Debian Bug report logs -
#896122
isc-dhcp: CVE-2019-6470
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>
:
Bug#896122
; Package isc-dhcp-server
.
(Thu, 19 Apr 2018 19:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Giorgos Skafidas <giorgos.skafidas@gmx.com>
:
New Bug report received and forwarded. Copy sent to Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>
.
(Thu, 19 Apr 2018 19:21:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: isc-dhcp-server
Version: 4.3.5-4
Severity: important
Tags: ipv6
Dear Maintainer,
I use isc-dhcp-server as a DHCPv6+DHCPv4 server in a home network with mostly Windows and a few Linux and Android clients.
After upgrading to 4.3.5-4, I noticed that the DHCPv6 server would die after a while, with no error messages in syslog. Meanwhile,
DHCPv4 keeps functioning without a problem. Trying to reproduce this today, I found that running the "ipconfig /release6" and "ipconfig /renew6"
commands in Windows, to release and reacquire the lease respectively, is enough to trigger the crash.
I do not have this issue after downgrading to 4.3.5-3.1. Below is the output from running dhcpd in foreground mode.
Thank you!
-------------------------------------------------------------------------------
# /usr/sbin/dhcpd -6 -d -tf dhcpd6-trace -cf /etc/dhcp/dhcpd6.conf eth0_lan eth0.2 eth0.3
Internet Systems Consortium DHCP Server 4.3.5
Copyright 2004-2016 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
lease_id_format is: hex
Config file: /etc/dhcp/dhcpd6.conf
Database file: /var/lib/dhcp/dhcpd6.leases
PID file: /var/run/dhcpd6.pid
Wrote 0 class decls to leases file.
Wrote 0 deleted host decls to leases file.
Wrote 0 new dynamic host decls to leases file.
Wrote 1 NA, 0 TA, 0 PD leases to lease file.
Bound to *:547
Listening on Socket/6/eth0.3/fd11:2358:1321:3403::/64
Sending on Socket/6/eth0.3/fd11:2358:1321:3403::/64
Listening on Socket/6/eth0.2/fd11:2358:1321:3402::/64
Sending on Socket/6/eth0.2/fd11:2358:1321:3402::/64
Listening on Socket/6/eth0_lan/fd11:2358:1321:3401::/64
Sending on Socket/6/eth0_lan/fd11:2358:1321:3401::/64
Server starting service.
Solicit message from fe80::a169:84d:c547:5adb port 546, transaction ID 0x25AA8000
Advertise NA: address fd11:2358:1321:3401:10:c363:685c:6495 to client with duid 00:01:00:01:15:6f:15:33:08:00:27:f1:f0:f0 iaid = 336068647 valid for 604800 seconds
Sending Advertise to fe80::a169:84d:c547:5adb port 546
Request message from fe80::a169:84d:c547:5adb port 546, transaction ID 0x25AA8000
Reply NA: address fd11:2358:1321:3401:10:c363:685c:6495 to client with duid 00:01:00:01:15:6f:15:33:08:00:27:f1:f0:f0 iaid = 336068647 valid for 604800 seconds
Sending Reply to fe80::a169:84d:c547:5adb port 546
Added new forward map from VM-Win7.kantza.lan to fd11:2358:1321:3401:10:c363:685c:6495
Added reverse map from 5.9.4.6.c.5.8.6.3.6.3.c.0.1.0.0.1.0.4.3.1.2.3.1.8.5.3.2.1.1.d.f.ip6.arpa. to VM-Win7.kantza.lan
Release message from fe80::a169:84d:c547:5adb port 546, transaction ID 0x7EC9FB00
Client 00:01:00:01:15:6f:15:33:08:00:27:f1:f0:f0 releases address fd11:2358:1321:3401:10:c363:685c:6495
Sending Reply to fe80::a169:84d:c547:5adb port 546
Removed forward map from VM-Win7.kantza.lan to fd11:2358:1321:3401:10:c363:685c:6495
Removed reverse map on 5.9.4.6.c.5.8.6.3.6.3.c.0.1.0.0.1.0.4.3.1.2.3.1.8.5.3.2.1.1.d.f.ip6.arpa.
