 2009
Affected: 2008.0
_______________________________________________________________________

Problem Description:

A vulnerability has been found and corrected in ISC DHCP:

Integer overflow in the ISC dhcpd 3.0.x before 3.0.7 and 3.1.x before
3.1.1; and the DHCP server in EMC VMware Workstation before 5.5.5 Build
56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455
and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and
ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528;
allows remote attackers to cause a denial of service (daemon crash)
or execute arbitrary code via a malformed DHCP packet with a large
dhcp-max-message-size that triggers a stack-based buffer overflow,
related to servers configured to send many DHCP options to clients
(CVE-2007-0062).

Stack-based buffer overflow in the script_write_params method in
client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0
before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP
servers to execute arbitrary code via a crafted subnet-mask option
(CVE-2009-0692).

ISC DHCP Server is vulnerable to a denial of service, caused by the
improper handling of DHCP requests. If the host definitions are mixed
using dhcp-client-identifier and hardware ethernet, a remote attacker
could send specially-crafted DHCP requests to cause the server to
stop responding (CVE-2009-1892).

Packages for 2008.0 are being provided due to extended support for
Corporate products.

This update provides fixes for this vulnerability.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1892
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
3081299715b66778098307681861d6d7
2008.0/i586/dhcp-client-3.0.7-0.1mdv2008.0.i586.rpm
65893c30e369cb54df581508c0a278ce
2008.0/i586/dhcp-common-3.0.7-0.1mdv2008.0.i586.rpm
c7891651d44f4c66967789a594cb494f
2008.0/i586/dhcp-devel-3.0.7-0.1mdv2008.0.i586.rpm
6ddeab5add9a44c4c0d97fc98e98b48f
2008.0/i586/dhcp-doc-3.0.7-0.1mdv2008.0.i586.rpm
2c3e9e31d4c99a3622ce4c029ce7d5f9
2008.0/i586/dhcp-relay-3.0.7-0.1mdv2008.0.i586.rpm
e9271dcc129000708f9537a5ad3a926f
2008.0/i586/dhcp-server-3.0.7-0.1mdv2008.0.i586.rpm
2a2e6cca8ab0d7c62e14aa19116ac860 2008.0/SRPMS/dhcp-3.0.7-0.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
137eaf194b2faa3a8de3b90453c47793
2008.0/x86_64/dhcp-client-3.0.7-0.1mdv2008.0.x86_64.rpm
79a273d98b5ef2f51c93c0f4d49ab82a
2008.0/x86_64/dhcp-common-3.0.7-0.1mdv2008.0.x86_64.rpm
4e1ca48b749ef04f4aff6dd6d9d34bde
2008.0/x86_64/dhcp-devel-3.0.7-0.1mdv2008.0.x86_64.rpm
df97bbd0680f5b82417be5fb448a3493
2008.0/x86_64/dhcp-doc-3.0.7-0.1mdv2008.0.x86_64.rpm
daa25b01f8fd36eeeedc2cb4c0e2c119
2008.0/x86_64/dhcp-relay-3.0.7-0.1mdv2008.0.x86_64.rpm
1d283afe24bb93f3c155a2b762e50988
2008.0/x86_64/dhcp-server-3.0.7-0.1mdv2008.0.x86_64.rpm
2a2e6cca8ab0d7c62e14aa19116ac860 2008.0/SRPMS/dhcp-3.0.7-0.1mdv2008.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLGDHfmqjQ0CJFipgRAhxkAJ9Hi8PHKRM/bBVsFI7ZX1xpSrfcBACfS+L+
jLmws+7KhLHXB/1Rh2rDXXw=
=QOvE
-----END PGP SIGNATURE-----


------------=_1259888071-24326-1587
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1259888071-24326-1587--
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung