Bug 64630 - dhcp 3.0 security vulnerability (CA-2002-12)
Summary: dhcp 3.0 security vulnerability (CA-2002-12)
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Raw Hide
Classification: Retired
Component: dhcp
Version: 1.0
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Elliot Lee
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 67217
Reported: 2002-05-08 20:32 UTC by Jordan Russell
Modified: 2008-05-01 15:38 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2002-06-21 04:45:36 UTC
Embargoed:



Description Jordan Russell 2002-05-08 20:32:10 UTC
The dhcp-3.0-6 packages currently in rawhide are apparently affected by 
the "Format String Vulnerability" described here:

http://www.cert.org/advisories/CA-2002-12.html

Please roll dhcp-3.0pl1 packages as soon as possible...

Comment 1 Elliot Lee 2002-05-08 21:23:25 UTC
You're incorrectly expecting support for rawhide packages. (No releases have
dhcp 3.x included, so there's no need for an erratum.)

The package will get updated eventually, but it's not a priority...

Comment 2 Jordan Russell 2002-05-08 22:40:54 UTC
First you declined to fix the known-broken dhcp-2.0 package (see #36620) 
because the dhcp-3.0 package in rawhide fixes the problem, and now you're 
saying you won't support dhcp-3.0 because it's in rawhide?

It seems that you're saying "We won't put effort into fixing dhcp-2.0 bugs 
because there's a dhcp-3.0 package available", and at the same time, "We won't 
put effort into fixing dhcp-3.0 bugs because there's a dhcp-2.0 package 
available."

An obvious catch-22.

IMO, one or the other needs to be fixed. Both available dhcp packages shouldn't 
be left broken and unsupported like this.

Comment 3 Elliot Lee 2002-05-08 22:57:28 UTC
Like I said, the dhcp in rawhide will get fixed eventually, but rawhide isn't
something that is supported in any fashion, just a holding pen for development
work. The 36620 issue _is_ solved in rawhide (meaning that the 36620 fix will be
in a future release when people can be expected to actually use it), but that
package-with-security-hole is the best I can do given my priorities and the low
priority of rawhide.

Comment 4 Jordan Russell 2002-05-09 00:46:12 UTC
Okay, fair enough. I guess I'll hack up my own package for 3.0pl1 in the 
meantime...

Comment 5 Elliot Lee 2002-06-20 15:46:21 UTC
3.0pl1 packages are being worked on now, should be a week hopefully.

Comment 6 Elliot Lee 2002-06-27 10:28:27 UTC
pl1 in rawhide

Comment 7 Michael Fulbright 2002-12-20 17:38:25 UTC
Time tracking values updated

