Re: Fwd: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021




> On 31.05.21 12:57, centos@xxxxxxx wrote:
>> Am 22/05/2021 um 06:15 schrieb Kenneth Porter:
>>>
>>> -------- Forwarded Message --------
>>> Subject:     Pre-announcement of an ISC DHCP security issue scheduled
>>> for disclosure 26 May 2021
>>> Date:     Fri, 21 May 2021 11:44:19 -0800
>>> From:     Michael McNally <mcnally@xxxxxxx>
>>> To:     dhcp-announce@xxxxxxxxxxxxx
>>>
>>>
>>>
>>> Hello, dhcp-announce list subscribers,
>>>
>>> It has been a while since our last post to this list.
>>>
>>> Since the last time we posted news of a new release of ISC DHCP,
>>> Internet Systems Consortium has adopted a practice of pre-announcing
>>> expected security disclosures in order to give operators who use our
>>> products a little advance warning and planning time.
>>>
>>> For that reason, I am writing you today to let you know that a
>>> vulnerability in ISC DHCP will be publicly announced next week on
>>> Wednesday, 26 May 2021.
>>>
>>> Further details about that vulnerability will be publicly disclosed
>>> next week, and new releases of ISC DHCP that correct the vulnerability
>>> will be made available at that time. It is our hope that this
>>> pre-announcement will aid DHCP operators in preparing for that
>>> disclosure when it occurs.
>>>
>> The released announcement: https://kb.isc.org/docs/cve-2021-25217
>>
>> Any updates on this? From the announcement I take it that the version
>> used in C7 (4.2.5) is likely affected - yet there was no update.
>>
>> Disclaimer: I did not check if upstream has released anything and I did
>> not check if the preconditions for the crash case are met by the current
>> package. Nevertheless, the "losing a lease" case is bad enough...
>>
>
>
> https://access.redhat.com/security/cve/cve-2021-25217

I'm wondering why this bug is still unfixed in EL[6-8] for more than a
week now while it is mentioned as being a security issue? Since the fixing
patch is just a few lines, I'm surprised that it's delayed.

Regards,
Simon

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



