Re: Fwd: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021




On 07.06.21 12:02, Simon Matter wrote:
On 31.05.21 12:57, centos@xxxxxxx wrote:
On 22/05/2021 at 06:15, Kenneth Porter wrote:

-------- Forwarded Message --------
Subject:     Pre-announcement of an ISC DHCP security issue scheduled
for disclosure 26 May 2021
Date:     Fri, 21 May 2021 11:44:19 -0800
From:     Michael McNally <mcnally@xxxxxxx>
To:     dhcp-announce@xxxxxxxxxxxxx



Hello, dhcp-announce list subscribers,

It has been a while since our last post to this list.

Since the last time we posted news of a new release of ISC DHCP,
Internet Systems Consortium has adopted a practice of pre-announcing
expected security disclosures in order to give operators who use our
products a little advance warning and planning time.

For that reason, I am writing you today to let you know that a vulnerability
in ISC DHCP will be publicly announced next week on Wednesday, 26 May 2021.

Further details about that vulnerability will be publicly disclosed next
week, and new releases of ISC DHCP that correct the vulnerability will be
made available at that time. It is our hope that this pre-announcement will
aid DHCP operators in preparing for that disclosure when it occurs.

The released announcement: https://kb.isc.org/docs/cve-2021-25217

Any updates on this? From the announcement I take it that the version
used in C7 (4.2.5) is likely affected - yet there was no update.

Disclaimer: I did not check if upstream has released anything and I did
not check if the preconditions for the crash case are met by the current
package. Nevertheless, the "losing a lease" case is bad enough...



https://access.redhat.com/security/cve/cve-2021-25217

I'm wondering why this bug is still unfixed in EL[6-8] for more than a
week now while it is mentioned as being a security issue? Since the fixing
patch is just a few lines I'm surprised why it's delayed?



Maybe because it depends on more than one other ticket ...

https://bugzilla.redhat.com/show_bug.cgi?id=1963258

--
Leon

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



