> On 07.06.21 12:02, Simon Matter wrote:
>>> On 31.05.21 12:57, centos at niob.at wrote:
>>>> On 22/05/2021 at 06:15, Kenneth Porter wrote:
>>>>>
>>>>> -------- Forwarded Message --------
>>>>> Subject: Pre-announcement of an ISC DHCP security issue scheduled
>>>>> for disclosure 26 May 2021
>>>>> Date: Fri, 21 May 2021 11:44:19 -0800
>>>>> From: Michael McNally <mcnally at isc.org>
>>>>> To: dhcp-announce at lists.isc.org
>>>>>
>>>>> Hello, dhcp-announce list subscribers,
>>>>>
>>>>> It has been a while since our last post to this list.
>>>>>
>>>>> Since the last time we posted news of a new release of ISC DHCP,
>>>>> Internet Systems Consortium has adopted a practice of pre-announcing
>>>>> expected security disclosures in order to give operators who use our
>>>>> products a little advance warning and planning time.
>>>>>
>>>>> For that reason, I am writing you today to let you know that a
>>>>> vulnerability in ISC DHCP will be publicly announced next week on
>>>>> Wednesday, 26 May 2021.
>>>>>
>>>>> Further details about that vulnerability will be publicly disclosed
>>>>> next week, and new releases of ISC DHCP that correct the vulnerability
>>>>> will be made available at that time. It is our hope that this
>>>>> pre-announcement will aid DHCP operators in preparing for that
>>>>> disclosure when it occurs.
>>>>>
>>>> The released announcement: https://kb.isc.org/docs/cve-2021-25217
>>>>
>>>> Any updates on this? From the announcement I take it that the version
>>>> used in C7 (4.2.5) is likely affected - yet there was no update.
>>>>
>>>> Disclaimer: I did not check if upstream has released anything and I
>>>> did not check if the preconditions for the crash case are met by the
>>>> current package. Nevertheless, the "losing a lease" case is bad
>>>> enough...
>>>>
>>>
>>> https://access.redhat.com/security/cve/cve-2021-25217
>>
>> I'm wondering why this bug is still unfixed in EL[6-8] for more than a
>> week now while it is mentioned as being a security issue? Since the
>> fixing patch is just a few lines, I'm surprised that it's delayed.
>>
>
> Maybe because it depends on more than one other ticket ...
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1963258

Not really, I think. They usually create BZs for every distribution
affected to track them separately, but it seems to be always the same
trivial fix:

https://bugzilla.redhat.com/attachment.cgi?id=1786774&action=diff

or

https://bugzilla.redhat.com/attachment.cgi?id=1786775&action=diff

That's why my question: what do we NOT know?

Simon