-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0830
                         isc-dhcp security update
                               23 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           isc-dhcp
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5733 CVE-2018-5732 

Reference:         ESB-2018.0724
                   ESB-2018.0704
                   ESB-2018.0669
                   ESB-2018.0605

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/03/msg00015.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : isc-dhcp
Version        : 4.2.2.dfsg.1-5+deb70u9
CVE ID         : CVE-2018-5732 CVE-2018-5733


Several vulnerabilities have been discovered in the ISC DHCP client,
relay and server. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2018-5732

     Felix Wilhelm of the Google Security Team discovered that the DHCP
     client is prone to an out-of-bound memory access vulnerability when
     processing specially constructed DHCP options responses, resulting
     in potential execution of arbitrary code by a malicious DHCP server.

CVE-2018-5733

     Felix Wilhelm of the Google Security Team discovered that the DHCP
     server does not properly handle reference counting when processing
     client requests. A malicious client can take advantage of this flaw
     to cause a denial of service (dhcpd crash) by sending large amounts
     of traffic.


For Debian 7 "Wheezy", these problems have been fixed in version
4.2.2.dfsg.1-5+deb70u9.

We recommend that you upgrade your isc-dhcp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJatB2SXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHUW0QAJdaL1FwEhuEL1oMECi9nEPT
dsQw1cwdJMWd61p7QMG0p4W5/XFJxZ+KU6uDX2nTw/q6CCjIF10RIPXC3ka3kkC2
mH/Db1yFzA9jhCryYZz+EEIdsAajdy5CZmU0LBWVYicWnqeE8GKOYUjJMNf/49Lr
0DrI0Vgon7VnUQU8cnbggz1Tn9BpWFphDtM6VVO1pniV4IDtLNQnUIijqRcYkfQj
jcKvqyUh8p+Jk3dJY5FM+eQxlCpjDSwH7v1801o0kqvZtgnquWR+XNkK9OQvPqIY
38dWhRisWSLN5YCWa0BEAp25pmWRxKTVLriKNfu8DByG63TVhLRxYQYmcl2jw2Oz
ed+xzXLLudl/4Ruuu1Rrts+mKdQYT+QLMDFyAUooNdJyxrxgn2F3QJkTdd8G33E7
o70MN45hgtd6JFd7Sa9nFVhm0D0mGsf1Z0F/TUbxLxzGvzpIh6YUzJGfzIEgHrGp
LEyxXnSh5a/KdPt5YIpMBKgDvXJebWuYNvhplRCAbigXwxf1Y5DcgOyWObTttkti
BUOFntQC3ePTX5EbmGr/qKKEnMtLQB3Ca2XHR1AZ1znncIAuk1RO0IzMqfzLLwjQ
ThGXvRVkTxJEJflKkAyxpIVqToSS3sltTSGwVzdFRAky12fZWakmFBCK/G/N7fcG
Rrx5h5ivQ7fUBuMqbM+F
=OQ+P
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWrRQd4x+lLeg9Ub1AQg6ow/+L0cO7m51BsDpjF41CYScaemRm1CnwgVi
ss+QPKUoGgtKti5wnppY1t6U9qSrw7AqJYNwT/2gzZcF772/DzVZ3zFW0FXX3nx6
yvlnMbH6cr0upj+0fibtINuqRz/uNeTTa8eRcsgeYkI1hwZ5VN8FTryDjAlrCmnh
aFw4CQyAo1ovJMbVaz/wZjnFx+8TY9XPJxxBYkuz8nE/yT95/3v/L4qdFniyANMZ
ED0ec2Tyqc7SVnhSN4BT6tH6KyTCuMDfQEaFmKT5FDFH2skcCh7P7F17tkXEaw2S
5uZDpxllB1FjIvuM6TjKqCLaGXGgTgcy0QTQtoYVinN298h37EdAR/SvZtZkjcFb
b/uT0Uf3wzmf2a4+l6vCfirtwRlGl6OUtHJWxljYwB2kviOV4x4aVmzxj0DRgNcO
gQtOxX7vMwYoW1vD89eQW7unDAJHebCzRF+3nvqpPRe5I3+MTNApxcz5WTfZ3Rad
baTW1xb53dc8Frl8s1cfBRec0G62+pWjUkPdFvc+AGGgmNTbNUSCzD4VIMWyX+wO
wDYuE4wp0VOaVhUZPuuuiExCd+7JbnoEJjgVwMkhAqxTyEGPTpFG/MZ9o7yt+i0X
ZY4loi8ozc6tt9o0P6l4s/omf4tqUEDlHdS4Qv9MoOyuv4Ew8QPRPHtavEp3Avxn
JeoScNnjnlc=
=8wcz
-----END PGP SIGNATURE-----