-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-16:10.dhclient                                       Errata Notice
                                                          The FreeBSD Project

Topic:          Better handle unknown options received from a DHCP server

Category:       core
Module:         dhclient
Announced:      2016-08-12
Credits:        Microsoft OSTC
Affects:        FreeBSD 10.3
Corrected:      2016-05-06 05:44:12 UTC (stable/10, 10.3-STABLE)
                2016-08-12 04:01:16 UTC (releng/10.3, 10.3-RELEASE-p7)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I. Background

The dhclient(8) utility is used to request an IP address from a DHCP server.
Some implementations of DHCP servers can use "options" to pass extra
information to dhclient.

II. Problem Description

In Azure, the DHCP server adds a private option (id 0xf5), which contains
the binary form of an IPv4 address. Once this option is converted to string
form, it could contain '$', for example:

    IPv4 address: 100.72.36.54
    binary form:  0x64 0x48 0x24 0x36
    string form:  "dH$6"

In this case, dhclient(8) exits upon "illegal" options as shown above, thus
an Azure virtual machine will fail to obtain an IP address, and fail to
start.

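The conversion described above, worked through in C as an added example
(not code from dhclient(8) or from the FreeBSD patch). The metacharacter set
and the hex re-encoding of unknown options are assumptions made for
illustration: a strict string check rejects the Azure value, while
re-encoding the unknown option lets processing continue.

```c
#include <stdio.h>
#include <string.h>

/* Assumed metacharacter set for this example; not dhclient's own list. */
static const char UNSAFE[] = "$`\"'|&;<>";

/* Render option bytes as text; non-printable bytes become '.'. */
int option_as_text(const unsigned char *d, size_t len, char *out, size_t outsz)
{
    if (len + 1 > outsz)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = (d[i] >= 0x20 && d[i] < 0x7f) ? (char)d[i] : '.';
    out[len] = '\0';
    return 0;
}

/* Strict policy: any unsafe character in the text form is fatal (-1). */
int strict_check(const char *text)
{
    return text[strcspn(text, UNSAFE)] == '\0' ? 0 : -1;
}

/* Tolerant policy (assumed for illustration): a known option must pass
 * the strict check; an unknown one that fails it is re-encoded as
 * colon-separated hex instead of aborting.  0 = accept, -1 = reject. */
int tolerant_check(int known, const unsigned char *d, size_t len,
                   char *out, size_t outsz)
{
    size_t o = 0;
    if (option_as_text(d, len, out, outsz) == 0 && strict_check(out) == 0)
        return 0;
    if (known || len * 3 + 1 > outsz)
        return -1;
    for (size_t i = 0; i < len; i++)
        o += (size_t)snprintf(out + o, outsz - o, i ? ":%02x" : "%02x",
                              (unsigned)d[i]);
    return 0;
}

int main(void)
{
    const unsigned char azure[] = { 0x64, 0x48, 0x24, 0x36 }; /* 100.72.36.54 */
    char buf[32];
    option_as_text(azure, sizeof azure, buf, sizeof buf);
    printf("text=\"%s\" strict=%d\n", buf, strict_check(buf));
    int rc = tolerant_check(0, azure, sizeof azure, buf, sizeof buf);
    printf("tolerant=%d value=%s\n", rc, buf);
    return 0;
}
```
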
III. Impact

The virtual machine in Azure may not set its IP address properly and may
become inaccessible.

IV. Workaround

No workaround is available; however, it is presumed this issue only affects
FreeBSD running in Azure.

V. Solution

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Afterward, reboot the system or restart dhclient(8).

2) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system or restart dhclient(8).

3) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-16:10/dhclient.patch
# fetch https://security.FreeBSD.org/patches/EN-16:10/dhclient.patch.asc
# gpg --verify dhclient.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r299156
releng/10.3/                                                      r303984
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:10.dhclient.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----