Fedora alert FEDORA-2025-b870671130 (kea)
| From: | updates--- via package-announce <package-announce@lists.fedoraproject.org> | |
| To: | package-announce@lists.fedoraproject.org | |
| Subject: | [SECURITY] Fedora 41 Update: kea-2.6.3-1.fc41 | |
| Date: | Thu, 19 Jun 2025 01:21:54 +0000 | |
| Message-ID: | <20250619012154.F3C842037428@bastion01.iad2.fedoraproject.org> | |
| Archive-link: | Article |
-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-b870671130 2025-06-19 01:20:13.177267+00:00 -------------------------------------------------------------------------------- Name : kea Product : Fedora 41 Version : 2.6.3 Release : 1.fc41 URL : http://kea.isc.org Summary : DHCPv4, DHCPv6 and DDNS server from ISC Description : DHCP implementation from Internet Systems Consortium, Inc. that features fully functional DHCPv4, DHCPv6 and Dynamic DNS servers. Both DHCP servers fully support server discovery, address assignment, renewal, rebinding and release. The DHCPv6 server supports prefix delegation. Both servers support DNS Update mechanism, using stand-alone DDNS daemon. -------------------------------------------------------------------------------- Update Information: New version 2.6.3 (rhbz#2368989) Fix for: CVE-2025-32801, CVE-2025-32802, CVE-2025-32803 kea.conf: Remove /tmp/ from socket-name for existing configurations kea.conf: Set pseudo-random password for default config to secure fresh install and allow CA startup without user intervention kea.conf: Restrict directory permissions Sync service files with upstream Fix leases ownership when switching from root to kea user (rhbz#2324168) Release Notes: The new default configuration file, kea-ctrl-agent.conf, introduces an authentication setting, "password-file", which restricts access to the REST API. On Fedora, the kea-api-password file is automatically populated with a pseudo- random password to secure new installations. For system upgrades, it is strongly recommended to update any custom configurations to restrict access to the REST API. For more details, including information on CVE fixes and incompatible changes, refer to the upstream release notes: https://downloads.isc.org/isc/kea/2.6.3/Kea-2.6.3-Release... -------------------------------------------------------------------------------- ChangeLog: * Mon Jun 9 2025 Martin Osvald <mosvald@redhat.com> - 2.6.3-1 - New version 2.6.3 (rhbz#2368989) - Fix for: CVE-2025-32801, CVE-2025-32802, CVE-2025-32803 - kea.conf: Remove /tmp/ from socket-name for existing configurations - kea.conf: Set pseudo-random password for default config to secure fresh install and allow CA startup without user intervention - kea.conf: Restrict directory permissions - Sync service files with upstream - Fix leases ownership when switching from root to kea user (rhbz#2324168) * Mon Jun 9 2025 Yaakov Selkowitz <yselkowi@redhat.com> - 2.6.2-6 - Reconditionalize openssl-devel-engine * Mon Jun 9 2025 Martin Osvald <mosvald@redhat.com> - 2.6.2-5 - kea.spec: remove rhel7 and f40 conditions * Mon Jun 9 2025 Pavol Sloboda <pavol.sloboda02@gmail.com> - 2.6.2-4 - fix: fixed the BuildRequires of mariadb-devel package the mariadb- connector-c-devel package is available for all RHEL versions from version 8 and above, as version 7 is quite old this condition is not necessary and all packages should use the BuildRequires of mariadb-connector-c- devel instead of mariadb-devel if possible * Mon Jun 9 2025 Andrea Bolognani <abologna@redhat.com> - 2.6.2-3 - Use autoreconf more (fixes riscv64 build) * Mon Jun 2 2025 FrantiĊĦek Hrdina <fhrdina@redhat.com> - 2.6.2-2 - Update location of fmf plans -------------------------------------------------------------------------------- References: [ 1 ] Bug #2324168 - System update from F40 to F41: kea-dhcp unusable https://bugzilla.redhat.com/show_bug.cgi?id=2324168 [ 2 ] Bug #2368989 - kea-2.6.3 is available https://bugzilla.redhat.com/show_bug.cgi?id=2368989 [ 3 ] Bug #2369336 - CVE-2025-32803 kea: Insecure file permissions can result in confidential information leakage [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2369336 [ 4 ] Bug #2369380 - CVE-2025-32801 kea: Loading a malicious hook library can lead to local privilege escalation [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2369380 [ 5 ] Bug #2370278 - CVE-2025-32802 kea: Insecure handling of file paths allows multiple local attacks [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2370278 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-b870671130' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgr... All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------
Attachment: None (type=text/plain)
-- _______________________________________________ package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-cond... List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-ann... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue