oss-sec mailing list archives
Three vulnerabilities in Kea DHCP disclosed by ISC, 28 August 2019
From: Michael McNally <mcnally () isc org>
Date: Wed, 28 Aug 2019 23:46:31 -0800
Earlier today (28 Aug 2019) ISC disclosed three vulnerabilities in our Kea DHCP software.

CVE-2019-6472 affects the Kea DHCPv6 server, which can exit with an assertion failure if the DHCPv6 server process receives a request containing a DUID value which is too large. (https://kb.isc.org/docs/cve-2019-6474)

CVE-2019-6473 affects the Kea DHCPv4 server, which can exit with an assertion failure if it receives a packet containing a malformed option. (https://kb.isc.org/docs/cve-2019-6473)

CVE-2019-6474 can cause a condition where the server cannot be restarted without manual operator intervention to correct a problem that can be deliberately introduced into the stored leases. CVE-2019-6474 can only affect servers which are using memfile for lease storage. (https://kb.isc.org/docs/cve-2019-6474)

To correct these vulnerabilities, new releases of Kea were issued:

- Kea 1.6.0
- Kea 1.5.0-P1
- Kea 1.4.0-P2

Any of these can be downloaded via the ISC downloads page, https://www.isc.org/downloads.

If you are a distributor of packages based on ISC's Kea DHCP software, you may consider the issue publicly disclosed and proceed with your own packages.

Sincerely,

Michael McNally
ISC Security Officer