Dhclient versions 3.0.x to 4.2.x are affected. The ISC has released an update. Alternatively, users can deactivate host name evaluation or add an additional line to dhclient-script. Instructions for doing so can be found in the ISC's advisory.
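As an added illustration of the kind of check a client-side script can apply to a DHCP-supplied host name before using it (this is not the line from the ISC advisory, and not ISC code): the function names are hypothetical, the sample names in the comments are constructed, and the example assumes the risk is characters outside the DNS host-name alphabet reaching the script.

```shell
#!/bin/sh
# Added example, not ISC's fix: validate a DHCP-supplied host name.
# Byte-wise character classes, so [A-Za-z] means ASCII letters only.
LC_ALL=C; export LC_ALL

# is_safe_hostname NAME
# Returns 0 if NAME uses only letters, digits, '-' and '.', has no
# empty label, no label starting or ending with '-', and respects the
# DNS length limits (63 per label, 253 overall). Returns 1 otherwise.
is_safe_hostname() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1
    # Reject anything outside the host-name alphabet
    # (constructed samples: "host;x", "host name").
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # Reject leading dot, trailing dot and empty labels ("a..b").
    case $name in
        .*|*.|*..*) return 1 ;;
    esac
    # Split on dots; safe to leave unquoted because only
    # [A-Za-z0-9.-] can be present at this point.
    old_ifs=$IFS
    IFS=.
    set -- $name
    IFS=$old_ifs
    for label in "$@"; do
        [ "${#label}" -le 63 ] || return 1
        case $label in
            -*|*-) return 1 ;;
        esac
    done
    return 0
}

# pick_hostname NAME FALLBACK
# Prints NAME if it passes the check, otherwise FALLBACK.
pick_hostname() {
    if is_safe_hostname "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}
```

In dhclient-script the server-supplied value arrives in the `new_host_name` environment variable, so a call would look like `pick_hostname "$new_host_name" localhost`.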
Alongside dhclient-script, X.Org's 'X server resource database utility' (xrdb) is affected, as it also evaluates host names transferred via DHCP. Crafted host names can also prove the undoing of X.Org servers where the X Display Manager Control Protocol (XDMCP) is used. Updating to xrdb 1.0.9 fixes the vulnerabilities. Some Linux distributors are already distributing new packages.
Source for DHCP is available to download (direct download), under the terms of the ISC License, a BSD-style licence.