Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <d8544143-4a18-ef44-b4bd-b2efc1c3aa60@isc.org>
Date: Wed, 28 Aug 2019 23:46:31 -0800
From: Michael McNally <mcnally@....org>
To: oss-security@...ts.openwall.com
Subject: Three vulnerabilities in Kea DHCP disclosed by ISC, 28 August 2019

Earlier today (28 Aug 2019) ISC disclosed three vulnerabilities in our
Kea DHCP software.

   CVE-2019-6472 affects the Kea DHCPv6 server, which can exit
   with an assertion failure if the DHCPv6 server process receives
   a request containing DUID value which is too large.
   (https://kb.isc.org/docs/cve-2019-6474)

   CVE-2019-6473 affects the Kea DHCPv4 server, which can exit with
   an assertion failure if it receives a packed containing a malformed
   option.  (https://kb.isc.org/docs/cve-2019-6473)

   CVE-2019-6474 can cause a condition where the server cannot be
   restarted without manual operator intervention to correct a problem
   that can be deliberately introduced into the stored leases.
   CVE-2019-6474 can only affect servers which are using memfile
   for lease storage.  (https://kb.isc.org/docs/cve-2019-6474)

To correct these vulnerabilities new releases of Kea were issued:

   -  Kea 1.6.0
   -  Kea 1.5.0-P1
   -  Kea 1.4.0-P2

any of which can be downloaded via the ISC downloads page,
https://www.isc.org/downloads.

If you are a distributor of packages based on ISC's Kea DHCP
software, you may consider the issue publicly disclosed and proceed
with your own packages.

Sincerely,

Michael McNally
ISC Security Officer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.