Re: Fwd: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021

[Leon Fauster via CentOS <centos@xxxxxxxxxx>]

On 07.06.21 12:02, Simon Matter wrote:
> > On 31.05.21 12:57, centos@xxxxxxx wrote:
> > > Am 22/05/2021 um 06:15 schrieb Kenneth Porter:
> > > > -------- Forwarded Message --------
> > > > Subject:     Pre-announcement of an ISC DHCP security issue scheduled
> > > > for disclosure 26 May 2021
> > > > Date:     Fri, 21 May 2021 11:44:19 -0800
> > > > From:     Michael McNally <mcnally@xxxxxxx>
> > > > To:     dhcp-announce@xxxxxxxxxxxxx
> > > >
> > > >
> > > >
> > > > Hello, dhcp-announce list subscribers,
> > > >
> > > > It has been a while since our last post to this list.
> > > >
> > > > Since the last time we posted news of a new release of ISC DHCP,
> > > > Internet Systems Consortium has adopted a practice of pre-announcing
> > > > expected security disclosures in order to give operators who use our
> > > > products a little advance warning and planning time.
> > > >
> > > > For that reason, I am writing you today to let you know that a
> > > > vulnerability
> > > > in ISC DHCP will be publicly announced next week on Wednesday, 26 May
> > > > 2021.
> > > >
> > > > Further details about that vulnerability will be publicly disclosed
> > > > next
> > > > week, and new releases of ISC DHCP that correct the vulnerability will
> > > > be
> > > > made available at that time. It is our hope that this pre-announcement
> > > > will
> > > > aid DHCP operators in preparing for that disclosure when it occurs.
> > > The released announcement: https://kb.isc.org/docs/cve-2021-25217
> > >
> > > Any updates on this? From the announcement I take it that the version
> > > used in C7 (4.2.5) is likely affected - yet there was no update.
> > >
> > > Disclaimer: I did not check if upstream has released anything and I did
> > > not check if the preconditions for the crash case are met by the current
> > > package. Nevertheless, the "loosing a lease" case is bad enough...
> >
> >
> > https://access.redhat.com/security/cve/cve-2021-25217
>
> I'm wondering why this bug is still unfixed in EL[6-8] for more than a
> week now while it is mentioned as being a security issue? Since the fixing
> patch is just a view lines I'm surprised why it's delayed?


Maybe because it depends on more the one other ticket ...

https://bugzilla.redhat.com/show_bug.cgi?id=1963258

--
Leon

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos