[Bug 616809] Re: ifupdown: dhcp behaviour does not comply with RFC 3442

Tue Jul 3 14:35:17 UTC 2012

This bug was fixed in the package isc-dhcp - 4.2.4-1ubuntu1

---------------
isc-dhcp (4.2.4-1ubuntu1) quantal; urgency=low

  * Merge from Debian. Remaining changes:
    (LP: #768171, LP: #841182, LP: #881558, LP: #872929, LP: #616809)
    - Use upstart jobs for isc-dhcp-server and isc-dhcp-relay.
    - Add IPv6 support to udeb dhclient-script (forwarded as Debian #635897).
    - Add an apport hook to isc-dhcp-client and isc-dhcp-server.
    - Add an apparmor profile to isc-dhcp-client and isc-dhcp-server.
    - Update default dhclient.conf to ask for IPv6 configuration.
    - Patches:
      + dhclient-fix-backoff
      + dhclient-more-debug
      + dhclient-onetry-call-clientscript
      + dhclient-safer-timeout
      + dhcpd.conf-subnet-examples
      + multi-ip-addr-per-if
      + onetry_retry_after_initial_success
      + revert-next-server
  * Set fqdn.fqdn to the result of gethostname(); (LP: #991360)
  * Replace old droppriv and deroot patches by use of --enable-paranoia
    and matching -user and -group parameters to dhcpd. (LP: #727837)
  * Allow read access to /etc/dhcp/ddns-keys/* for ddns. (LP: #341817)
    It's expected that people generate one key per zone and have it stored
    in both /etc/bind9 and /etc/dhcp/ddns-keys/ for security reason.
  * Fix apport hook to work with python3.

isc-dhcp (4.2.4-1) unstable; urgency=low

  * New upstream release
  * debian/control: reformatted Uploaders so that dch doesn't think I'm making
    NMUs
  * debian/rules: do a clean between the LDAP-enabled build and the
    non-LDAP-enabled one, so that no LDAP-related artefacts are accidently
    incorporated into the non-LDAP build
  * debian/dhclient-script.*: conditionalise the chown/chmod of the new
    resolv.conf on the existence of the old one (closes: #595400)
  * debian/dhclient-script.linux: comply with RFC 3442 and ignore
    the routers option if the rfc3442-classless-static-routes option is present
    (closes: #592735)
  * debian/dhclient-script.kfreebsd: fix subnet mask handling (closes: #677985)

isc-dhcp (4.2.2.dfsg.1-5) unstable; urgency=medium

  [ Andrew Pollock ]
  * debian/dhclient.conf: send the hostname (closes: #151820)

  [ Michael Gilbert ]
  * Fix cve-2011-4868: error in DDNS handling with IPv6 (closes: #655746)
  * Fix cve-2011-4539: error in regular expression handling
    (closes: #652259)
  * Make dependencies diff-able
  * Add myself to uploaders
  * Remove all automatically generated files in clean rule
  * Medium urgency for security updates

isc-dhcp (4.2.2.dfsg.1-4) unstable; urgency=low

  * The "Zoe woke up at 4am and I couldn't get back to sleep so I had some
    extra time to work on this" release
  * patch the Makefile for the embedded BIND libraries so that autoconf is run
    so that the modification to configure.in to fix the FTBFS on kFreeBSD
    actually does something useful (closes: #643569)

isc-dhcp (4.2.2.dfsg.1-3) unstable; urgency=low

  * debian/control: remove transitional packages
  * debian/rules: apply the intent of Pierre Chifflier's patch to enable
    hardening options (closes: #644413)
  * debian/control: also add inetutils-ping to the dependencies for
    isc-dhcp-client on hurd (closes: #648140)
  * Convert to 3.0 (quilt) source format:
    - debian/control: remove build-dep on dpatch
    - debian/rules: stop including dpatch.make
    - debian/rules: remove dpatch-related target dependencies
    - convert patches from dpatch to pure quilt
    - remove debian/README.source
  * debian/rules: cleaned up the target names a bit to reflect the lack of
    patching going on now
  * repack bind.tar.gz in upstream source tarball to patch configure.in for
    FTBFS on kFreeBSD and remove RFCs (closes: #643569, #645760)
  * debian/watch: add dversionmangle to deal with dfsg upstream tarball
  * Updated Dutch debconf template translation (closes: #651396)
  * Added Polish debconf template translation (closes: #659372)
  * Updated Brazilian Portugeuse debconf template translation (closes: #663494)
  * debian/control: bumped Standards-Version (no changes)

