The remote FreeBSD host is missing a security-related update.
Nico Golde reports : heap overflow via malformed dhcp responses later in print_option (via dhcp_envoption1) due to incorrect option length values. Exploitation is non-trivial, but I'd love to be proven wrong. invalid read/crash via malformed dhcp responses. not exploitable beyond DoS as far as I can judge.