Red Hat Bugzilla – Bug 928011
CVE-2013-2494 dhcp: bind/libdns CVE-2013-2266 regular expressions excessive resource consumption DoS
Last modified: 2013-03-27 06:37:36 EDT
A denial of service flaw was found in the way the libdns library implementation of BIND processed certain requests. A DHCP client could issue a specially-crafted DHCP protocol request that, when processed, would lead to excessive memory consumption (memory exhaustion) on the side of the DHCP server process, possibly leading to its crash.
Release notes indicate:
- A security issue in Bind9 was found and fixed. This release includes the
fixed Bind9 code. There have been no code changes to the DHCP code.
The DHCP update upgrades the used Bind version to fix CVE-2013-2266 (bug 928027). There should be no separate CVE id assigned for DHCP just because it's a different application that uses/embeds vulnerable Bind code.
Fedora dhcp builds remove the embedded bind source and link against the system libdns:
Not Vulnerable. This issue does not affect the version of dhcp as shipped with Red Hat Enterprise Linux 5 and 6.
*** This bug has been marked as a duplicate of bug 928027 ***
This issue does not affect the version of dhcp as shipped with Fedora 17 and Fedora 18. More details in comment #7.