Updated: February 05, 2003
Not Affected
Mac OS X and Mac OS X Server do not contain the vulnerability described in this report.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: February 13, 2003
Not Affected
Cisco Systems products are not affected by this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: April 07, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000616.
Updated: February 04, 2003
Affected
See http://www.debian.org/security/2003/dsa-245.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: February 04, 2003 Updated: February 05, 2003
Not Affected
Source: Hewlett-Packard Company Software Security Response Team

HP-UX - not vulnerable
HP-MPE/ix - not vulnerable
HP Tru64 UNIX - not vulnerable
HP OpenVMS - not vulnerable
HP NonStop Servers - not vulnerable

To report potential security vulnerabilities in HP software, send an E-mail message to: mailto:security-alert@hp.com
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: February 04, 2003 Updated: February 05, 2003
Not Affected
Ingrian platforms are not susceptible to VU149953.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: February 04, 2003 Updated: February 05, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: February 05, 2003
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Lotus does not distribute a dhcrelay server.
Updated: February 04, 2003
Not Affected
NetApp products are not affected by this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: February 26, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.012                                          19-Feb-2003

Package:             dhcpd
Vulnerability:       denial of service (packet storm)
OpenPKG Specific:    no

Affected Releases:   Affected Packages:            Corrected Packages:
OpenPKG CURRENT      <= dhcpd-3.0.1rc11-20030116   >= dhcpd-3.0.1rc11-20030219
OpenPKG 1.2          <= dhcpd-3.0.1rc11-1.2.0      >= dhcpd-3.0.1rc11-1.2.1
OpenPKG 1.1          <= dhcpd-3.0.1rc9-1.1.1       >= dhcpd-3.0.1rc9-1.1.2

Affected Releases:   Dependent Packages: none

Description:
  Florian Lohoff discovered a bug [0] in dhcrelay which is part of the
  ISC DHCP Distribution [1]. The bug is causing the relay agent to
  send a continuing packet storm towards the configured DHCP server(s)
  in case of a malicious BOOTP packet. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2003-0039 [2] to the
  problem.

  Our update does not ultimately fix the root cause of the problem.
  However, it improves dhcrelay's compliance to RFC1542 [10] by
  rigorously supporting the requirements listed in section "4.1.1
  BOOTREQUEST Messages" and thus limiting havoc wreaked to the network:

  "The relay agent MUST silently discard BOOTREQUEST messages whose
  'hops' field exceeds the value 16. A configuration option SHOULD be
  provided to set this threshold to a smaller value if desired by the
  network manager. The default setting for a configurable threshold
  SHOULD be 4."

  The added configuration option is named "-c". Its default value is 4
  and the allowed range of the value is between 0 and 16.

  Please check whether you are affected by running "
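The hop-count rule quoted from RFC 1542 section 4.1.1 in the statement above, as an added C example (not code from ISC dhcrelay or OpenPKG). All function, macro and enum names are hypothetical, the giaddr handling follows the same RFC section, and the request and interface address in main() are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOOTREQUEST      1
#define BOOTP_HDR_LEN    236  /* fixed BOOTP fields before the vend/options area */
#define OFF_OP           0
#define OFF_HOPS         3
#define OFF_GIADDR       24
#define HOPS_HARD_LIMIT  16   /* RFC 1542 4.1.1: MUST discard above this */
#define HOPS_DEFAULT     4    /* RFC 1542 4.1.1: SHOULD be the default */

enum relay_verdict { RELAY_FORWARD, RELAY_DROP_INVALID, RELAY_DROP_HOPS };

/* Validate an operator-supplied threshold (range 0..16); -1 if rejected. */
int set_hop_threshold(int requested, uint8_t *threshold)
{
    if (requested < 0 || requested > HOPS_HARD_LIMIT)
        return -1;
    *threshold = (uint8_t)requested;
    return 0;
}

/* Decide whether to relay a BOOTREQUEST and, if so, update it in place.
 * if_addr: receiving interface's IPv4 address, network byte order. */
enum relay_verdict relay_bootrequest(uint8_t *pkt, size_t len,
                                     uint8_t threshold, const uint8_t if_addr[4])
{
    static const uint8_t zero[4] = {0, 0, 0, 0};
    if (threshold > HOPS_HARD_LIMIT)          /* never trust the caller's cap */
        threshold = HOPS_HARD_LIMIT;
    if (len < BOOTP_HDR_LEN || pkt[OFF_OP] != BOOTREQUEST)
        return RELAY_DROP_INVALID;
    if (pkt[OFF_HOPS] > threshold)            /* silent discard, packet untouched */
        return RELAY_DROP_HOPS;
    pkt[OFF_HOPS]++;                          /* hops grows by one per relay */
    if (memcmp(pkt + OFF_GIADDR, zero, 4) == 0)
        memcpy(pkt + OFF_GIADDR, if_addr, 4); /* only the first relay sets giaddr */
    return RELAY_FORWARD;
}

int main(void)
{
    uint8_t pkt[BOOTP_HDR_LEN] = { [OFF_OP] = BOOTREQUEST }; /* constructed */
    const uint8_t ifa[4] = {192, 0, 2, 1};                   /* constructed */
    int n = 0;  /* feed the same request back in, as a forwarding loop would */
    while (relay_bootrequest(pkt, sizeof pkt, HOPS_DEFAULT, ifa) == RELAY_FORWARD) n++;
    printf("relayed %d times, dropped at hops=%u\n", n, (unsigned)pkt[OFF_HOPS]);
    return 0;
}
```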
Updated: April 01, 2003
Affected
Red Hat Linux 8.0 shipped with a dhcp package vulnerable to these issues. Updated dhcp packages are now available along with our advisory at the URL below. Other distributions of Red Hat Linux and Red Hat Enterprise Linux are not vulnerable to this issue. Users of the Red Hat Network can update their systems using the 'up2date' tool. Red Hat Linux: http://rhn.redhat.com/errata/RHSA-2003-034.html
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: May 30, 2003
Not Affected
A response to this advisory is available from our web site: http://www.xerox.com/security
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.