Alerts This Week
Warning Icon 1 727
Alerts This Week
Warning Icon 1 727

Fedora 41: 2025-b870671130 important: kea local attack risk

fedora
Calendar Grey June 19, 2025
Dist Fedora Esm H88
Explore crucial security updates for kea on Fedora 41 addressing multiple vulnerabilities for enhanced security.
New version 2.6.3 (rhbz#2368989) Fix for: CVE-2025-32801, CVE-2025-32802, CVE-2025-32803 kea.conf: Remove /tmp/ from socket-name for existing configurations kea.conf: Set pseudo-ra...

Summary

DHCP implementation from Internet Systems Consortium, Inc. that features fully

functional DHCPv4, DHCPv6 and Dynamic DNS servers.

Both DHCP servers fully support server discovery, address assignment, renewal,

rebinding and release. The DHCPv6 server supports prefix delegation. Both

servers support DNS Update mechanism, using stand-alone DDNS daemon.

Update Information:

New version 2.6.3 (rhbz#2368989) Fix for: CVE-2025-32801, CVE-2025-32802, CVE-2025-32803 kea.conf: Remove /tmp/ from socket-name for existing configurations kea.conf: Set pseudo-random password for default config to secure fresh install and allow CA startup without user intervention kea.conf: Restrict directory permissions Sync service files with upstream Fix leases ownership when switching from root to kea user (rhbz#2324168) Release Notes: The new default configuration file, kea-ctrl-agent.conf, introduces an authentication setting, "password-file", which restricts access to the REST API. On Fedora, the kea-api-password file is automatically populated with a pseudo- random password to secure new installations. For system upgrades, it is strongly recommended to update any custom configurations to restrict access to the REST API. For more details, including information on CVE fixes and incompatible changes, refer to the upstream release notes: https://downloads.isc.org/isc/kea/2.6...

Topics%20covered

Topics Covered

security advisory fedora important local attack confidentiality kea

Change Log

* Mon Jun 9 2025 Martin Osvald - 2.6.3-1 - New version 2.6.3 (rhbz#2368989) - Fix for: CVE-2025-32801, CVE-2025-32802, CVE-2025-32803 - kea.conf: Remove /tmp/ from socket-name for existing configurations - kea.conf: Set pseudo-random password for default config to secure fresh install and allow CA startup without user intervention - kea.conf: Restrict directory permissions - Sync service files with upstream - Fix leases ownership when switching from root to kea user (rhbz#2324168) * Mon Jun 9 2025 Yaakov Selkowitz - 2.6.2-6 - Reconditionalize openssl-devel-engine * Mon Jun 9 2025 Martin Osvald - 2.6.2-5 - kea.spec: remove rhel7 and f40 conditions * Mon Jun 9 2025 Pavol Sloboda - 2.6.2-4 - fix: fixed the BuildRequires of mariadb-devel package the mariadb- connector-c-devel package is available for all RHEL versions from version 8 and above, as version 7 is quite old this condition is not necessary and all packages should use the BuildRequires of mariadb-connector-c- devel instead of mariadb-devel if possible * Mon Jun 9 2025 Andrea Bolognani - 2.6.2-3 - Use autoreconf more (fixes riscv64 build) * Mon Jun 2 2025 František Hrdina - 2.6.2-2 - Update location of fmf plans

References


[ 1 ] Bug #2324168 - System update from F40 to F41: kea-dhcp unusable https://bugzilla.redhat.com/show_bug.cgi?id=2324168 [ 2 ] Bug #2368989 - kea-2.6.3 is available https://bugzilla.redhat.com/show_bug.cgi?id=2368989 [ 3 ] Bug #2369336 - CVE-2025-32803 kea: Insecure file permissions can result in confidential information leakage [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2369336 [ 4 ] Bug #2369380 - CVE-2025-32801 kea: Loading a malicious hook library can lead to local privilege escalation [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2369380 [ 5 ] Bug #2370278 - CVE-2025-32802 kea: Insecure handling of file paths allows multiple local attacks [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2370278

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-b870671130' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
important
Lowest
Low
Medium
High
Critical

Name: kea
Product: Fedora 41
Version: 2.6.3
Release: 1.fc41
URL: http://kea.isc.org
Summary: DHCPv4, DHCPv6 and DDNS server from ISC

Topics%20covered

Topics Covered

security advisory fedora important local attack confidentiality kea

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here