Date: Wed, 28 Aug 2019 23:46:31 -0800 From: Michael McNally <mcnally@....org> To: oss-security@...ts.openwall.com Subject: Three vulnerabilities in Kea DHCP disclosed by ISC, 28 August 2019 Earlier today (28 Aug 2019) ISC disclosed three vulnerabilities in our Kea DHCP software. CVE-2019-6472 affects the Kea DHCPv6 server, which can exit with an assertion failure if the DHCPv6 server process receives a request containing DUID value which is too large. (https://kb.isc.org/docs/cve-2019-6474) CVE-2019-6473 affects the Kea DHCPv4 server, which can exit with an assertion failure if it receives a packed containing a malformed option. (https://kb.isc.org/docs/cve-2019-6473) CVE-2019-6474 can cause a condition where the server cannot be restarted without manual operator intervention to correct a problem that can be deliberately introduced into the stored leases. CVE-2019-6474 can only affect servers which are using memfile for lease storage. (https://kb.isc.org/docs/cve-2019-6474) To correct these vulnerabilities new releases of Kea were issued: - Kea 1.6.0 - Kea 1.5.0-P1 - Kea 1.4.0-P2 any of which can be downloaded via the ISC downloads page, https://www.isc.org/downloads. If you are a distributor of packages based on ISC's Kea DHCP software, you may consider the issue publicly disclosed and proceed with your own packages. Sincerely, Michael McNally ISC Security Officer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.