Simon Matter
2021-Jun-07 10:02 UTC
[CentOS] Fwd: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021
> On 31.05.21 12:57, centos at niob.at wrote:
>> On 22/05/2021 at 06:15, Kenneth Porter wrote:
>>>
>>> -------- Forwarded Message --------
>>> Subject: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021
>>> Date: Fri, 21 May 2021 11:44:19 -0800
>>> From: Michael McNally <mcnally at isc.org>
>>> To: dhcp-announce at lists.isc.org
>>>
>>> Hello, dhcp-announce list subscribers,
>>>
>>> It has been a while since our last post to this list.
>>>
>>> Since the last time we posted news of a new release of ISC DHCP,
>>> Internet Systems Consortium has adopted a practice of pre-announcing
>>> expected security disclosures in order to give operators who use our
>>> products a little advance warning and planning time.
>>>
>>> For that reason, I am writing you today to let you know that a vulnerability
>>> in ISC DHCP will be publicly announced next week on Wednesday, 26 May 2021.
>>>
>>> Further details about that vulnerability will be publicly disclosed next
>>> week, and new releases of ISC DHCP that correct the vulnerability will be
>>> made available at that time. It is our hope that this pre-announcement will
>>> aid DHCP operators in preparing for that disclosure when it occurs.
>>>
>> The released announcement: https://kb.isc.org/docs/cve-2021-25217
>>
>> Any updates on this? From the announcement I take it that the version
>> used in C7 (4.2.5) is likely affected - yet there was no update.
>>
>> Disclaimer: I did not check if upstream has released anything and I did
>> not check if the preconditions for the crash case are met by the current
>> package. Nevertheless, the "losing a lease" case is bad enough...
>>
>
> https://access.redhat.com/security/cve/cve-2021-25217

I'm wondering why this bug is still unfixed in EL[6-8] for more than a week now while it is mentioned as being a security issue? Since the fixing patch is just a few lines, I'm surprised that it's delayed.

Regards,
Simon
Leon Fauster
2021-Jun-07 14:52 UTC
[CentOS] Fwd: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021
On 07.06.21 12:02, Simon Matter wrote:
>> On 31.05.21 12:57, centos at niob.at wrote:
>>> On 22/05/2021 at 06:15, Kenneth Porter wrote:
>>>>
>>>> -------- Forwarded Message --------
>>>> Subject: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021
>>>> Date: Fri, 21 May 2021 11:44:19 -0800
>>>> From: Michael McNally <mcnally at isc.org>
>>>> To: dhcp-announce at lists.isc.org
>>>>
>>>> Hello, dhcp-announce list subscribers,
>>>>
>>>> It has been a while since our last post to this list.
>>>>
>>>> Since the last time we posted news of a new release of ISC DHCP,
>>>> Internet Systems Consortium has adopted a practice of pre-announcing
>>>> expected security disclosures in order to give operators who use our
>>>> products a little advance warning and planning time.
>>>>
>>>> For that reason, I am writing you today to let you know that a vulnerability
>>>> in ISC DHCP will be publicly announced next week on Wednesday, 26 May 2021.
>>>>
>>>> Further details about that vulnerability will be publicly disclosed next
>>>> week, and new releases of ISC DHCP that correct the vulnerability will be
>>>> made available at that time. It is our hope that this pre-announcement will
>>>> aid DHCP operators in preparing for that disclosure when it occurs.
>>>>
>>> The released announcement: https://kb.isc.org/docs/cve-2021-25217
>>>
>>> Any updates on this? From the announcement I take it that the version
>>> used in C7 (4.2.5) is likely affected - yet there was no update.
>>>
>>> Disclaimer: I did not check if upstream has released anything and I did
>>> not check if the preconditions for the crash case are met by the current
>>> package. Nevertheless, the "losing a lease" case is bad enough...
>>>
>>
>> https://access.redhat.com/security/cve/cve-2021-25217
>
> I'm wondering why this bug is still unfixed in EL[6-8] for more than a
> week now while it is mentioned as being a security issue? Since the fixing
> patch is just a few lines, I'm surprised that it's delayed.

Maybe because it depends on more than one other ticket ...
https://bugzilla.redhat.com/show_bug.cgi?id=1963258

--
Leon
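The open question in the thread is whether the EL dhcp package carries the fix for CVE-2021-25217. On Enterprise Linux, security fixes are backported without bumping the upstream version (C7 stays at 4.2.5 either way, as noted above), so comparing the version string against ISC's fixed releases tells you nothing; the package changelog is where the backport is recorded. The following is an added example, not code from the thread, from ISC or from Red Hat. The changelog samples it runs against are constructed (placeholder packager, placeholder version strings); `rpm -q --changelog dhcp` is the real invocation for the live check.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether an EL dhcp package
# has the CVE-2021-25217 backport by reading its rpm changelog instead of
# its version. Red Hat keeps the upstream version (4.2.5 on C7) and records
# the fixed CVE in the changelog entry for the patched release.

CVE="CVE-2021-25217"

# changelog_mentions_cve CVE-ID   (reads changelog text on stdin)
# Exit 0 when the changelog references the CVE, 1 when it does not.
changelog_mentions_cve() {
    grep -q -i -- "$1"
}

# Constructed sample changelog entries (not real rpm output; the packager
# and the version-release strings are placeholders).
SAMPLE_UNFIXED='* Mon Jan 04 2021 Packager <packager@example.invalid> - 12:X.Y.Z-N
- Rebuild, no security content'
SAMPLE_FIXED='* Mon Jan 04 2021 Packager <packager@example.invalid> - 12:X.Y.Z-M
- Backport fix for CVE-2021-25217'

# check_text CVE-ID TEXT
# Prints a verdict and returns 0 (fixed) or 1 (not fixed) for TEXT.
check_text() {
    if printf '%s\n' "$2" | changelog_mentions_cve "$1"; then
        echo "fixed: changelog references $1"
        return 0
    fi
    echo "not fixed: no reference to $1 in changelog"
    return 1
}

# check_installed CVE-ID PACKAGE
# Same test against the installed package. Returns 2 when rpm is not
# available (not an EL host), 1 when the package or the CVE is missing.
check_installed() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q --changelog "$2" 2>/dev/null | changelog_mentions_cve "$1"
}

# Stand-alone demonstration on the constructed samples. The "|| true"
# keeps the script going under "set -e" when the unfixed sample returns 1.
check_text "$CVE" "$SAMPLE_UNFIXED" || true
check_text "$CVE" "$SAMPLE_FIXED"
```

On a real host, `check_installed "$CVE" dhcp` (and `dhcp-server` on EL8, where the package is split) gives the answer; an absent CVE string means the backport has not landed, which is the state the thread describes for EL6 to EL8 at the time. One caveat: a changelog is only as good as the packager's habit of naming the CVE, so when it is silent, confirm against the vendor's CVE page linked above rather than assuming the package is vulnerable.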