Security update for dhcp SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2341-1 Final 1 1 2019-10-19T22:19:29Z current 2019-10-19T22:19:29Z 2019-10-19T22:19:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for dhcp This update for dhcp fixes the following issues: Secuirty issue fixed: - CVE-2019-6470: Fixed DHCPv6 server crashes (bsc#1134078). Bug fixes: - Add compile option --enable-secs-byteorder to avoid duplicate lease warnings (bsc#1089524). - Use IPv6 when called as dhclient6, dhcpd6, and dhcrelay6 (bsc#1136572). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2341 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J2L7BAA63TTF4QK6OBDKINRL6LAEUZIE/#J2L7BAA63TTF4QK6OBDKINRL6LAEUZIE E-Mail link for openSUSE-SU-2019:2341-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1089524 SUSE Bug 1089524 https://bugzilla.suse.com/1134078 SUSE Bug 1134078 https://bugzilla.suse.com/1136572 SUSE Bug 1136572 https://www.suse.com/security/cve/CVE-2019-6470/ SUSE CVE CVE-2019-6470 page openSUSE Leap 15.1 dhcp-4.3.5-lp151.6.3.1 dhcp-client-4.3.5-lp151.6.3.1 dhcp-devel-4.3.5-lp151.6.3.1 dhcp-doc-4.3.5-lp151.6.3.1 dhcp-relay-4.3.5-lp151.6.3.1 dhcp-server-4.3.5-lp151.6.3.1 dhcp-4.3.5-lp151.6.3.1 as a component of openSUSE Leap 15.1 dhcp-client-4.3.5-lp151.6.3.1 as a component of openSUSE Leap 15.1 dhcp-devel-4.3.5-lp151.6.3.1 as a component of openSUSE Leap 15.1 dhcp-doc-4.3.5-lp151.6.3.1 as a component of openSUSE Leap 15.1 dhcp-relay-4.3.5-lp151.6.3.1 as a component of openSUSE Leap 15.1 dhcp-server-4.3.5-lp151.6.3.1 as a component of openSUSE Leap 15.1 There had existed in one of the ISC BIND libraries a bug in a function that was used by dhcpd when operating in DHCPv6 mode. There was also a bug in dhcpd relating to the use of this function per its documentation, but the bug in the library function prevented this from causing any harm. All releases of dhcpd from ISC contain copies of this, and other, BIND libraries in combinations that have been tested prior to release and are known to not present issues like this. Some third-party packagers of ISC software have modified the dhcpd source, BIND source, or version matchup in ways that create the crash potential. Based on reports available to ISC, the crash probability is large and no analysis has been done on how, or even if, the probability can be manipulated by an attacker. Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later, or BIND versions with specific bug fixes backported to them. ISC does not have access to comprehensive version lists for all repackagings of dhcpd that are vulnerable. In particular, builds from other vendors may also be affected. Operators are advised to consult their vendor documentation. CVE-2019-6470 openSUSE Leap 15.1:dhcp-4.3.5-lp151.6.3.1 openSUSE Leap 15.1:dhcp-client-4.3.5-lp151.6.3.1 openSUSE Leap 15.1:dhcp-devel-4.3.5-lp151.6.3.1 openSUSE Leap 15.1:dhcp-doc-4.3.5-lp151.6.3.1 openSUSE Leap 15.1:dhcp-relay-4.3.5-lp151.6.3.1 openSUSE Leap 15.1:dhcp-server-4.3.5-lp151.6.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J2L7BAA63TTF4QK6OBDKINRL6LAEUZIE/#J2L7BAA63TTF4QK6OBDKINRL6LAEUZIE https://www.suse.com/security/cve/CVE-2019-6470.html CVE-2019-6470 https://bugzilla.suse.com/1134078 SUSE Bug 1134078