Solicit message from fe80::a169:84d:c547:5adb port 546, transaction ID 0x14EE2200
Advertise NA: address fd11:2358:1321:3401:10:c363:685c:6495 to client with duid 00:01:00:01:15:6f:15:33:08:00:27:f1:f0:f0 iaid = 336068647 valid for 604800 seconds
Sending Advertise to fe80::a169:84d:c547:5adb port 546
Request message from fe80::a169:84d:c547:5adb port 546, transaction ID 0x14EE2200
Reply NA: address fd11:2358:1321:3401:10:c363:685c:6495 to client with duid 00:01:00:01:15:6f:15:33:08:00:27:f1:f0:f0 iaid = 336068647 valid for 604800 seconds
../../../lib/isc/heap.c:217: REQUIRE(idx >= 1 && idx <= heap->last) failed, back trace
#0 0x7f8a33c74737 in ??
#1 0x7f8a33c7468a in ??
#2 0x7f8a33c7b6aa in ??
#3 0x563855dda9a2 in ??
#4 0x563855ddadc1 in ??
#5 0x563855dd5fd1 in ??
#6 0x563855dd83d5 in ??
#7 0x563855dd97ba in ??
#8 0x563855dda3cc in ??
#9 0x563855df56e2 in ??
#10 0x563855de4d13 in ??
#11 0x563855e13776 in ??
#12 0x7f8a33cab4bb in ??
#13 0x7f8a33c9adce in ??
#14 0x7f8a33c9fc90 in ??
#15 0x7f8a33ca0155 in ??
#16 0x563855de6f20 in ??
#17 0x563855d9adf9 in ??
#18 0x7f8a338c8a87 in ??
#19 0x563855d9b6ea in ??
Aborted
-------------------------------------------------------------------------------
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.15.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=el_GR.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8), LANGUAGE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages isc-dhcp-server depends on:
ii debconf [debconf-2.0] 1.5.66
ii debianutils 4.8.4
ii libc6 2.27-3
ii libdns-export1100 1:9.11.3+dfsg-1
ii libirs-export160 1:9.11.3+dfsg-1
ii libisc-export169 1:9.11.3+dfsg-1
ii lsb-base 9.20170808
Versions of packages isc-dhcp-server recommends:
ii isc-dhcp-common 4.3.5-4
pn policycoreutils <none>
Versions of packages isc-dhcp-server suggests:
pn isc-dhcp-server-ldap <none>
ii policykit-1 0.105-20
-- Configuration Files:
/etc/dhcp/dhcpd.conf changed:
authoritative;
ddns-update-style standard;
update-static-leases true;
update-conflict-detection false;
update-optimization false;
deny client-updates;
echo-client-id true;
lease-id-format hex;
include "/etc/dhcp/ddns.key";
zone kantza.lan. {
primary6 ::1;
key KEY_DDNS;
}
zone kantza-int.lan. {
primary6 ::1;
key KEY_DDNS;
}
zone 10.in-addr.arpa. {
primary6 ::1;
key KEY_DDNS;
}
zone 2.10.in-addr.arpa. {
primary6 ::1;
key KEY_DDNS;
}
max-lease-time 604800;
default-lease-time 604800;
option domain-name-servers 10.1.0.1;
option ntp-servers 10.1.0.1;
option client-arch-type code 93 = unsigned integer 16;
subnet 10.1.0.0 netmask 255.255.0.0 {
range 10.1.10.0 10.1.11.255;
ddns-domainname "kantza.lan";
option domain-name "kantza.lan";
option domain-search "kantza.lan";
option routers 10.1.0.1;
class "pxe" {
match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
switch (extract-int(option client-arch-type, 16)) {
case 0:
filename "bios/pxelinux.0";
break;
case 7:
case 9:
filename "efi64/syslinux.efi";
break;
}
}
}
subnet 10.2.0.0 netmask 255.255.0.0 {
range 10.2.10.0 10.2.11.255;
ddns-domainname "kantza-int.lan";
option domain-name "kantza-int.lan";
option domain-search "kantza-int.lan";
option routers 10.2.0.1;
}
subnet 10.3.0.0 netmask 255.255.0.0 {
range 10.3.10.0 10.3.11.255;
ddns-domainname "kantza.lan";
option domain-name "kantza.lan";
option domain-search "kantza.lan";
