Bug 811934 - (CVE-2013-2266) VUL-0: CVE-2013-2266: dhcp: DHCP 4.2.5-P1 update to fix one security issue
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Marius Tomaschewski
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp2:51914
Reported: 2013-03-27 08:31 UTC by Marcus Meissner
Modified: 2015-02-19 00:03 UTC

Description Marcus Meissner 2013-03-27 08:31:02 UTC
Is public, via ISC announce.

CVE-2013-2266

ISC DHCP 4.2.5-P1 is now available for download.

This is a security release of DHCP 4.2.5-P1.  It differs
from DHCP 4.2.5 in the version of BIND code included,
BIND 9.8.4-P2, which contains a fix for the BIND
vulnerability disclosed in CVE-2013-2266
(see https://kb.isc.org/article/AA-00871 for more
information.)  There are no code changes to the DHCP source.

A list of the changes in this release has been appended to the end
of this message.  For a complete list of changes from any previous
release, please consult the RELNOTES file within the source
distribution, or on our website:

    http://www.isc.org/software/dhcp/425-p1

This release, and its OpenPGP-signatures are available now from:

    ftp://ftp.isc.org/isc/dhcp/4.2.5-P1/dhcp-4.2.5-P1.tar.gz
    ftp://ftp.isc.org/isc/dhcp/4.2.5-P1/dhcp-4.2.5-P1.tar.gz.sha512.asc
    ftp://ftp.isc.org/isc/dhcp/4.2.5-P1/dhcp-4.2.5-P1.tar.gz.sha256.asc
    ftp://ftp.isc.org/isc/dhcp/4.2.5-P1/dhcp-4.2.5-P1.tar.gz.sha1.asc

ISC's Release Signing Key can be obtained at:

    http://www.isc.org/about/openpgp/

                        Changes since 4.2.5

- A security issue in Bind9 was found and fixed.  This release includes the
  fixed Bind9 code.  There have been no code changes to the DHCP code.
  [ISC-Bugs #32688]
  CVE: CVE-2013-2266
Comment 1 Marcus Meissner 2013-03-27 08:41:27 UTC
can you clarify what distributions are affected?
Comment 2 Marius Tomaschewski 2013-03-27 09:46:23 UTC
SLE-11-SP2:        dhcp-4.2.4-P2/bind/bind-9.8.3-P3
SLE-11-SP3:        dhcp-4.2.4-P2/bind/bind-9.8.3-P3
openSUSE-12.1:     dhcp-4.2.4-P2/bind/bind-9.8.3-P3
openSUSE-12.2:     dhcp-4.2.4-P2/bind/bind-9.8.3-P3
openSUSE-12.3:     dhcp-4.2.5/bind/bind-9.8.4-P1
openSUSE-Factory:  dhcp-4.2.5/bind/bind-9.8.4-P1

Older versions (e.g. SLE-10 or SLE-11-SP1) are using dhcp-3.x,
which does not contain the bind tarball inside.
Comment 4 Bernhard Wiedemann 2013-03-27 15:00:27 UTC
This is an autogenerated message for OBS integration:
This bug (811934) was mentioned in
https://build.opensuse.org/request/show/161431 Maintenance / 
https://build.opensuse.org/request/show/161432 Factory / dhcp
https://build.opensuse.org/request/show/161433 Maintenance / 
https://build.opensuse.org/request/show/161435 Maintenance /
Comment 6 Marius Tomaschewski 2013-03-27 15:15:55 UTC
SLE-10 and SLE-11-SP1 do not need any fix:
 - they are using dhcp-3.x, which does not contain bind.tgz inside or
   use bind's libdns, which tries to verify regex syntax in RDATA.
 - I didn't find any regex (regcomp|regexec) use in the dhcp sources.
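The per-distribution reasoning of comments 2 and 6 (is a BIND tree bundled inside the dhcp source, and is it older than the fixed one?), as an added example that is not part of this bug or of SUSE's or ISC's tooling. The fixed threshold 9.8.4-P2 is the BIND version ISC shipped inside DHCP 4.2.5-P1; the source paths are re-typed from comment 2, and "dhcp-3.x" is a constructed placeholder for the pre-4.x packages of comment 6, which bundle no BIND.

```python
import re

FIXED_BIND = "9.8.4-P2"  # BIND version ISC shipped inside DHCP 4.2.5-P1

# constructed table: distribution -> dhcp source path as listed in comment 2;
# "dhcp-3.x" is a placeholder for the pre-4.x packages of comment 6 (no BIND bundled)
DISTROS = {
    "SLE-10":           "dhcp-3.x",
    "SLE-11-SP1":       "dhcp-3.x",
    "SLE-11-SP2":       "dhcp-4.2.4-P2/bind/bind-9.8.3-P3",
    "SLE-11-SP3":       "dhcp-4.2.4-P2/bind/bind-9.8.3-P3",
    "openSUSE-12.1":    "dhcp-4.2.4-P2/bind/bind-9.8.3-P3",
    "openSUSE-12.2":    "dhcp-4.2.4-P2/bind/bind-9.8.3-P3",
    "openSUSE-12.3":    "dhcp-4.2.5/bind/bind-9.8.4-P1",
    "openSUSE-Factory": "dhcp-4.2.5/bind/bind-9.8.4-P1",
}

_VERSION_RE = r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?"

def parse_bind_version(version):
    """'9.8.4-P2' -> (9, 8, 4, 2). A release without -Pn gets patch level 0,
    so plain tuple order gives 9.8.4 < 9.8.4-P1 < 9.8.4-P2 < 9.8.5."""
    m = re.fullmatch(_VERSION_RE, version)
    if not m:
        raise ValueError("unrecognised BIND version: %r" % version)
    major, minor, patch, p = m.groups()
    return int(major), int(minor), int(patch), int(p or 0)

def bundled_bind_version(source_path):
    """BIND version named by a 'bind-X.Y.Z[-Pn]' path component (a .tar.gz
    suffix is tolerated), or None when the dhcp tree bundles no BIND."""
    m = re.search(r"(?:^|/)bind-" + _VERSION_RE + r"(?:\.tar\.gz|/|$)", source_path)
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return "%s.%s.%s" % (major, minor, patch) + ("-P%s" % p if p else "")

def status(source_path):
    """'not affected' (no bundled BIND, as for dhcp-3.x), 'update' (bundled
    BIND older than FIXED_BIND) or 'fixed'."""
    bundled = bundled_bind_version(source_path)
    if bundled is None:
        return "not affected"
    if parse_bind_version(bundled) < parse_bind_version(FIXED_BIND):
        return "update"
    return "fixed"

def audit(distros=DISTROS):
    """Map every distribution in the table to its status."""
    return {name: status(path) for name, path in distros.items()}
```

Running `audit()` reproduces comment 2: every 4.2.x package needs the update, including openSUSE 12.3/Factory whose 9.8.4-P1 is one patch level short, while the dhcp-3.x products are not affected.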
Comment 7 Bernhard Wiedemann 2013-03-27 16:00:33 UTC
This is an autogenerated message for OBS integration:
This bug (811934) was mentioned in
https://build.opensuse.org/request/show/161437 Maintenance / 
https://build.opensuse.org/request/show/161440 Maintenance /
Comment 8 Swamp Workflow Management 2013-03-27 23:00:14 UTC
bugbot adjusting priority
Comment 9 Marius Tomaschewski 2013-03-28 14:14:59 UTC
OK, I think it is fixed -- all relevant packages are submitted for update.
Comment 10 Bernhard Wiedemann 2013-04-02 16:01:42 UTC
This is an autogenerated message for OBS integration:
This bug (811934) was mentioned in
https://build.opensuse.org/request/show/162229 Evergreen:11.2 / dhcp
Comment 11 Swamp Workflow Management 2013-04-04 15:05:00 UTC
openSUSE-SU-2013:0619-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 783002,811934
CVE References: CVE-2013-2266
Sources used:
openSUSE 12.2 (src):    dhcp-4.2.4.P2-0.1.12.1
openSUSE 12.1 (src):    dhcp-4.2.4.P2-0.6.21.1
Comment 12 Swamp Workflow Management 2013-04-04 15:05:30 UTC
openSUSE-SU-2013:0620-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 783002,811934
CVE References: CVE-2013-2266
Sources used:
openSUSE 12.3 (src):    dhcp-4.2.5.P1-0.2.4.1
Comment 13 Swamp Workflow Management 2013-04-04 16:06:34 UTC
openSUSE-SU-2013:0625-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 783002,784640,788787,791280,791289,794578,811934
CVE References: CVE-2013-2266
Sources used:
openSUSE 11.4 (src):    dhcp-4.2.4.P2-0.34.1
Comment 14 Bernhard Wiedemann 2013-04-05 14:01:26 UTC
This is an autogenerated message for OBS integration:
This bug (811934) was mentioned in
https://build.opensuse.org/request/show/162839 Evergreen:11.2 / dhcp
Comment 15 Swamp Workflow Management 2013-04-17 15:04:13 UTC
Update released for: dhcp, dhcp-client, dhcp-debuginfo, dhcp-debugsource, dhcp-devel, dhcp-relay, dhcp-server
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 16 Marcus Meissner 2013-07-25 08:26:38 UTC
also got assigned

CVE-2013-2494 via https://kb.isc.org/article/AA-00880/

I think it was fixed by the updates in the 4.2.x series.
Comment 17 Marius Tomaschewski 2013-07-25 12:50:19 UTC
Yes.

CVE-2013-2266 is the bind fix (disabling regex usage), while
CVE-2013-2494 is replacing the bind source tar ball shipped
              inside of the dhcp source tar ball.

We've applied the CVE-2013-2266 fix to bind sources inside of dhcp.
Comment 18 Marcus Meissner 2014-02-20 13:11:15 UTC
We also version updated BIND to 9.9.4P2 in the meantime, meaning this should also be fixed in BIND.

(even though it still checks for regex.h)