centos at niob.at
2021-May-31 10:57 UTC
[CentOS] Fwd: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021
On 22/05/2021 at 06:15, Kenneth Porter wrote:
>
> -------- Forwarded Message --------
> Subject: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021
> Date: Fri, 21 May 2021 11:44:19 -0800
> From: Michael McNally <mcnally at isc.org>
> To: dhcp-announce at lists.isc.org
>
> Hello, dhcp-announce list subscribers,
>
> It has been a while since our last post to this list.
>
> Since the last time we posted news of a new release of ISC DHCP,
> Internet Systems Consortium has adopted a practice of pre-announcing
> expected security disclosures in order to give operators who use our
> products a little advance warning and planning time.
>
> For that reason, I am writing you today to let you know that a
> vulnerability in ISC DHCP will be publicly announced next week on
> Wednesday, 26 May 2021.
>
> Further details about that vulnerability will be publicly disclosed next
> week, and new releases of ISC DHCP that correct the vulnerability will be
> made available at that time. It is our hope that this pre-announcement
> will aid DHCP operators in preparing for that disclosure when it occurs.
>

The released announcement: https://kb.isc.org/docs/cve-2021-25217

Any updates on this? From the announcement I take it that the version used in C7 (4.2.5) is likely affected - yet there was no update.

Disclaimer: I did not check if upstream has released anything and I did not check if the preconditions for the crash case are met by the current package. Nevertheless, the "losing a lease" case is bad enough...

peter
Leon Fauster
2021-May-31 12:32 UTC
[CentOS] Fwd: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021
On 31.05.21 12:57, centos at niob.at wrote:
> On 22/05/2021 at 06:15, Kenneth Porter wrote:
>>
>> -------- Forwarded Message --------
>> Subject: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021
>> Date: Fri, 21 May 2021 11:44:19 -0800
>> From: Michael McNally <mcnally at isc.org>
>> To: dhcp-announce at lists.isc.org
>>
>> Hello, dhcp-announce list subscribers,
>>
>> It has been a while since our last post to this list.
>>
>> Since the last time we posted news of a new release of ISC DHCP,
>> Internet Systems Consortium has adopted a practice of pre-announcing
>> expected security disclosures in order to give operators who use our
>> products a little advance warning and planning time.
>>
>> For that reason, I am writing you today to let you know that a
>> vulnerability in ISC DHCP will be publicly announced next week on
>> Wednesday, 26 May 2021.
>>
>> Further details about that vulnerability will be publicly disclosed next
>> week, and new releases of ISC DHCP that correct the vulnerability will be
>> made available at that time. It is our hope that this pre-announcement
>> will aid DHCP operators in preparing for that disclosure when it occurs.
>>
> The released announcement: https://kb.isc.org/docs/cve-2021-25217
>
> Any updates on this? From the announcement I take it that the version
> used in C7 (4.2.5) is likely affected - yet there was no update.
>
> Disclaimer: I did not check if upstream has released anything and I did
> not check if the preconditions for the crash case are met by the current
> package. Nevertheless, the "losing a lease" case is bad enough...
>

https://access.redhat.com/security/cve/cve-2021-25217

--
Leon