FEDORA-2018-5051dbd15e created by landgraf 6 years ago for Fedora 27

Security fix for CVE-2018-5732 CVE-2018-5733

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2018-5051dbd15e

This update has been submitted for testing by landgraf. This critical path update has not yet been approved for pushing to the stable repository. It must first reach a karma of 2, consisting of 0 positive karma from proventesters, along with 2 additional karma from the community. Or, it must spend 14 days in testing without any negative feedback Additionally, it must pass automated tests..

6 years ago

This update has been pushed to testing.

6 years ago
User Icon filiperosset commented & provided feedback 6 years ago

no regressions noted

User Icon hreindl commented & provided feedback 6 years ago

works for me

User Icon cserpentis commented & provided feedback 6 years ago

works for me

This update has been submitted for batched by bodhi.

6 years ago

This update has been submitted for stable by landgraf.

6 years ago

This update has been pushed to stable.

6 years ago

@landgraf: was this update originally labelled as security/urgent? I see that it went through batched and spent two days there, which shouldn't have happened if it was marked as urgent.

@zbyszek "security update in Fedora 27 for dhcp". Does it answer your question?

No really. "security" is the "type", but I'm asking about the "severity" field. It is now "urgent", but was it so when the update was initially submitted?

@zbyszek, Well you've asked if the update was marked as security and the answer is "yes it was" fedpkg update template doesn't have severity field in default template nor in one suggested by security team and not everybody uses bodhi UI. I hope it answers your questions. Even more all information available at the right side of this page ( ) and it says :

Update Type security Update Severity urgent

So I don't understand why you keep asking for information you can find yourself very easily.

Just to make thing clear. I've not change neither type nor update after update was submitted.

OK, thanks. So that looks like a bug. Karma threshold is +3, and it was reached 6 days ago, according to the log above, and the package was submitted to batched. But it should have been submitted to stable automatically. For some reason that didn't happen, until you did that three days later.

@zbyszek, I've seen discussion in f-devel@ Right, I was wondering as well but didn't have time to investigate/report this taking into account two more CVEs in mailman. Is it possible that Critpath flag affects it somehow?

@zbyszek The answer about the Severity field: It was not set when the update was filed, I have updated this to Urgent after looking at the security teams' assessment of the attached security bugs to make sure it went out.

Please login to add feedback.

Content Type
Test Gating
Unstable by Karma
Stable by Karma
Stable by Time
6 years ago
in testing
6 years ago
in stable
6 years ago
BZ#1549960 CVE-2018-5732 dhcp: Buffer overflow in dhclient possibly allowing code execution triggered by malicious server
BZ#1549961 CVE-2018-5733 dhcp: Reference count overflow in dhcpd allows denial of service
BZ#1550246 CVE-2018-5732 CVE-2018-5733 dhcp: various flaws [fedora-all]

Automated Test Results