The Internet Software Consortium (ISC) has warned of several buffer
overflows in its reference implementation of the DHCP (define) protocol
that could allows hackers to execute malicious code on vulnerable systems.
The Dynamic Host Configuration Protocol (DHCP) provides a framework for
assigning dynamic IP addresses to devices on a network. With dynamic
addressing, a device can have a different IP address every time it connects
to the network. In addition to supplying hosts with network configuration
data, the ISC's implementation allows the DHCP server to dynamically update
a DNS server, eliminating the need for manual updates to the name server
configuration. The ISC's DHCP is the de facto standard for all UNIX and UNIX-like
systems, including Linux and BSD. FreeBSD/sparc64 5.2-RELEASE Release Notes::
Four separate security flaws in OpenSSL, which could allow a remote attacker to The ISC DHCP client has been updated from 3.0.1rc11 to 3.0.1rc12.
http://www.freebsd.org/releases/5.2R/relnotes-sparc64.htmlHOME |
An advisory
from the CERT Coordination Center Thursday said the security holes were detected during an internal source code audit by the ISC, a non-profit group that develops production quality Open Source reference implementations of core Internet protocols. bugtraq: By Date::
Re: Two security flaws in Bajie Webserver labs@MDMA.ZA.NET (Thu Jan 01 1970 - 00: SANS Flash: Most dangerous flaw found in Windows workstations, Fix
http://www.dataguard.no/bugtraq/2000_3/date.htmlHOME |
Techworld.com - Linux vendors tackle security holes::
In January of 2003, a version of ISCs DHCP 3 included in Red Hat and Suse Linux The flaw found by E-Matters allows a user to exploit a heap overflow that
http://www.techworld.com/security/news/index.cfm?NewsID=1789&Page=1&pagePos=14HOME |
During that audit, ISC developers found bugs in the error handling
routines of the minires library, which is used by NSUPDATE to resolve
hostnames. "These vulnerabilities are stack-based buffer overflows that may
be exploitable by sending a DHCP message containing a large hostname value,"
CERT/CC warned. CERT Warns Of New Security Flaw -- security -- InformationWeek::
late Wednesday, is in the way the DHCP server processes an acknowledgement More information can be found in CERT Advisory CA-2002-12. More Software Insights
http://www.informationweek.com/news/software/showArticle.jhtml?articleID=6502494HOME |
NEOHAPSIS - Peace of Mind Through Integrity and Insight::
[CLA-2003:616] Conectiva Security Announcement - dhcp Conectiva Updates (Fri Apr Buffer Overflow Vulnerability Found in MailMax Version 5 Dennis Rand (Fri Apr 11
http://www.security-express.com/archives/bugtraq/2003-04/HOME |
Although the minires library is derived from the BIND 8 resolver
library, these vulnerabilities do not affect any current versions of BIND,
the Center added.
The Consortium has released fixes in versions 3.0pl2 and 3.0.1RC11 of its
DHCP implementation (Download locations here). In the interim, CERT/CC
has urged IT administrators to disable the NSUPDATE feature on affected DHCP
servers, blocking external access to DHCP server ports or disabling DHCP
altogether.
According to the alert, Red Hat distributes a
vulnerable version of ISC DHCP in Red Hat Linux 8.0. Red Hat said new DHCP
packages are available and urged users of its network to update their
systems (See Red Hat advisory).
 Sun to Simplify Java
 MandrakeSoft Files for Bankruptcy
| 
HOME