CentOS Project: CESA-2009:1154

dhclient, dhcp security update

Published: 2009-07-15 19:59:01 (CentOS Project, lists.centos.org)

Severity: 10 High (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.076 (Low), percentile 94.1%

CentOS Errata and Security Advisory CESA-2009:1154

The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows
individual devices on an IP network to get their own network configuration
information, including an IP address, a subnet mask, and a broadcast
address.

The Mandriva Linux Engineering Team discovered a stack-based buffer
overflow flaw in the ISC DHCP client. If the DHCP client were to receive a
malicious DHCP response, it could crash or execute arbitrary code with the
permissions of the client (root). (CVE-2009-0692)

An insecure temporary file use flaw was discovered in the DHCP daemon’s
init script (“/etc/init.d/dhcpd”). A local attacker could use this flaw to
overwrite an arbitrary file with the output of the “dhcpd -t” command via
a symbolic link attack, if a system administrator executed the DHCP init
script with the “configtest”, “restart”, or “reload” option.
(CVE-2009-1893)
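The init-script flaw above is the classic predictable-temporary-file pattern. The following is an added illustration written for this page, not the CentOS /etc/init.d/dhcpd script or the vendor's patch: it contrasts the weak pattern (as a comment) with a hardened way to capture a config-test command's output, using mktemp(1) so that no pre-existing path under a world-writable directory can be followed. It assumes a POSIX sh with mktemp(1) available, and the command passed as "$1" is a stand-in for the real "dhcpd -t".

```shell
#!/bin/sh
# Added example (not the CentOS /etc/init.d/dhcpd script): capture the output
# of a configuration-test command without the predictable-temporary-file
# pattern described in CVE-2009-1893. Assumptions: POSIX sh with mktemp(1);
# "$1" is a stand-in for the real "dhcpd -t".

# Weak pattern (illustration only, not for use):
#     dhcpd -t > /tmp/dhcpd.configtest 2>&1
# A fixed name under a world-writable directory may already exist as a
# symbolic link created by any local user; the shell redirection follows
# the link and writes the command output over whatever it points at.

# Hardened form: mktemp(1) creates the file atomically with a random name
# and mode 0600, so there is no pre-existing path for a link to occupy.
safe_configtest() {
    cmd=$1
    tmp=$(mktemp) || return 2
    # Defence in depth: never write through a symlink or a non-regular file.
    if [ -L "$tmp" ] || [ ! -f "$tmp" ]; then
        rm -f "$tmp"
        return 2
    fi
    sh -c "$cmd" > "$tmp" 2>&1
    rc=$?
    cat "$tmp"          # hand the captured output to the caller
    rm -f "$tmp"
    return "$rc"
}

# is_safe_output_path PATH: the minimum check before writing to any fixed
# location; fails (status 1) when PATH is a symbolic link. Note this is a
# check-then-use race if the directory is world-writable, which is why the
# private temporary file above is the real fix, not this test alone.
is_safe_output_path() {
    [ ! -L "$1" ]
}

# Usage with constructed input: a harmless stand-in for "dhcpd -t".
safe_configtest 'echo "Configuration file OK"'
```

The administrator-facing behaviour is unchanged (the test output is still shown and the command's exit status is still returned), but the file the output passes through is one the unprivileged local user could not have pre-created.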

Users of DHCP should upgrade to these updated packages, which contain
backported patches to correct these issues.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2009-July/078196.html
https://lists.centos.org/pipermail/centos-announce/2009-July/078197.html

Affected packages:
dhclient
dhcp
dhcp-devel

Upstream details at:
https://access.redhat.com/errata/RHSA-2009:1154
