Package: dhcpcd5
Version: 7.1.0-1
Severity: serious
Tags: security upstream fixed-upstream

Dear Maintainer,

another week - another bug ;)

Upstream released version 7.2.2 of dhcpcd5 fixing another potential security issue in DHCPv6. All versions currently supported in Debian (jessie, stretch, buster, sid) seem to be vulnerable [1].

The following issue has been fixed (copied from upstream's announcement):

* DHCPv6: Fix a potential read overflow with D6_OPTION_PD_EXCLUDE

Upstream provides two patches for version 7 which would be relevant for buster and sid [2][3]. In addition, version 6.10.7 was released addressing the same issue. The patches from this release might be useful for backporting to stretch and jessie [4][5].

Please consider applying/backporting those patches in your next round of uploads.

Thanks and regards,
Timo

[1] https://roy.marples.name/archives/dhcpcd-discuss/0002428.html
[2] https://roy.marples.name/cgit/dhcpcd.git/commit/?h=dhcpcd-7&id=c1ebeaafeb324bac997984abdcee2d4e8b61a8a8
[3] https://roy.marples.name/cgit/dhcpcd.git/commit/?h=dhcpcd-7&id=896ef4a54b0578985e5e1360b141593f1d62837b
[4] https://roy.marples.name/cgit/dhcpcd.git/commit/?h=dhcpcd-6&id=c8887c666aacd01bc8f420d617d538cb9fef54f3
[5] https://roy.marples.name/cgit/dhcpcd.git/commit/?h=dhcpcd-6&id=eb7aee47581bea64a93080abbde06bd6714321e6