Source: isc-kea
Version: 2.6.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerabilities were published for isc-kea.

CVE-2025-32801[0]:
| Kea configuration and API directives can be used to load a malicious
| hook library. Many common configurations run Kea as root, leave the
| API entry points unsecured by default, and/or place the control
| sockets in insecure paths. This issue affects Kea versions 2.4.0
| through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.

CVE-2025-32802[1]:
| Kea configuration and API directives can be used to overwrite
| arbitrary files, subject to permissions granted to Kea. Many common
| configurations run Kea as root, leave the API entry points unsecured
| by default, and/or place the control sockets in insecure paths. This
| issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2,
| and 2.7.0 through 2.7.8.

CVE-2025-32803[2]:
| In some cases, Kea log files or lease files may be world-readable.
| This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through
| 2.6.2, and 2.7.0 through 2.7.8.

While at least CVE-2025-32801 is a nonissue in Debian context as the
daemon does not run as root, cf. the detailed writeup at [3], it might
still be a good idea to have isc-kea patched/rebased to 2.6.2 for Debian
trixie.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-32801
    https://www.cve.org/CVERecord?id=CVE-2025-32801
[1] https://security-tracker.debian.org/tracker/CVE-2025-32802
    https://www.cve.org/CVERecord?id=CVE-2025-32802
[2] https://security-tracker.debian.org/tracker/CVE-2025-32803
    https://www.cve.org/CVERecord?id=CVE-2025-32803
[3] https://www.openwall.com/lists/oss-security/2025/05/28/8

Regards,
Salvatore
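The three advisories above each boil down to a configuration property an operator can audit: where hook libraries are loaded from, where the control socket lives, and the mode of lease and log files. The following is an added example (not part of the bug report or of the Kea project) that walks a parsed Kea JSON configuration and reports those properties; the trusted directories, the sample config and the sample file modes are assumptions constructed for the example, and the config keys used are Kea's standard `hooks-libraries`, `control-socket`, `lease-database` and `loggers` directives.

```python
import json
import os
import stat

# Assumption: packaged hook libraries on Debian live under this directory.
TRUSTED_HOOK_DIRS = ("/usr/lib/x86_64-linux-gnu/kea/hooks",)
# Assumption: control sockets belong in a root-owned runtime directory.
TRUSTED_SOCKET_DIRS = ("/run/kea",)

def _under(path, dirs):
    return any(path.startswith(d.rstrip("/") + "/") for d in dirs)

def audit_kea_config(cfg):
    """Findings for hook-library and control-socket directives (CVE-2025-32801/32802)."""
    findings = []
    for server in ("Dhcp4", "Dhcp6", "Control-agent"):
        section = cfg.get(server, {})
        for hook in section.get("hooks-libraries", []):
            lib = hook.get("library", "")
            if not _under(lib, TRUSTED_HOOK_DIRS):
                findings.append(f"{server}: hook library outside trusted dir: {lib}")
        sock = section.get("control-socket", {})
        name = sock.get("socket-name", "")
        if sock.get("socket-type") == "unix" and not _under(name, TRUSTED_SOCKET_DIRS):
            findings.append(f"{server}: control socket in untrusted path: {name}")
    return findings

def data_files(cfg):
    """Lease (memfile) and log file paths named in the config (CVE-2025-32803)."""
    paths = []
    for server in ("Dhcp4", "Dhcp6"):
        section = cfg.get(server, {})
        lease = section.get("lease-database", {})
        if lease.get("type") == "memfile" and lease.get("name"):
            paths.append(lease["name"])
        for logger in section.get("loggers", []):
            for out in logger.get("output_options", []):
                if out.get("output", "").startswith("/"):  # skip stdout/syslog
                    paths.append(out["output"])
    return paths

def world_readable(paths, mode_of=lambda p: os.stat(p).st_mode):
    """Subset of paths whose mode grants read permission to 'other'."""
    return [p for p in paths if mode_of(p) & stat.S_IROTH]

# Constructed sample: one hook outside the packaged dir, socket under /tmp.
SAMPLE = json.loads("""{"Dhcp4": {
  "hooks-libraries": [{"library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_lease_cmds.so"},
                      {"library": "/home/user/custom_hook.so"}],
  "control-socket": {"socket-type": "unix", "socket-name": "/tmp/kea4-ctrl-socket"},
  "lease-database": {"type": "memfile", "name": "/var/lib/kea/kea-leases4.csv"},
  "loggers": [{"output_options": [{"output": "/var/log/kea/kea-dhcp4.log"}]}]}}""")
# Constructed file modes standing in for os.stat() so the sample runs offline.
SAMPLE_MODES = {"/var/lib/kea/kea-leases4.csv": 0o644, "/var/log/kea/kea-dhcp4.log": 0o640}
```

Against a live system, call `world_readable(data_files(cfg))` without the second argument so real file modes are checked.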