option routers 10.3.0.1;
}
include "/etc/dhcp/host-decls";
/etc/dhcp/dhcpd6.conf changed:
authoritative;
ddns-update-style standard;
update-static-leases true;
update-conflict-detection false;
update-optimization false;
deny client-updates;
dhcpv6-set-tee-times true;
lease-id-format hex;
include "/etc/dhcp/ddns.key";
zone kantza.lan. {
primary6 ::1;
key KEY_DDNS;
}
zone kantza-int.lan. {
primary6 ::1;
key KEY_DDNS;
}
zone 4.3.1.2.3.1.8.5.3.2.1.1.d.f.ip6.arpa. {
primary6 ::1;
key KEY_DDNS;
}
zone 2.0.4.3.1.2.3.1.8.5.3.2.1.1.d.f.ip6.arpa. {
primary6 ::1;
key KEY_DDNS;
}
max-lease-time 604800;
default-lease-time 604800;
preferred-lifetime 432000;
option dhcp6.rapid-commit;
option dhcp6.name-servers fd11:2358:1321:3401::1;
option dhcp6.sntp-servers fd11:2358:1321:3401::1;
subnet6 fd11:2358:1321:3401::/64 {
range6 fd11:2358:1321:3401:10::/80;
ddns-domainname "kantza.lan";
option dhcp6.domain-search "kantza.lan";
class "pxe" {
match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
switch (extract-int(option dhcp6.client-arch-type, 16)) {
case 0:
filename "bios/pxelinux.0";
break;
case 7:
case 9:
option dhcp6.bootfile-url "efi64/syslinux.efi";
break;
}
}
}
subnet6 fd11:2358:1321:3402::/64 {
range6 fd11:2358:1321:3402:10::/80;
ddns-domainname "kantza-int.lan";
option dhcp6.domain-search "kantza-int.lan";
}
subnet6 fd11:2358:1321:3403::/64 {
range6 fd11:2358:1321:3403:10::/80;
ddns-domainname "kantza.lan";
option dhcp6.domain-search "kantza.lan";
}
include "/etc/dhcp/host-decls";
-- debconf information:
isc-dhcp-server/config_warn:
isc-dhcp-server/interfaces: eth0_lan eth0.2 eth0.3
[dhcpd6-trace (application/octet-stream, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>
:
Bug#896122
; Package isc-dhcp-server
.
(Fri, 20 Apr 2018 14:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Giorgos Skafidas <giorgos.skafidas@gmx.com>
:
Extra info received and forwarded to list. Copy sent to Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>
.
Your message did not contain a Subject field. They are recommended and
useful because the title of a Bug is determined using this field.
Please remember to include a Subject field in your messages in future.
(Fri, 20 Apr 2018 14:33:03 GMT) (full text, mbox, link).
Message #10 received at 896122@bugs.debian.org (full text, mbox, reply):
I should probably add that dynamic DNS updates go to a BIND 9.11.3+dfsg-1
server, running on the same machine as the DHCP servers.
Marked as fixed in versions isc-dhcp/4.4.1-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sat, 11 May 2019 07:00:03 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sat, 11 May 2019 07:00:04 GMT) (full text, mbox, link).
Notification sent
to Giorgos Skafidas <giorgos.skafidas@gmx.com>
:
Bug acknowledged by developer.
(Sat, 11 May 2019 07:00:05 GMT) (full text, mbox, link).
Changed Bug title to 'isc-dhcp: CVE-2019-6470' from 'isc-dhcp-server: DHCPv6 server crashes, DHCPv4 OK'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sat, 11 May 2019 07:00:05 GMT) (full text, mbox, link).
Added tag(s) security and upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sat, 11 May 2019 07:00:06 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sat, 08 Jun 2019 07:27:04 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:09:23 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.