isc-dhcp (4.2.2-2) unstable; urgency=low

  * debian/rules: use dpkg-buildflags to set CFLAGS, and export CFLAGS (closes:
    #643470)
  * debian/dhclient.conf: revert hostname setting behaviour to something
    equivalent to what upstream ships to avoid surprising people with unwanted
    hostname changes when changing networks (closes: #648676)
  * debian/dhclient-script.kfreebsd: apply patch from Robert Millan to resync
    dhclient-script with FreeBSD version (closes: #645502)
  * debian/control: add inetutils-ping to the dependencies for isc-dhcp-client
    on kfreebsd (closes: #648140)
  * Updated German debconf template translation (closes: #641843)
  * added harding-wrapper to build dependencies and invoke it in debian/rules
    (closes: #611192)

isc-dhcp (4.2.2-1) unstable; urgency=low

  * New upstream release, includes security fixes for CVE-2011-2748 and
    CVE-2011-2749 (closes: #638404)
  * Remove obsolete patches, refit remaining patches
  * Remove LDAP patch, it's finally upstream now (yay!)
  * debian/rules: adjust double build for the non-existence of the LDAP patch
  * debian/isc-dhcp-server-ldap.docs: update for new location of documentation
  * debian/rules: added build-arch and build-indep targets
  * debian/rules: applied patch from Kees Cook to call dh_link (closes: #614992)
  * debian/dhclient-script.linux: applied patch from Colin Watson to make
    dhclient-script support stateless DHCPv6 (closes: #632888)
  * debian/dhclient-script.linux: fix regression for MTU <= 576 handling
    (closes: #638267)
  * Apply patch from Peter Marschall to split the rfc3442-classless-routes hook
    into a Linux and a kFreeBSD variant, so that the Linux one can use iproute
    (closes: #630519)
  * debian/isc-dhcp-server.postinst: apply patch from Peter Marschall to
    document new variables in /etc/default/isc-dhcp-server
  * debian/isc-dhcp-server.init.d: apply patch from Peter Marschall to
    - make the name of the default file configurable
    - make the name of the server configuration file configurable (closes:
      #590158, #565650)
    - allow passing additional options to dhcpd (closes: #613734)
    - read PID from config file
  * Add Catalan debconf template translation (closes: #628372)
  * debian/isc-dhcp-client,dhcp3-client}.links: apply patch from Peter
    Marschall to move old compatibility links to the old compatibility package
    (closes: #614992)
  * debian/isc-dhcp-server.postinst: apply patch from Peter Marschall to fix
    comment in /etc/default/isc-dhcp-server (closes: #616417)
  * debian/control: apply patch from Peter Marschall to add a Provides:
    dhcp-client to isc-dhcp-client (closes: #236001)
  * debian/dhclient-script.{linux,kfreebsd}: apply patch from Peter Marschall
    to fix metric calculation (closes: #629632)
  * debian/dhclient-script.linux: apply patches from Peter Marschall to support
    IPv6 link-local resolvers
  * debian/dhclient-script.{linux,kfreebsd}: applied patch from Peter Marschall
    to factor out the hostname setting to a separate function
  * debian/dhclient-script.{linux,kfreebsd}: applied patch from Peter Marschall
    to harmonize the logic for setting the hostname (closes: #246155)
  * apply patch from Peter Marschall to use one common script for the debug
    hooks
  * debian/rfc3442-classless-routes.{linux,kfreebsd}: applied patch from Peter
    Marschall to take care of link-local routes (closes: #521024)
  * debian/dhclient-script.*: apply patch from Peter Marschall to use alternate
    value expansion
  * debian/isc-dhcp-server.postinst: eliminate an error message from sed if no
    interfaces are provided
 -- Stephane Graber <stgraber at ubuntu.com>   Tue, 03 Jul 2012 09:54:00 -0400

** Changed in: isc-dhcp (Ubuntu)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-2748

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-2749

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/616809

Title:
  ifupdown: dhcp behaviour does not comply with RFC 3442

Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “isc-dhcp” package in Debian:
  Fix Released

Bug description:
  Binary package hint: ifupdown

  Situation: the client is configured *not* to use network-manager, but instead eth0 is added to the "auto" line in /etc/network/interfaces. The dhcp-server has configured several options including:
  * option 3 (Router)
  * option 121 (Classless Static Routes)

  According to RFC 3442, clients that receive and support option 121
  MUST ignore option 3 if present.

  Problem: the routes from *both* option 121 and option 3 are added to
  the kernel routing table, the client ends up with 2 default gateways.

  Additional info:
  * Tested with dhcp server on Windows 2008 R2
  * Windows clients are found to contain the same bug.
  * Debian GNU/Linux 5.0.5 (Lenny) is found to contain the same bug. This bug is probably present in multiple versions of Debian and derived distributions.
  * When using network-manager, option 3 is used and option 121 is not (correct behaviour according to RFC 3442)
  * Using dhcpcd instead of dhclient (dhcp3-client), option 121 is used and option 3 is ignored, like it should.

  -- System information:
  Ubuntu 10.04.1 LTS
  Kernel: Linux 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010 i686 GNU/Linux

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/616809/+subscriptions