Debian Package Tracker
Register | Log in
Subscribe

dhcpcd

DHCPv4 and DHCPv6 dual-stack client (init.d script & systemd unit)

Choose email to subscribe with

general
  • source: dhcpcd (main)
  • version: 1:10.3.2-4
  • maintainer: Martin-Éric Racine (DMD) (DM)
  • arch: all any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • old-bpo: 1:10.1.0-11~bpo12+3
  • stable: 1:10.1.0-11+deb13u2
  • stable-bpo: 1:10.3.2-4~bpo13+1
  • stable-p-u: 1:10.1.0-11+deb13u3
  • testing: 1:10.3.2-4
  • unstable: 1:10.3.2-4
versioned links
  • 1:10.1.0-11~bpo12+3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:10.1.0-11+deb13u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:10.1.0-11+deb13u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:10.3.2-3~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:10.3.2-4~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:10.3.2-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • dhcpcd (1 bugs: 0, 1, 0, 0)
  • dhcpcd-base (4 bugs: 0, 3, 1, 0)
  • dhcpcd5
action needed
1 new commit since last upload, is it time to release? normal
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit 7241a2167a3f793fde289445c34675ab348c1f38
Author: Martin-Éric Racine <martin-eric.racine@iki.fi>
Date:   Thu Jul 2 12:17:12 2026 +0300

    Build-Depends: on generic time-daemon [hurd-any] instead of openntpd.
Created: 2026-07-02 Last update: 2026-07-02 11:32
1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:
  • CVE-2026-14258: (needs triaging) A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser to enter a non-advancing loop. Successful exploitation may result in excessive CPU consumption, leading to a denial of service.

You can find information about how to handle this issue in the security team's documentation.

5 issues that should be fixed with the next stable update:
  • CVE-2025-70102: A NULL pointer dereference occurs in Roy Marples NetworkConfiguration/dhcpcd 10.3.0 while parsing configuration options. In parse_option() (src/if-options.c:1886), the code performs a member access on a NULL pointer of type 'struct dhcp_opt' when an unexpected/invalid option token or parsing state causes the lookup to yield NULL. The instrumented fuzzing build reports 'runtime error: member access within null pointer of type struct dhcp_opt' and aborts.
  • CVE-2026-56113: dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a heap use-after-free vulnerability that allows unauthenticated same-link attackers to crash the daemon by sending a crafted DHCPv6 RENEW reply with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid lifetimes set to zero. Attackers acting as or impersonating a DHCPv6 server can trigger dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still holds the freed pointer, causing a use-after-free when TAILQ_REMOVE is reached.
  • CVE-2026-56114: dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory.
  • CVE-2026-56116: dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a memory leak vulnerability in the IPv6 Router Advertisement route information handling that allows an unauthenticated same-link attacker to cause denial of service by sending crafted Router Advertisements. Attackers can repeatedly send Router Advertisements containing Route Information options with a lifetime of zero, triggering unfreed allocations in routeinfo_findalloc() that cause linear memory exhaustion and eventual daemon crash.
  • CVE-2026-56117: dhcpcd through 10.3.2, fixed in commit 78ea09e, contains a heap use-after-free vulnerability in the control socket handling within src/control.c that allows local unprivileged attackers to trigger memory corruption when privilege separation is disabled. Attackers can connect to the control socket and send a privileged command such as -x, causing control_recvdata() to free the client object while the same READ+HANGUP event subsequently reaches control_hangup() with the stale pointer, resulting in a use-after-free condition exploitable in deployments using --disable-privsep or where privsep initialization has failed with the control socket operating in mode 0666.
Created: 2026-07-02 Last update: 2026-07-02 21:30
debian/patches: 4 patches to forward upstream low

Among the 5 debian patches available in version 1:10.3.2-4 of the package, we noticed the following issues:

