[CentOS] Fwd: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021

Mon Jun 7 14:52:50 UTC 2021
Leon Fauster <leonfauster at googlemail.com>

On 07.06.21 12:02, Simon Matter wrote:
>> On 31.05.21 12:57, centos at niob.at wrote:
>>> Am 22/05/2021 um 06:15 schrieb Kenneth Porter:
>>>> -------- Forwarded Message --------
>>>> Subject:     Pre-announcement of an ISC DHCP security issue scheduled
>>>> for disclosure 26 May 2021
>>>> Date:     Fri, 21 May 2021 11:44:19 -0800
>>>> From:     Michael McNally <mcnally at isc.org>
>>>> To:     dhcp-announce at lists.isc.org
>>>> Hello, dhcp-announce list subscribers,
>>>> It has been a while since our last post to this list.
>>>> Since the last time we posted news of a new release of ISC DHCP,
>>>> Internet Systems Consortium has adopted a practice of pre-announcing
>>>> expected security disclosures in order to give operators who use our
>>>> products a little advance warning and planning time.
>>>> For that reason, I am writing you today to let you know that a
>>>> vulnerability
>>>> in ISC DHCP will be publicly announced next week on Wednesday, 26 May
>>>> 2021.
>>>> Further details about that vulnerability will be publicly disclosed
>>>> next
>>>> week, and new releases of ISC DHCP that correct the vulnerability will
>>>> be
>>>> made available at that time. It is our hope that this pre-announcement
>>>> will
>>>> aid DHCP operators in preparing for that disclosure when it occurs.
>>> The released announcement: https://kb.isc.org/docs/cve-2021-25217
>>> Any updates on this? From the announcement I take it that the version
>>> used in C7 (4.2.5) is likely affected - yet there was no update.
>>> Disclaimer: I did not check if upstream has released anything and I did
>>> not check if the preconditions for the crash case are met by the current
>>> package. Nevertheless, the "loosing a lease" case is bad enough...
>> https://access.redhat.com/security/cve/cve-2021-25217
> I'm wondering why this bug is still unfixed in EL[6-8] for more than a
> week now while it is mentioned as being a security issue? Since the fixing
> patch is just a view lines I'm surprised why it's delayed?

Maybe because it depends on more the one other ticket ...