Arch Linux Security Advisory ASA-201601-7
=========================================

Severity: Medium
Date    : 2016-01-11
CVE-ID  : CVE-2016-1503 CVE-2016-1504
Package : dhcpcd
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package dhcpcd before version 6.10.0-1 is vulnerable to denial of service.

Resolution
==========

Upgrade to 6.10.0-1.

# pacman -Syu "dhcpcd>=6.10.0-1"

The problem has been fixed upstream in version 6.10.0.

Workaround
==========

None.

Description
===========

- CVE-2016-1503 (denial of service)

A malformed DHCP response carrying incorrect option length values can lead to a heap overflow later in print_option (reached via dhcp_envoption1).

- CVE-2016-1504 (denial of service)

A malformed DHCP response can lead to an invalid read and a crash, resulting in denial of service.

Impact
======

A remote attacker able to send specially crafted packets can crash the application, resulting in denial of service.

References
==========

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1503
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1504
http://article.gmane.org/gmane.comp.security.oss.general/18516
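Both issues in the Description come from the same failure class: an option length byte read out of the packet and acted on before it is compared with the bytes that actually remain, after which the bad length reaches a routine that renders the option. The following C is an added illustration, not dhcpcd's code: it walks a DHCP options field (RFC 2132 code/length/data layout) with that check in place, rejects a packet whose length byte overruns the buffer, and renders an option into a fixed-size buffer without letting the length dictate how much is written. The sample option bytes are constructed for the example, and the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHO_PAD 0
#define DHO_END 255

struct dhcp_opt {
    uint8_t code;
    uint8_t len;
    const uint8_t *data;   /* points into the caller's packet buffer */
};

/* Walk the options field.  Each length byte is checked against the bytes
 * remaining before it is used to advance or to describe data; a length
 * that runs past the end of buf marks the packet malformed (-1).  A
 * field that ends without an END marker is also rejected (a design
 * choice for this example; lenient parsers accept it).  On success
 * returns the number of options stored in out (at most max). */
int dhcp_walk_options(const uint8_t *buf, size_t buflen,
                      struct dhcp_opt *out, size_t max)
{
    size_t i = 0, n = 0;

    while (i < buflen) {
        uint8_t code = buf[i++];
        if (code == DHO_PAD)
            continue;
        if (code == DHO_END)
            return (int)n;
        if (i >= buflen)            /* code present, length byte missing */
            return -1;
        uint8_t len = buf[i++];
        if (len > buflen - i)       /* length claims more than is left */
            return -1;
        if (n < max) {
            out[n].code = code;
            out[n].len = len;
            out[n].data = buf + i;
            n++;
        }
        i += len;
    }
    return -1;
}

/* Render an option's data as hex into a caller-owned buffer.  The
 * required size is derived from the already-validated length and the
 * buffer is never exceeded: returns characters written, or -1 if the
 * option does not fit, in which case nothing usable is produced. */
int dhcp_format_hex(const struct dhcp_opt *o, char *out, size_t outlen)
{
    if (outlen < (size_t)o->len * 2 + 1)
        return -1;
    for (size_t k = 0; k < o->len; k++)
        snprintf(out + 2 * k, 3, "%02x", o->data[k]);
    out[2 * o->len] = '\0';
    return 2 * o->len;
}

/* Constructed sample: message type (53) = DHCPOFFER (2),
 * subnet mask (1) = 255.255.255.0, END. */
static const uint8_t GOOD_OPTS[] = {
    53, 1, 2,
    1, 4, 255, 255, 255, 0,
    DHO_END
};

/* Constructed malformed sample: host name option (12) claims 200 bytes
 * of data while only 3 follow.  A parser that trusts the length byte
 * reads (or copies) far past the end of this buffer. */
static const uint8_t BAD_OPTS[] = {
    53, 1, 2,
    12, 200, 'a', 'b', 'c'
};

int demo_good_count(void)
{
    struct dhcp_opt o[8];
    return dhcp_walk_options(GOOD_OPTS, sizeof GOOD_OPTS, o, 8);
}

int demo_bad_count(void)
{
    struct dhcp_opt o[8];
    return dhcp_walk_options(BAD_OPTS, sizeof BAD_OPTS, o, 8);
}

/* Format the subnet mask option from the good sample; -1 if out is too small. */
int demo_mask_hex(char *out, size_t outlen)
{
    struct dhcp_opt o[8];
    if (dhcp_walk_options(GOOD_OPTS, sizeof GOOD_OPTS, o, 8) != 2)
        return -1;
    return dhcp_format_hex(&o[1], out, outlen);
}

int main(void)
{
    char hex[16];
    printf("good sample: %d options\n", demo_good_count());
    printf("bad sample:  %d (rejected)\n", demo_bad_count());
    if (demo_mask_hex(hex, sizeof hex) > 0)
        printf("subnet mask option as hex: %s\n", hex);
    return 0;
}
```

The check that matters is `len > buflen - i`, performed before the length is used for anything; the render step then sizes its output from that validated value and refuses, rather than truncates, when the destination is too small, so a caller cannot mistake a partial result for a complete one.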