ISC DHCP Users

CVE-2015-8461, a DHCP security vulnerability, was announced today.

Classic

List

Threaded

5 messages Options

Michael McNally

CVE-2015-8461, a DHCP security vulnerability, was announced today.

CVE-2015-8461, a new medium severity DHCP security vulnerability
was announced today.

If you want to be certain to receive future announcements, please
subscribe to dhcp-announce, a low-traffic list which carries only
release announcements and important security information.

https://lists.isc.org/mailman/listinfo/dhcp-announce

Or you can visit the advisory for CVE-2015-8461 directly here:

https://kb.isc.org/article/AA-01334

Software releases which correct the vulnerability are now available from:

http://www.isc.org/downloads
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Apu

Re: CVE-2015-8461, a DHCP security vulnerability, was announced today.

Michael,

The advisory includes this text regarding workarounds

None likely, but in some environments following the advice from
https://kb.isc.org/article/AA-00573/31/Securing-Your-Network-From-DHCP-Risks.html
can substantially reduce the risk by limiting the exposure of a DHCP
server to "controlled" networks and clients.

however the link returns an error requesting a username and password.

Is that article available publicly?

--
Apu

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Brian Conry

Re: CVE-2015-8461, a DHCP security vulnerability, was announced today.

On 2016-01-12 17:13, Apu wrote:

> Michael,
>
> The advisory includes this text regarding workarounds
>
> None likely, but in some environments following the advice from
> https://kb.isc.org/article/AA-00573/31/Securing-Your-Network-From-DHCP-Risks.html
> can substantially reduce the risk by limiting the exposure of a DHCP
> server to "controlled" networks and clients.
>
> however the link returns an error requesting a username and password.
>
> Is that article available publicly?

It was supposed to be before, and it is now.

Thanks for reporting the problem with the link.

Brian Conry
ISC Support

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Apu

Re: CVE-2015-8461, a DHCP security vulnerability, was announced today.

Thanks, Brian.

--
Apu

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Michael McNally

Re: CVE-2015-8461, a DHCP security vulnerability, was announced today.

In reply to this post by Michael McNally

On 1/12/16 6:03 PM, Michael McNally wrote:
> CVE-2015-8461, a new medium severity DHCP security vulnerability
> was announced today.

Please excuse my error. I cited the wrong advisory in the previous
message.

The links in my message were correct but the new DHCP advisory is
CVE-2015-8605, not CVE-2015-8461 as I wrote above.
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users