
List:       oss-security
Subject:    [oss-security] Three vulnerabilities in Kea DHCP disclosed by ISC, 28 August 2019
From:       Michael McNally <mcnally () isc ! org>
Date:       2019-08-29 7:46:31
Message-ID: d8544143-4a18-ef44-b4bd-b2efc1c3aa60 () isc ! org

Earlier today (28 Aug 2019) ISC disclosed three vulnerabilities in our
Kea DHCP software.

   CVE-2019-6472 affects the Kea DHCPv6 server, which can exit
   with an assertion failure if the DHCPv6 server process receives
   a request containing a DUID value which is too large.
   (https://kb.isc.org/docs/cve-2019-6474)

   CVE-2019-6473 affects the Kea DHCPv4 server, which can exit with
   an assertion failure if it receives a packet containing a malformed
   option.  (https://kb.isc.org/docs/cve-2019-6473)

   CVE-2019-6474 can cause a condition where the server cannot be
   restarted without manual operator intervention to correct a problem
   that can be deliberately introduced into the stored leases.
   CVE-2019-6474 can only affect servers which are using memfile
   for lease storage.  (https://kb.isc.org/docs/cve-2019-6474)

To correct these vulnerabilities, new releases of Kea were issued:

   -  Kea 1.6.0
   -  Kea 1.5.0-P1
   -  Kea 1.4.0-P2

any of which can be downloaded via the ISC downloads page,
https://www.isc.org/downloads.

If you are a distributor of packages based on ISC's Kea DHCP
software, you may consider the issue publicly disclosed and proceed
with your own packages.

Sincerely,

Michael McNally
ISC Security Officer