[CentOS] Fwd: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021

Mon Jun 7 15:02:44 UTC 2021
Simon Matter <simon.matter at invoca.ch>

> On 07.06.21 12:02, Simon Matter wrote:
>>> On 31.05.21 12:57, centos at niob.at wrote:
>>>> On 22/05/2021 at 06:15, Kenneth Porter wrote:
>>>>>
>>>>> -------- Forwarded Message --------
>>>>> Subject:     Pre-announcement of an ISC DHCP security issue scheduled
>>>>> for disclosure 26 May 2021
>>>>> Date:     Fri, 21 May 2021 11:44:19 -0800
>>>>> From:     Michael McNally <mcnally at isc.org>
>>>>> To:     dhcp-announce at lists.isc.org
>>>>>
>>>>> Hello, dhcp-announce list subscribers,
>>>>>
>>>>> It has been a while since our last post to this list.
>>>>>
>>>>> Since the last time we posted news of a new release of ISC DHCP,
>>>>> Internet Systems Consortium has adopted a practice of pre-announcing
>>>>> expected security disclosures in order to give operators who use our
>>>>> products a little advance warning and planning time.
>>>>>
>>>>> For that reason, I am writing you today to let you know that a
>>>>> vulnerability in ISC DHCP will be publicly announced next week on
>>>>> Wednesday, 26 May 2021.
>>>>>
>>>>> Further details about that vulnerability will be publicly disclosed
>>>>> next week, and new releases of ISC DHCP that correct the vulnerability
>>>>> will be made available at that time. It is our hope that this
>>>>> pre-announcement will aid DHCP operators in preparing for that
>>>>> disclosure when it occurs.
>>>>>
>>>> The released announcement: https://kb.isc.org/docs/cve-2021-25217
>>>>
>>>> Any updates on this? From the announcement I take it that the version
>>>> used in C7 (4.2.5) is likely affected - yet there was no update.
>>>>
>>>> Disclaimer: I did not check if upstream has released anything and I
>>>> did not check if the preconditions for the crash case are met by the
>>>> current package. Nevertheless, the "losing a lease" case is bad
>>>> enough...
>>>>
>>>
>>> https://access.redhat.com/security/cve/cve-2021-25217
>>
>> I'm wondering why this bug is still unfixed in EL[6-8] for more than a
>> week now while it is mentioned as being a security issue? Since the
>> fixing patch is just a few lines, I'm surprised that it's delayed.
>>
>
> Maybe because it depends on more than one other ticket ...
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1963258

Not really, I think. They usually create BZs for every distribution
affected to track them separately, but it seems to be always the same
trivial fix:

https://bugzilla.redhat.com/attachment.cgi?id=1786774&action=diff
or
https://bugzilla.redhat.com/attachment.cgi?id=1786775&action=diff

That's why my question: what do we NOT know?

Simon