  • 4 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2026-06-27 Last update: 2026-06-27 06:30
testing migrations
  • This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
news
[rss feed]
  • [2026-07-02] Accepted dhcpcd 1:10.3.2-4~bpo13+1 (source) into stable-backports (Martin-Éric Racine)
  • [2026-07-02] dhcpcd 1:10.3.2-4 MIGRATED to testing (Debian testing watch)
  • [2026-06-30] Accepted dhcpcd 1:10.1.0-11+deb13u3 (source) into proposed-updates (Debian FTP Masters) (signed by: Martin-Éric Racine)
  • [2026-06-26] Accepted dhcpcd 1:10.3.2-4 (source) into unstable (Martin-Éric Racine)
  • [2026-05-07] Accepted dhcpcd 1:10.3.2-3~bpo13+1 (source) into stable-backports (Martin-Éric Racine)
  • [2026-05-07] dhcpcd 1:10.3.2-3 MIGRATED to testing (Debian testing watch)
  • [2026-05-02] Accepted dhcpcd 1:10.3.2-3 (source) into unstable (Martin-Éric Racine)
  • [2026-05-01] Accepted dhcpcd 1:10.3.2-2 (source) into unstable (Martin-Éric Racine)
  • [2026-04-30] Accepted dhcpcd 1:10.3.1-5~bpo13+1 (source) into stable-backports (Martin-Éric Racine)
  • [2026-04-30] Accepted dhcpcd 1:10.3.2-1 (source) into unstable (Martin-Éric Racine)
  • [2026-04-28] dhcpcd 1:10.3.1-5 MIGRATED to testing (Debian testing watch)
  • [2026-04-23] Accepted dhcpcd 1:10.3.1-5 (source) into unstable (Martin-Éric Racine)
  • [2026-04-23] dhcpcd 1:10.3.1-4 MIGRATED to testing (Debian testing watch)
  • [2026-04-18] Accepted dhcpcd 1:10.3.1-4 (source) into unstable (Martin-Éric Racine)
  • [2026-04-18] Accepted dhcpcd 1:10.3.1-3 (source) into unstable (Martin-Éric Racine)
  • [2026-04-16] dhcpcd 1:10.3.1-2 MIGRATED to testing (Debian testing watch)
  • [2026-04-11] Accepted dhcpcd 1:10.3.1-2 (source) into unstable (Martin-Éric Racine)
  • [2026-03-21] Accepted dhcpcd 1:10.3.1-1~bpo13+1 (source) into stable-backports (Martin-Éric Racine)
  • [2026-03-21] dhcpcd 1:10.3.1-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-16] Accepted dhcpcd 1:10.3.1-1 (source) into unstable (Martin-Éric Racine)
  • [2026-01-13] dhcpcd 1:10.3.0-7 MIGRATED to testing (Debian testing watch)
  • [2026-01-12] Accepted dhcpcd 1:10.3.0-7~bpo13+1 (source) into stable-backports (Martin-Éric Racine)
  • [2026-01-06] Accepted dhcpcd 1:10.3.0-7 (source) into unstable (Martin-Éric Racine)
  • [2026-01-04] Accepted dhcpcd 1:10.3.0-6 (source) into unstable (Martin-Éric Racine)
  • [2026-01-03] Accepted dhcpcd 1:10.3.0-5 (source) into unstable (Martin-Éric Racine)
  • [2026-01-03] Accepted dhcpcd 1:10.3.0-4 (source) into unstable (Martin-Éric Racine)
  • [2025-12-30] dhcpcd 1:10.3.0-3 MIGRATED to testing (Debian testing watch)
  • [2025-12-29] Accepted dhcpcd 1:10.3.0-3~bpo13+1 (source) into stable-backports (Martin-Éric Racine)
  • [2025-12-26] Accepted dhcpcd 1:10.1.0-11~bpo12+3 (source) into oldstable-backports (Martin-Éric Racine)
  • [2025-12-26] Accepted dhcpcd 1:10.1.0-11+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Martin-Éric Racine)
  • 1
  • 2
bugs [bug history graph]
  • all: 5
  • RC: 0
  • I&N: 4
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 1:10.3.2-3

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing