[CentOS] Fwd: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021

Mon May 31 12:32:28 UTC 2021
Leon Fauster <leonfauster at googlemail.com>

On 31.05.21 12:57, centos at niob.at wrote:
> On 22/05/2021 at 06:15, Kenneth Porter wrote:
>>
>> -------- Forwarded Message --------
>> Subject:     Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021
>> Date:     Fri, 21 May 2021 11:44:19 -0800
>> From:     Michael McNally <mcnally at isc.org>
>> To:     dhcp-announce at lists.isc.org
>>
>>
>>
>> Hello, dhcp-announce list subscribers,
>>
>> It has been a while since our last post to this list.
>>
>> Since the last time we posted news of a new release of ISC DHCP,
>> Internet Systems Consortium has adopted a practice of pre-announcing
>> expected security disclosures in order to give operators who use our
>> products a little advance warning and planning time.
>>
>> For that reason, I am writing you today to let you know that a vulnerability
>> in ISC DHCP will be publicly announced next week on Wednesday, 26 May 2021.
>>
>> Further details about that vulnerability will be publicly disclosed next
>> week, and new releases of ISC DHCP that correct the vulnerability will be
>> made available at that time. It is our hope that this pre-announcement will
>> aid DHCP operators in preparing for that disclosure when it occurs.
>>
> The released announcement: https://kb.isc.org/docs/cve-2021-25217
> 
> Any updates on this? From the announcement I take it that the version 
> used in C7 (4.2.5) is likely affected - yet there was no update.
> 
> Disclaimer: I did not check if upstream has released anything and I did 
> not check if the preconditions for the crash case are met by the current 
> package. Nevertheless, the "losing a lease" case is bad enough...
> 


https://access.redhat.com/security/cve/cve-2021-25217


--
Leon