-------- Forwarded Message --------
Subject: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021
Date: Fri, 21 May 2021 11:44:19 -0800
From: Michael McNally mcnally@isc.org
To: dhcp-announce@lists.isc.org
Hello, dhcp-announce list subscribers,
It has been a while since our last post to this list.
Since the last time we posted news of a new release of ISC DHCP, Internet Systems Consortium has adopted a practice of pre-announcing expected security disclosures in order to give operators who use our products a little advance warning and planning time.
For that reason, I am writing you today to let you know that a vulnerability in ISC DHCP will be publicly announced next week on Wednesday, 26 May 2021.
Further details about that vulnerability will be publicly disclosed next week, and new releases of ISC DHCP that correct the vulnerability will be made available at that time. It is our hope that this pre-announcement will aid DHCP operators in preparing for that disclosure when it occurs.
Yours sincerely,
Michael McNally (writing for ISC Security Officer)
_______________________________________________
dhcp-announce mailing list
dhcp-announce@lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-announce
On 22/05/2021 at 06:15, Kenneth Porter wrote:
> -------- Forwarded Message --------
> Subject: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021
> Date: Fri, 21 May 2021 11:44:19 -0800
> From: Michael McNally mcnally@isc.org
> To: dhcp-announce@lists.isc.org
>
> Hello, dhcp-announce list subscribers,
> It has been a while since our last post to this list.
> Since the last time we posted news of a new release of ISC DHCP, Internet Systems Consortium has adopted a practice of pre-announcing expected security disclosures in order to give operators who use our products a little advance warning and planning time.
> For that reason, I am writing you today to let you know that a vulnerability in ISC DHCP will be publicly announced next week on Wednesday, 26 May 2021.
> Further details about that vulnerability will be publicly disclosed next week, and new releases of ISC DHCP that correct the vulnerability will be made available at that time. It is our hope that this pre-announcement will aid DHCP operators in preparing for that disclosure when it occurs.
The released announcement: https://kb.isc.org/docs/cve-2021-25217
Any updates on this? From the announcement I take it that the version used in C7 (4.2.5) is likely affected - yet there was no update.
Disclaimer: I did not check if upstream has released anything and I did not check if the preconditions for the crash case are met by the current package. Nevertheless, the "losing a lease" case is bad enough...
peter
On 31.05.21 12:57, centos@niob.at wrote:
> The released announcement: https://kb.isc.org/docs/cve-2021-25217
> Any updates on this? From the announcement I take it that the version used in C7 (4.2.5) is likely affected - yet there was no update.
> Disclaimer: I did not check if upstream has released anything and I did not check if the preconditions for the crash case are met by the current package. Nevertheless, the "losing a lease" case is bad enough...
https://access.redhat.com/security/cve/cve-2021-25217
-- Leon
On 31.05.21 12:57, centos@niob.at wrote:
> The released announcement: https://kb.isc.org/docs/cve-2021-25217
> Any updates on this? From the announcement I take it that the version used in C7 (4.2.5) is likely affected - yet there was no update.
> Disclaimer: I did not check if upstream has released anything and I did not check if the preconditions for the crash case are met by the current package. Nevertheless, the "losing a lease" case is bad enough...
I'm wondering why this bug is still unfixed in EL[6-8] for more than a week now while it is mentioned as being a security issue? Since the fixing patch is just a few lines I'm surprised why it's delayed?
Regards, Simon
On 07.06.21 12:02, Simon Matter wrote:
> I'm wondering why this bug is still unfixed in EL[6-8] for more than a week now while it is mentioned as being a security issue? Since the fixing patch is just a few lines I'm surprised why it's delayed?
Maybe because it depends on more than one other ticket ...
https://bugzilla.redhat.com/show_bug.cgi?id=1963258
-- Leon
On 07.06.21 12:02, Simon Matter wrote:
> > I'm wondering why this bug is still unfixed in EL[6-8] for more than a week now while it is mentioned as being a security issue? Since the fixing patch is just a few lines I'm surprised why it's delayed?
> Maybe because it depends on more than one other ticket ...
Not really, I think. They usually create BZs for every distribution affected to track them separately, but it seems to be always the same trivial fix:
https://bugzilla.redhat.com/attachment.cgi?id=1786774&action=diff or https://bugzilla.redhat.com/attachment.cgi?id=1786775&action=diff
That's why my question, what do we NOT know?
Simon