Public bug reported: This is a security release to fix CVE-2026-3608.
Here is the relevant snippet of the upstream release notes at https://downloads.isc.org/isc/kea/3.0.3/Kea-3.0.3-ReleaseNotes.txt ``` Welcome to Kea 3.0.3, a vulnerability release of the stable 3.0 series. This supersedes the previous release, version 3.0.2. ... The following changes and bug fixes have been implemented since the previous release: 1. **Vulnerability**: We addressed an issue, which was assigned CVE-2026-3608, where a large number of bracket pairs in a JSON payload directed to any endpoint would result in a stack overflow, due to recursive calls when parsing the JSON [#4275, #4288, #4387]. Since the exploit does not require the JSON request to have the full syntax of a valid command, it bypasses RBAC and the command filters on the High-Availability endpoints. 2. **Security**: A null dereference is now no longer possible when configuring the Control Agent with a socket that lacks the mandatory socket-name entry [#4388, #4365]. 3. **Permissions**: UNIX sockets are now created as group-writable [#4398, #4260]. This allows users belonging to the group to send commands to the UNIX sockets. In particular, it allows Stork 2.4.0 and above to detect the Kea daemon. ## Incompatible Changes There are no incompatible changes. ## Known Issues There are no significant known issues. ``` $ seeded-in-ubuntu isc-kea kea-dev (from isc-kea) is seeded in: ubuntu-budgie: supported ubuntu: supported kea-doc (from isc-kea) is seeded in: ubuntu-budgie: supported ubuntu: supported ** Affects: isc-kea (Ubuntu) Importance: Undecided Status: New ** Tags: server-todo ** Description changed: This is a security release to fix CVE-2026-3608. Here is the relevant snippet of the upstream release notes at https://downloads.isc.org/isc/kea/3.0.3/Kea-3.0.3-ReleaseNotes.txt ``` Welcome to Kea 3.0.3, a vulnerability release of the stable 3.0 series. This supersedes the previous release, version 3.0.2. ... The following changes and bug fixes have been implemented since the previous release: 1. **Vulnerability**: We addressed an issue, which was assigned CVE-2026-3608, where a large number of bracket pairs in a JSON payload directed to any endpoint would result in a stack overflow, due to recursive calls when parsing the JSON [#4275, #4288, #4387]. Since the exploit does not require the JSON request to have the full syntax of a valid command, it bypasses RBAC and the command filters on the High-Availability endpoints. 2. **Security**: A null dereference is now no longer possible when configuring the Control Agent with a socket that lacks the mandatory socket-name entry [#4388, #4365]. 3. **Permissions**: UNIX sockets are now created as group-writable [#4398, #4260]. This allows users belonging to the group to send commands to the UNIX sockets. In particular, it allows Stork 2.4.0 and above to detect the Kea daemon. ## Incompatible Changes There are no incompatible changes. ## Known Issues There are no significant known issues. ``` + + $ seeded-in-ubuntu isc-kea + kea-dev (from isc-kea) is seeded in: + ubuntu-budgie: supported + ubuntu: supported + kea-doc (from isc-kea) is seeded in: + ubuntu-budgie: supported + ubuntu: supported ** Tags added: server-todo ** Changed in: isc-kea (Ubuntu) Milestone: None => ubuntu-26.04-beta -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2146307 Title: Sync isc-kea 3.0.3 from Debian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/isc-kea/+bug/2146307/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
