Bug 64630 - dhcp 3.0 security vulnerability (CA-2002-12)
Status: CLOSED RAWHIDE
Product: Red Hat Raw Hide
Classification: Retired
Component: dhcp
Version: 1.0
Hardware: i386 Linux
Priority: high
Severity: medium
Assigned To: Elliot Lee
: Security
Blocks: 67217
Reported: 2002-05-08 16:32 EDT by Jordan Russell
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix
Last Closed: 2002-06-21 00:45:36 EDT
Description Jordan Russell 2002-05-08 16:32:10 EDT
The dhcp-3.0-6 packages currently in rawhide are apparently affected by 
the "Format String Vulnerability" described here:

http://www.cert.org/advisories/CA-2002-12.html

Please roll dhcp-3.0pl1 packages as soon as possible...
Comment 1 Elliot Lee 2002-05-08 17:23:25 EDT
You're incorrectly expecting support for rawhide packages. (No releases have
dhcp 3.x included, so there's no need for an erratum.)

The package will get updated eventually, but it's not a priority...
Comment 2 Jordan Russell 2002-05-08 18:40:54 EDT
First you declined to fix the known-broken dhcp-2.0 package (see #36620) 
because the dhcp-3.0 package in rawhide fixes the problem, and now you're 
saying you won't support dhcp-3.0 because it's in rawhide?

It seems that you're saying "We won't put effort into fixing dhcp-2.0 bugs 
because there's a dhcp-3.0 package available", and at the same time, "We won't 
put effort into fixing dhcp-3.0 bugs because there's a dhcp-2.0 package 
available."

An obvious catch-22.

IMO, one or the other needs to be fixed. Both available dhcp packages shouldn't 
be left broken and unsupported like this.
Comment 3 Elliot Lee 2002-05-08 18:57:28 EDT
Like I said, the dhcp in rawhide will get fixed eventually, but rawhide isn't
something that is supported in any fashion, just a holding pen for development
work. The 36620 issue _is_ solved in rawhide (meaning that the 36620 fix will be
in a future release when people can be expected to actually use it), but that
package-with-security-hole is the best I can do given my priorities and the low
priority of rawhide.
Comment 4 Jordan Russell 2002-05-08 20:46:12 EDT
Okay, fair enough. I guess I'll hack up my own package for 3.0pl1 in the 
meantime...
Comment 5 Elliot Lee 2002-06-20 11:46:21 EDT
3.0pl1 packages are being worked on now, should be a week hopefully.
Comment 6 Elliot Lee 2002-06-27 06:28:27 EDT
pl1 in rawhide
Comment 7 Michael Fulbright 2002-12-20 12:38:25 EST
Time tracking values updated
