Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 28 Aug 2019 23:46:31 -0800
From: Michael McNally <>
Subject: Three vulnerabilities in Kea DHCP disclosed by ISC, 28 August 2019

Earlier today (28 Aug 2019) ISC disclosed three vulnerabilities in our
Kea DHCP software.

   CVE-2019-6472 affects the Kea DHCPv6 server, which can exit
   with an assertion failure if the DHCPv6 server process receives
   a request containing DUID value which is too large.

   CVE-2019-6473 affects the Kea DHCPv4 server, which can exit with
   an assertion failure if it receives a packed containing a malformed
   option.  (

   CVE-2019-6474 can cause a condition where the server cannot be
   restarted without manual operator intervention to correct a problem
   that can be deliberately introduced into the stored leases.
   CVE-2019-6474 can only affect servers which are using memfile
   for lease storage.  (

To correct these vulnerabilities new releases of Kea were issued:

   -  Kea 1.6.0
   -  Kea 1.5.0-P1
   -  Kea 1.4.0-P2

any of which can be downloaded via the ISC downloads page,

If you are a distributor of packages based on ISC's Kea DHCP
software, you may consider the issue publicly disclosed and proceed
with your own packages.


Michael McNally
ISC Security Officer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.