SUSE alert openSUSE-SU-2026:20452-1 (kea)
| From: | null@suse.de | |
| To: | security-announce@lists.opensuse.org | |
| Subject: | openSUSE-SU-2026:20452-1: important: Security update for kea | |
| Date: | Thu, 02 Apr 2026 14:50:26 +0200 | |
| Message-ID: | <20260402125026.06F86FD57@maintenance.suse.de> | |
| Archive-link: | Article |
openSUSE security update: security update for kea ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20452-1 Rating: important References: * bsc#1252863 * bsc#1260380 Cross-References: * CVE-2025-11232 * CVE-2026-3608 CVSS scores: * CVE-2025-11232 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2025-11232 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-3608 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-3608 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed. Description: This update for kea fixes the following issues: Update to 3.0.3: - CVE-2025-11232: invalid characters cause assert (bsc#1252863). - CVE-2026-3608: stack overflow via maliciously crafted message (bsc#1260380). Changelog: * A large number of bracket pairs in a JSON payload directed to any endpoint would result in a stack overflow, due to recursive calls when parsing the JSON. This has been fixed. (CVE-2026-3608) [bsc#1260380] * When a hostname or FQDN received from a client is reduced to an empty string by hostname sanitizing, kea-dhcp4 and kea-dhcp6 will now drop the option. (CVE-2025-11232) [bsc#1252863] * A null dereference is now no longer possible when configuring the Control Agent with a socket that lacks the mandatory socket-name entry. * UNIX sockets are now created as group-writable. * Removed logging an error in ping check hook library if using lease cache treshold. * Fixed deadlock in ping-check hooks library. * Fixed a data race in ping-check hooks library. Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-470=1 Package List: - openSUSE Leap 16.0: kea-3.0.3-160000.1.1 kea-devel-3.0.3-160000.1.1 kea-doc-3.0.3-160000.1.1 kea-hooks-3.0.3-160000.1.1 libkea-asiodns62-3.0.3-160000.1.1 libkea-asiolink88-3.0.3-160000.1.1 libkea-cc83-3.0.3-160000.1.1 libkea-cfgrpt3-3.0.3-160000.1.1 libkea-config84-3.0.3-160000.1.1 libkea-cryptolink64-3.0.3-160000.1.1 libkea-d2srv63-3.0.3-160000.1.1 libkea-database76-3.0.3-160000.1.1 libkea-dhcp109-3.0.3-160000.1.1 libkea-dhcp_ddns68-3.0.3-160000.1.1 libkea-dhcpsrv131-3.0.3-160000.1.1 libkea-dns71-3.0.3-160000.1.1 libkea-eval84-3.0.3-160000.1.1 libkea-exceptions45-3.0.3-160000.1.1 libkea-hooks121-3.0.3-160000.1.1 libkea-http87-3.0.3-160000.1.1 libkea-log-interprocess3-3.0.3-160000.1.1 libkea-log75-3.0.3-160000.1.1 libkea-mysql88-3.0.3-160000.1.1 libkea-pgsql88-3.0.3-160000.1.1 libkea-process91-3.0.3-160000.1.1 libkea-stats53-3.0.3-160000.1.1 libkea-tcp33-3.0.3-160000.1.1 libkea-util-io12-3.0.3-160000.1.1 libkea-util102-3.0.3-160000.1.1 python3-kea-3.0.3-160000.1.1 References: * https://www.suse.com/security/cve/CVE-2025-11232.html * https://www.suse.com/security/cve/CVE-2026-3608.html