Re: Fwd: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021




> On 07.06.21 12:02, Simon Matter wrote:
>> On 31.05.21 12:57, centos@xxxxxxx wrote:
>>>> Am 22/05/2021 um 06:15 schrieb Kenneth Porter:
>>>>>
>>>>> -------- Forwarded Message --------
>>>>> Subject:     Pre-announcement of an ISC DHCP security issue scheduled
>>>>> for disclosure 26 May 2021
>>>>> Date:     Fri, 21 May 2021 11:44:19 -0800
>>>>> From:     Michael McNally <mcnally@xxxxxxx>
>>>>> To:     dhcp-announce@xxxxxxxxxxxxx
>>>>>
>>>>>
>>>>>
>>>>> Hello, dhcp-announce list subscribers,
>>>>>
>>>>> It has been a while since our last post to this list.
>>>>>
>>>>> Since the last time we posted news of a new release of ISC DHCP,
>>>>> Internet Systems Consortium has adopted a practice of pre-announcing
>>>>> expected security disclosures in order to give operators who use our
>>>>> products a little advance warning and planning time.
>>>>>
>>>>> For that reason, I am writing you today to let you know that a
>>>>> vulnerability in ISC DHCP will be publicly announced next week on
>>>>> Wednesday, 26 May 2021.
>>>>>
>>>>> Further details about that vulnerability will be publicly disclosed
>>>>> next week, and new releases of ISC DHCP that correct the vulnerability
>>>>> will be made available at that time. It is our hope that this
>>>>> pre-announcement will aid DHCP operators in preparing for that
>>>>> disclosure when it occurs.
>>>>>
>>>> The released announcement: https://kb.isc.org/docs/cve-2021-25217
>>>>
>>>> Any updates on this? From the announcement I take it that the version
>>>> used in C7 (4.2.5) is likely affected - yet there was no update.
>>>>
>>>> Disclaimer: I did not check if upstream has released anything and I
>>>> did not check if the preconditions for the crash case are met by the
>>>> current package. Nevertheless, the "losing a lease" case is bad enough...
>>>>
>>>
>>>
>>> https://access.redhat.com/security/cve/cve-2021-25217
>>
>> I'm wondering why this bug is still unfixed in EL[6-8] for more than a
>> week now while it is mentioned as being a security issue? Since the
>> fixing patch is just a few lines, I'm surprised why it's delayed?
>>
>
>
> Maybe because it depends on more than one other ticket ...
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1963258

Not really, I think. They usually create BZs for every distribution
affected to track them separately, but it seems to be always the same
trivial fix:

https://bugzilla.redhat.com/attachment.cgi?id=1786774&action=diff
or
https://bugzilla.redhat.com/attachment.cgi?id=1786775&action=diff

That's why my question is: what do we NOT know?

Simon

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos