4.46. dhcp

Security Fix

CVE-2011-4539

A denial of service flaw was found in the way the dhcpd daemon handled DHCP request packets when regular expression matching was used in "/etc/dhcp/dhcpd.conf". A remote attacker could use this flaw to crash dhcpd.

BZ#694798

Previously, when multiple DHCP clients were launched at the same time to handle multiple virtual interfaces on the same network interface card (NIC), the clients used the same seed to choose when to renew their leases. Consequently, these virtual interfaces for some clients could have been removed over time. With this update, the dhclient utility uses the Process Identifier (PID) for seeding the random number generator, which fixes the bug.

BZ#694799

If a system was rebooted while a network switch was inoperative, the network connection would recover successfully. However, it was no longer configured to use DHCP even if the dhclient utility had been running in persistent mode. With this update, the dhclient-script file has been modified to refresh the ARP (Address Resolution Protocol) table and the routing table instead of bringing the interface down, which fixes the bug.

BZ#731990

If the system included network interfaces with no hardware address, the dhcpd scan could have experienced a segmentation fault when scanning such an interface. As a consequence, the dhcpd daemon unexpectedly terminated. To prevent this issue, dhcpd now tests a pointer which represents the hardware address of the interface for the NULL value. The dhcp daemon no longer crashes.

BZ#736999

Previously, all source files were compiled with the "-fpie" or "fPIE" flag. As a consequence, the libraries used by dhcp could not have been used to build Perl modules. To fix this problem, all respective dhcp Makefiles have been modified to compile libraries with the "-fpic" or "-fPIC" flag. The libraries used by dhcp are now built without the previous restrictions.

BZ#736194

Previously, both dhcp and dhclient packages included the dhcp-options(5) and dhcp-eval(5) man pages. As a consequence, a conflict could have occurred when any of these man pages were updated, because dhcp and dhclient packages could have been upgraded separately. To prevent the problem from occurring in future updates, shared files of dhcp and dhclient packages have been moved to the dhcp-common package that is required by both dhcp and dhclient as a dependency.

BZ#706974

A feature has been backported from dhcp version 4.2.0. This feature allows the DHCPv6 server to be configured to identify DHCPv6 clients in accordance with their link-layer address and their network hardware type. With this update, it is now possible to define a static IPv6 address for the DHCPv6 client with a known link-layer address.

BZ#693381

Previously, the dhcpd daemon ran as root. With this update, new "-user" and "-group" options can be used with dhcpd. These options allow dhcpd to change the effective user and group ID after it starts. The dhcpd and dhcpd6 services now run the dhcpd daemon with the "-user dhcpd -group dhcpd" parameters, which means that the dhcpd daemon runs as the dhcpd user and group instead root.