Bugzilla – Bug 811934
VUL-0: CVE-2013-2266: dhcp: DHCP 4.2.5-P1 update to fix one security issue
Last modified: 2015-02-19 00:03:20 UTC
is public, via isc announce:

CVE-2013-2266

ISC DHCP 4.2.5-P1 is now available for download. This is a security release of DHCP 4.2.5-P1. It differs from DHCP 4.2.5 in the version of BIND code included, BIND 9.8.4-P2, which contains a fix for the BIND vulnerability disclosed in CVE-2013-2266 (see https://kb.isc.org/article/AA-00871 for more information). There are no code changes to the DHCP source.

A list of the changes in this release has been appended to the end of this message. For a complete list of changes from any previous release, please consult the RELNOTES file within the source distribution, or on our website:
http://www.isc.org/software/dhcp/425-p1

This release, and its OpenPGP signatures, are available now from:
ftp://ftp.isc.org/isc/dhcp/4.2.5-P1/dhcp-4.2.5-P1.tar.gz
ftp://ftp.isc.org/isc/dhcp/4.2.5-P1/dhcp-4.2.5-P1.tar.gz.sha512.asc
ftp://ftp.isc.org/isc/dhcp/4.2.5-P1/dhcp-4.2.5-P1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/dhcp/4.2.5-P1/dhcp-4.2.5-P1.tar.gz.sha1.asc

ISC's Release Signing Key can be obtained at:
http://www.isc.org/about/openpgp/

Changes since 4.2.5
- A security issue in Bind9 was found and fixed. This release includes the fixed Bind9 code. There have been no code changes to the DHCP code. [ISC-Bugs #32688] CVE: CVE-2013-2266
can you clarify what distributions are affected?
SLE-11-SP2: dhcp-4.2.4-P2/bind/bind-9.8.3-P3
SLE-11-SP3: dhcp-4.2.4-P2/bind/bind-9.8.3-P3
openSUSE-12.1: dhcp-4.2.4-P2/bind/bind-9.8.3-P3
openSUSE-12.2: dhcp-4.2.4-P2/bind/bind-9.8.3-P3
openSUSE-12.3: dhcp-4.2.5/bind/bind-9.8.4-P1
openSUSE-Factory: dhcp-4.2.5/bind/bind-9.8.4-P1

Older versions (e.g. SLE-10 or SLE-11-SP1) are using dhcp-3.x, which does not contain the bind tar ball inside.
This is an autogenerated message for OBS integration: This bug (811934) was mentioned in
https://build.opensuse.org/request/show/161431 Maintenance /
https://build.opensuse.org/request/show/161432 Factory / dhcp
https://build.opensuse.org/request/show/161433 Maintenance /
https://build.opensuse.org/request/show/161435 Maintenance /
SLE-10 and SLE-11-SP1 do not need any fix:
- they are using dhcp-3.x, which does not contain bind.tgz inside or use bind's libdns, which is trying to verify regex syntax in RDATA.
- I didn't find any regex (regcomp|regexec) use in the dhcp sources.
This is an autogenerated message for OBS integration: This bug (811934) was mentioned in
https://build.opensuse.org/request/show/161437 Maintenance /
https://build.opensuse.org/request/show/161440 Maintenance /
bugbot adjusting priority
OK, I think it is fixed -- all relevant packages are submitted for update.
This is an autogenerated message for OBS integration: This bug (811934) was mentioned in https://build.opensuse.org/request/show/162229 Evergreen:11.2 / dhcp
openSUSE-SU-2013:0619-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 783002,811934
CVE References: CVE-2013-2266
Sources used:
openSUSE 12.2 (src): dhcp-4.2.4.P2-0.1.12.1
openSUSE 12.1 (src): dhcp-4.2.4.P2-0.6.21.1
openSUSE-SU-2013:0620-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 783002,811934
CVE References: CVE-2013-2266
Sources used:
openSUSE 12.3 (src): dhcp-4.2.5.P1-0.2.4.1
openSUSE-SU-2013:0625-1: An update that solves one vulnerability and has 6 fixes is now available.
Category: security (moderate)
Bug References: 783002,784640,788787,791280,791289,794578,811934
CVE References: CVE-2013-2266
Sources used:
openSUSE 11.4 (src): dhcp-4.2.4.P2-0.34.1
This is an autogenerated message for OBS integration: This bug (811934) was mentioned in https://build.opensuse.org/request/show/162839 Evergreen:11.2 / dhcp
Update released for: dhcp, dhcp-client, dhcp-debuginfo, dhcp-debugsource, dhcp-devel, dhcp-relay, dhcp-server
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
This also got assigned CVE-2013-2494 via https://kb.isc.org/article/AA-00880/, I think, and was fixed by the updates in the 4.2.x series.
Yes. CVE-2013-2266 is the bind fix (disabling regex usage), while CVE-2013-2494 is replacing the bind source tar ball shipped inside of the dhcp source tar ball. We've applied the CVE-2013-2266 fix to bind sources inside of dhcp.
We also version-updated BIND to 9.9.4P2 in the meantime, meaning this should also be fixed in BIND (even though it still checks for regex.h).