Multiple domains in domain-search not working after CVE-2011-0997 patch

Bug #777785 reported by Alk on 2011-05-05
This bug affects 1 person
Affects Status Importance Assigned to Milestone
isc-dhcp (Ubuntu)

Bug Description

What you expected to happen:
Add domain-search domains from /etc/dhcp/dhclient.conf to search line in /etc/resolv.conf

What happened instead:
After upgrading to natty, multiple domain search in /etc/resolv.conf stopped working.

Example entry in /etc/dhcp/dhclient.conf -> append domain-search "";

Error message in /var/log/syslog -> dhclient: suspect value in domain_search option - discarded

Repackaging isc-dhcp without the CVE-2011-0997 patch solves the domain search issue, but leaves the system with a known security vulnerability.

Version: isc-dhcp-client_4.1.1-P1-15ubuntu9
Arch: amd64

lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04

CVE References

Alk (allank-bluebottle) on 2011-05-05
description: updated
Marc Deslauriers (mdeslaur) wrote :

That's not the right way to format that option. Try this:

append domain-search "", "", "";

I'm marking this bug as invalid. Please feel free to reopen it if adding the right option doesn't work. Thanks.

Changed in isc-dhcp (Ubuntu):
status: New → Invalid
Alk (allank-bluebottle) wrote :

Tried that. Then it is only the last domain in the list that is appended.

The documentation about the format is not clear, but I have used the current format for years.

I think the issue is with the CVE-2011-0997 patch. Maybe it does not allow white space inside quotes.

Reopened the issue.

Changed in isc-dhcp (Ubuntu):
status: Invalid → New
Marc Deslauriers (mdeslaur) wrote :

append domain-search "", "", ""; is the format that works. I get the following in resolv.conf:


If I remove the security patch, and use the append line you suggest, I get the following in resolv.conf:


Which is obviously wrong.

The documentation is pretty clear: option domain-search "", "", "";

What release were you using that worked with the append line you've been using for years? What did the resolv.conf file look like?

Changed in isc-dhcp (Ubuntu):
status: New → Incomplete
Alk (allank-bluebottle) wrote :

Thanks for the link, was looking at

In maverick the dhcp client package is: dhcp3-client

After uninstalling and reinstalling the isc-dhcp packages a few times I cannot replicate the issue with the comma separated domains anymore. It now works as expected :)

Closing bug.

Changed in isc-dhcp (Ubuntu):
status: Incomplete → Invalid

I tried the setting that Marc Deslauriers suggested above, and DHCP is still not setting my search domains. I restarted NetworkManager, and even rebooted the machine. Still nothing. I made sure /etc/dhcp/dhclient.conf and /etc/dhcp3/dhclient.conf both had the same information, as I don't know which one the system will be reading. Nothing. Still broken.

I'm having the same issue. I suspect the problem is that I'm using an older version of dhcpd that does not have the "domain-search" option available. Instead, I'm using the prior notation of:

option domain-name-search code 119 = text;
option domain-name-search "";

This works for all other hosts except Natty, which presents the same error as above. For compatibility reasons, I cannot upgrade the DHCP server on that host. A Natty system should be able to handle the historic specification without errors.
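
The thread does not show what the CVE-2011-0997 patch actually checks. As an added illustration (not ISC or Ubuntu code, and not from any participant in the thread), the C sketch below shows the general kind of validation a DHCP client can apply to domain-search entries before they reach a shell script, which is the class of problem CVE-2011-0997 concerns. The validation rules and the names `name_ok` and `first_suspect` are assumptions, and the sample domains are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if s is a single DNS name (letter/digit/hyphen
 * labels joined by dots, optional trailing dot), 0 otherwise. */
static int name_ok(const char *s)
{
    size_t len = strlen(s), label = 0;   /* label = current label length */
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return 0;                /* empty label or trailing '-' */
            label = 0;
        } else if (isalnum(c) || (c == '-' && label > 0)) {
            if (++label > 63)
                return 0;                /* label too long */
        } else {
            return 0;                    /* space, ';', '$', '`', quote ... */
        }
    }
    return s[len - 1] != '-';
}

/* Index of the first entry that fails, or -1 when the whole list is clean.
 * A caller would discard the option rather than pass it to a shell script. */
static int first_suspect(const char *const names[], size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!name_ok(names[i]))
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed sample values (reserved example domains). */
    const char *const split[]  = { "example.com", "example.net", "example.org" };
    const char *const joined[] = { "example.com example.net example.org" };
    const char *const meta[]   = { "example.com", "example.net;x" };

    printf("split:  %d\n", first_suspect(split, 3));
    printf("joined: %d\n", first_suspect(joined, 1));
    printf("meta:   %d\n", first_suspect(meta, 2));
    return 0;
}
```

Under these assumed rules, a list given as separate quoted names passes, while several names packed into one quoted string fail on the embedded space, the same way a value carrying a shell metacharacter does.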
