Security 10797 Published by

Two new security updates for Debian GNU/Linux has been released

DSA-245-1 dhcp3 -- ignored counter boundary



Florian Lohoff discovered a bug in the dhcrelay causing it to send a continuing packet storm towards the configured DHCP server(s) in case of a malicious BOOTP packet, such as sent from buggy Cisco switches.

When the dhcp-relay receives a BOOTP request it forwards the request to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff which causes the network interface to reflect the packet back into the socket. To prevent loops the dhcrelay checks whether the relay-address is its own, in which case the packet would be dropped. In combination with a missing upper boundary for the hop counter an attacker can force the dhcp-relay to send a continuing packet storm towards the configured dhcp server(s).

This patch introduces a new command line switch -c maxcount and people are advised to start the dhcp-relay with dhcrelay -c 10 or a smaller number, which will only create that many packets.
Read more

DSA-244-1 noffle -- buffer overflows