[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] Three vulnerabilities in Kea DHCP disclosed by ISC, 28 August 2019
From: Michael McNally <mcnally () isc ! org>
Date: 2019-08-29 7:46:31
Message-ID: d8544143-4a18-ef44-b4bd-b2efc1c3aa60 () isc ! org
[Download RAW message or body]
Earlier today (28 Aug 2019) ISC disclosed three vulnerabilities in our
Kea DHCP software.
CVE-2019-6472 affects the Kea DHCPv6 server, which can exit
with an assertion failure if the DHCPv6 server process receives
a request containing DUID value which is too large.
(https://kb.isc.org/docs/cve-2019-6474)
CVE-2019-6473 affects the Kea DHCPv4 server, which can exit with
an assertion failure if it receives a packed containing a malformed
option. (https://kb.isc.org/docs/cve-2019-6473)
CVE-2019-6474 can cause a condition where the server cannot be
restarted without manual operator intervention to correct a problem
that can be deliberately introduced into the stored leases.
CVE-2019-6474 can only affect servers which are using memfile
for lease storage. (https://kb.isc.org/docs/cve-2019-6474)
To correct these vulnerabilities new releases of Kea were issued:
- Kea 1.6.0
- Kea 1.5.0-P1
- Kea 1.4.0-P2
any of which can be downloaded via the ISC downloads page,
https://www.isc.org/downloads.
If you are a distributor of packages based on ISC's Kea DHCP
software, you may consider the issue publicly disclosed and proceed
with your own packages.
Sincerely,
Michael McNally
ISC Security Officer
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic