[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 28 Aug 2019 23:46:31 -0800
From: Michael McNally <mcnally@....org>
To: oss-security@...ts.openwall.com
Subject: Three vulnerabilities in Kea DHCP disclosed by ISC, 28 August 2019
Earlier today (28 Aug 2019) ISC disclosed three vulnerabilities in our
Kea DHCP software.
CVE-2019-6472 affects the Kea DHCPv6 server, which can exit
with an assertion failure if the DHCPv6 server process receives
a request containing DUID value which is too large.
(https://kb.isc.org/docs/cve-2019-6474)
CVE-2019-6473 affects the Kea DHCPv4 server, which can exit with
an assertion failure if it receives a packed containing a malformed
option. (https://kb.isc.org/docs/cve-2019-6473)
CVE-2019-6474 can cause a condition where the server cannot be
restarted without manual operator intervention to correct a problem
that can be deliberately introduced into the stored leases.
CVE-2019-6474 can only affect servers which are using memfile
for lease storage. (https://kb.isc.org/docs/cve-2019-6474)
To correct these vulnerabilities new releases of Kea were issued:
- Kea 1.6.0
- Kea 1.5.0-P1
- Kea 1.4.0-P2
any of which can be downloaded via the ISC downloads page,
https://www.isc.org/downloads.
If you are a distributor of packages based on ISC's Kea DHCP
software, you may consider the issue publicly disclosed and proceed
with your own packages.
Sincerely,
Michael McNally
ISC Security Officer
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
