Debian Security Advisory
dhcp client -- remote root exploit in dhcp client
- Date Reported:
- 28 Jul 2000
- Affected Packages:
- dhcp-client-beta, dhcp-client
- Vulnerable:
- Yes
- Security database references:
- No other external database security references currently available.
- More information:
- The versions of the ISC DHCP client in Debian GNU/Linux 2.1 (slink)
and Debian GNU/Linux 2.2 (potato) are vulnerable to a root exploit. The OpenBSD team
reports that the client inappropriately executes commands embedded in replies
sent from a dhcp server. This means that a malicious dhcp server can execute
commands on the client with root privileges. A previous Debian security
advisory addressed this issue with package versions 2.0b1pl6-0.3 and
2.0-3potato1, but ISC has released a newer patch since the original advisory.
You should install the latest packages even if you upgraded when the last
advisory was released.
The reported vulnerability is fixed in the package dhcp-client-beta 2.0b1pl6-0.4 for the current stable release (Debian GNU/Linux 2.1) and in dhcp-client 2.0-3potato2 for the frozen pre-release (Debian GNU/Linux 2.2). The dhcp server and relay agents are built from the same source as the client; however, the server and relay agents are not vulnerable to this issue and do not need to be upgraded. We recommend upgrading your dhcp-client-beta and dhcp-client immediately.
- Fixed in:
Debian GNU/Linux 2.1 (slink):
- Source:
- http://security.debian.org/dists/stable/updates/source/dhcp-beta_2.0b1pl6-0.4.diff.gz
- http://security.debian.org/dists/stable/updates/source/dhcp-beta_2.0b1pl6-0.4.dsc
- http://security.debian.org/dists/stable/updates/source/dhcp-beta_2.0b1pl6.orig.tar.gz
- alpha:
- http://security.debian.org/dists/stable/updates/binary-alpha/dhcp-client-beta_2.0b1pl6-0.4_alpha.deb
- i386:
- http://security.debian.org/dists/stable/updates/binary-i386/dhcp-client-beta_2.0b1pl6-0.4_i386.deb
- m68k:
- http://security.debian.org/dists/stable/updates/binary-m68k/dhcp-client-beta_2.0b1pl6-0.4_m68k.deb
- sparc:
- http://security.debian.org/dists/stable/updates/binary-sparc/dhcp-client-beta_2.0b1pl6-0.4_sparc.deb
Debian GNU/Linux 2.2 (potato):
- Source:
- http://security.debian.org/dists/potato/updates/main/source/dhcp_2.0-3potato2.diff.gz
- http://security.debian.org/dists/potato/updates/main/source/dhcp_2.0-3potato2.dsc
- http://security.debian.org/dists/potato/updates/main/source/dhcp_2.0.orig.tar.gz
- alpha:
- http://security.debian.org/dists/potato/updates/main/binary-alpha/dhcp-client_2.0-3potato2_alpha.deb
- arm:
- http://security.debian.org/dists/potato/updates/main/binary-arm/dhcp-client_2.0-3potato2_arm.deb
- i386:
- http://security.debian.org/dists/potato/updates/main/binary-i386/dhcp-client_2.0-3potato2_i386.deb
- m68k:
- http://security.debian.org/dists/potato/updates/main/binary-m68k/dhcp-client_2.0-3potato2_m68k.deb
- powerpc:
- http://security.debian.org/dists/potato/updates/main/binary-powerpc/dhcp-client_2.0-3potato2_powerpc.deb
- sparc:
- http://security.debian.org/dists/potato/updates/main/binary-sparc/dhcp-client_2.0-3potato2_sparc.deb