Mageia alert MGASA-2016-0034 (dhcpcd)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2016-0034: Updated dhcpcd packages fix security vulnerability 
Date:
    	     
 
Thu, 21 Jan 2016 22:39:24 +0100
Message-ID:
    	     
 
<20160121213924.92CD121E93D@valstar.mageia.org>
MGASA-2016-0034 - Updated dhcpcd packages fix security vulnerability

Publication date: 21 Jan 2016
URL: http://advisories.mageia.org/MGASA-2016-0034.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-1503,
     CVE-2016-1504

Description:
Possible heap overflow in dhcpcd before 6.10.0 caused by malformed dhcp
responses due to incorrect option length values (CVE-2016-1503).

Possible invalid read in dhcpcd before 6.10.0 caused by malformed dhcp
responses can lead to a crash (CVE-2016-1504).

The dhcpcd package has been updated to version 6.10.0 which fixes these
issues and has several other bug fixes and enhancements.

References:
- https://bugs.mageia.org/show_bug.cgi?id=17462
- http://roy.marples.name/archives/dhcpcd-discuss/2015/1001...
- http://roy.marples.name/archives/dhcpcd-discuss/2015/1004...
- http://roy.marples.name/archives/dhcpcd-discuss/2015/1012...
- http://roy.marples.name/archives/dhcpcd-discuss/2015/1018...
- http://roy.marples.name/archives/dhcpcd-discuss/2015/1058...
- http://roy.marples.name/archives/dhcpcd-discuss/2015/1089...
- http://roy.marples.name/archives/dhcpcd-discuss/2015/1093...
- http://roy.marples.name/archives/dhcpcd-discuss/2015/1129...
- http://roy.marples.name/archives/dhcpcd-discuss/2016/1143...
- http://openwall.com/lists/oss-security/2016/01/07/4
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1503
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1504

SRPMS:
- 5/core/dhcpcd-6.10.0-1.mga5