• Bug#1106737: isc-kea: CVE-2025-32801 CVE-2025-32802 CVE-2025-32803

    From Salvatore Bonaccorso@21:1/5 to Paride Legovini on Sun Jun 1 21:00:01 2025
    Hi,

    On Sun, Jun 01, 2025 at 08:14:24PM +0200, Paride Legovini wrote:
    > On 2025-05-28 23.34, Salvatore Bonaccorso wrote:
    > > The following vulnerabilities were published for isc-kea.
    > >
    > > [...]
    > >
    > > While at least CVE-2025-32801 is a nonissue in Debian context as the
    > > daemon does not run as root, cf. the detailed writeup at [3], it might be
    > > still a good idea to have isc-kea patched/rebased to 2.6.2 for Debian trixie.
    >
    > This is on my radar, I tried importing version 2.6.3 but unfortunately
    > we need to adapt a quilt patch in a non-trivial way. Should be doable.

    Ack, thank you.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paride Legovini@21:1/5 to Salvatore Bonaccorso on Sun Jun 1 20:20:01 2025
    On 2025-05-28 23.34, Salvatore Bonaccorso wrote:
    > The following vulnerabilities were published for isc-kea.
    >
    > [...]
    >
    > While at least CVE-2025-32801 is a nonissue in Debian context as the
    > daemon does not run as root, cf. the detailed writeup at [3], it might be
    > still a good idea to have isc-kea patched/rebased to 2.6.2 for Debian
    > trixie.

    This is on my radar, I tried importing version 2.6.3 but unfortunately
    we need to adapt a quilt patch in a non-trivial way. Should be doable.

    --
    Paride

  • From Paride Legovini@21:1/5 to Paride Legovini on Tue Jun 3 10:40:02 2025
    On 2025-06-01 20.14, Paride Legovini wrote:
    > On 2025-05-28 23.34, Salvatore Bonaccorso wrote:
    > > The following vulnerabilities were published for isc-kea.
    > >
    > > [...]
    > >
    > > While at least CVE-2025-32801 is a nonissue in Debian context as the
    > > daemon does not run as root, cf. the detailed writeup at [3], it might be
    > > still a good idea to have isc-kea patched/rebased to 2.6.2 for Debian
    > > trixie.
    >
    > This is on my radar, I tried importing version 2.6.3 but unfortunately
    > we need to adapt a quilt patch in a non-trivial way. Should be doable.

    I had a deeper look, and maybe none of these CVEs really affect Trixie.

    These CVEs revolve around:

    * Daemons running at root. We never did this in Debian.

    * API entry points unsecured by default. This is fixed in Trixie, see
    the d/changelog entry for 2.2.0-8 and this d/NEWS entry:

    https://salsa.debian.org/debian/isc-kea/-/blob/58ec2c3573/debian/NEWS#L1

    (This is work of Andreas Hasenack from the Ubuntu Server team.)

    * Control sockets in insecure paths. This was tracked in Debian in bug
    #1014929 and fixed in version 2.2.0-2 and it's fixed in Bookworm. (This
    is work of Athos Ribeiro from the Ubuntu Server team.)

    I did forward the bug upstream; it was acknowledged but only fixed
    after the CVEs were filed, see:

    https://gitlab.isc.org/isc-projects/kea/-/issues/2495

    * Kea log files may be world-readable. Not true in Debian: we always had
    LogsDirectoryMode=0750 in the systemd service files.

    * Kea lease files may be world-readable. This *is* true in Debian.

    ----

    If I'm not mistaken in the above, Debian is not affected by the high
    severity part of those CVEs. On the other hand I'd really like the
    package to stay close to upstream, in particular in security choices, as
    that's where most scrutiny will happen.

    I'd still like to upload 2.6.3 to trixie, I prepared a branch already:

    https://salsa.debian.org/paride/isc-kea/-/tree/package-2.6.3

    Note that we can now drop some d/patches, as some "fixed in Debian"
    things are now upstream. Also note that I mentioned all the CVEs in the
    changelog, as that may make tracking easier.

    I'll see what the release team thinks of this upload.

    Cheers,

    Paride

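    The points Paride enumerates above (daemons not running as root, the log
    directory mode, lease files possibly world-readable) can each be verified on
    an installed system. The POSIX sh script below is an added example written
    for this page; it is not part of the bug thread, the isc-kea package or the
    upstream project. The directory paths /var/lib/kea and /var/log/kea and the
    kea- process-name prefix are assumptions (they can be overridden through the
    environment variables at the top), and the 0750 comparison follows the
    LogsDirectoryMode value quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the bug thread or the isc-kea package): audit the
# points raised in the thread on a running system. The paths and the daemon
# name prefix below are assumptions; override them via the environment.

KEA_LEASE_DIR="${KEA_LEASE_DIR:-/var/lib/kea}"   # assumed lease file directory
KEA_LOG_DIR="${KEA_LOG_DIR:-/var/log/kea}"       # assumed log directory
KEA_DAEMON_PREFIX="${KEA_DAEMON_PREFIX:-kea-}"   # assumed process name prefix

# Print regular files under $1 that carry the "other read" bit (o+r).
# Returns 1 when at least one such file exists, 0 otherwise (also for a
# missing directory, so the audit degrades gracefully on hosts without Kea).
world_readable_files() {
    dir="$1"
    [ -d "$dir" ] || return 0
    found=$(find "$dir" -type f -perm -004 2>/dev/null) || true
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# Return 0 when directory $1 grants nothing to "other" (as the 0750 used for
# LogsDirectoryMode does), 1 when any o+rwx bit is set.
dir_is_private() {
    dir="$1"
    [ -d "$dir" ] || return 0
    # ls -ld prints e.g. "drwxr-x---"; characters 8-10 are the "other" bits.
    others=$(ls -ld "$dir" | cut -c8-10)
    [ "$others" = "---" ]
}

# List Kea daemons (matched by command-name prefix) running as root.
# On a Debian install this should print nothing.
kea_daemons_as_root() {
    ps -e -o user= -o comm= 2>/dev/null |
        awk -v p="$KEA_DAEMON_PREFIX" '$1 == "root" && index($2, p) == 1 { print $2 }'
}

# Run all checks, report findings on stderr, return 1 on any finding.
audit_kea_state() {
    status=0
    for d in "$KEA_LEASE_DIR" "$KEA_LOG_DIR"; do
        if ! files=$(world_readable_files "$d"); then
            printf 'WARN: world-readable files under %s:\n%s\n' "$d" "$files" >&2
            status=1
        fi
        if ! dir_is_private "$d"; then
            printf 'WARN: %s is accessible by other users\n' "$d" >&2
            status=1
        fi
    done
    roots=$(kea_daemons_as_root)
    if [ -n "$roots" ]; then
        printf 'WARN: Kea daemons running as root: %s\n' "$roots" >&2
        status=1
    fi
    return "$status"
}

# Run the audit only when explicitly requested, so the file can also be
# sourced for its functions: KEA_AUDIT_RUN=1 sh kea-audit.sh
if [ "${KEA_AUDIT_RUN:-0}" = 1 ]; then
    audit_kea_state
fi
```

    A non-zero exit from audit_kea_state means at least one of the conditions
    from the thread holds on that host; the lease-file check in particular is
    the one Paride notes as still true in Debian, so a finding there is
    expected until the package changes the file mode.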