Three vulnerabilities in Kea DHCP disclosed by ISC, 28 August 2019

[Michael McNally <mcnally () isc org>]

Earlier today (28 Aug 2019) ISC disclosed three vulnerabilities in our
Kea DHCP software.

   CVE-2019-6472 affects the Kea DHCPv6 server, which can exit
   with an assertion failure if the DHCPv6 server process receives
   a request containing DUID value which is too large.
   (https://kb.isc.org/docs/cve-2019-6474)

   CVE-2019-6473 affects the Kea DHCPv4 server, which can exit with
   an assertion failure if it receives a packed containing a malformed
   option.  (https://kb.isc.org/docs/cve-2019-6473)

   CVE-2019-6474 can cause a condition where the server cannot be
   restarted without manual operator intervention to correct a problem
   that can be deliberately introduced into the stored leases.
   CVE-2019-6474 can only affect servers which are using memfile
   for lease storage.  (https://kb.isc.org/docs/cve-2019-6474)

To correct these vulnerabilities new releases of Kea were issued:

   -  Kea 1.6.0
   -  Kea 1.5.0-P1
   -  Kea 1.4.0-P2

any of which can be downloaded via the ISC downloads page,
https://www.isc.org/downloads.

If you are a distributor of packages based on ISC's Kea DHCP
software, you may consider the issue publicly disclosed and proceed
with your own packages.

Sincerely,

Michael McNally
ISC Security Officer