[CentOS] Fwd: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021

Mon May 31 10:57:20 UTC 2021
centos at niob.at <centos at niob.at>

Am 22/05/2021 um 06:15 schrieb Kenneth Porter:
>
> -------- Forwarded Message --------
> Subject:     Pre-announcement of an ISC DHCP security issue scheduled 
> for disclosure 26 May 2021
> Date:     Fri, 21 May 2021 11:44:19 -0800
> From:     Michael McNally <mcnally at isc.org>
> To:     dhcp-announce at lists.isc.org
>
>
>
> Hello, dhcp-announce list subscribers,
>
> It has been a while since our last post to this list.
>
> Since the last time we posted news of a new release of ISC DHCP,
> Internet Systems Consortium has adopted a practice of pre-announcing
> expected security disclosures in order to give operators who use our
> products a little advance warning and planning time.
>
> For that reason, I am writing you today to let you know that a 
> vulnerability
> in ISC DHCP will be publicly announced next week on Wednesday, 26 May 
> 2021.
>
> Further details about that vulnerability will be publicly disclosed next
> week, and new releases of ISC DHCP that correct the vulnerability will be
> made available at that time. It is our hope that this pre-announcement 
> will
> aid DHCP operators in preparing for that disclosure when it occurs.
>
The released announcement: https://kb.isc.org/docs/cve-2021-25217

Any updates on this? From the announcement I take it that the version 
used in C7 (4.2.5) is likely affected - yet there was no update.

Disclaimer: I did not check if upstream has released anything and I did 
not check if the preconditions for the crash case are met by the current 
package. Nevertheless, the "loosing a lease" case is bad enough...


peter