ALT-PU-2025-14151-2

Package update kea in branch sisyphus

Version3.0.2-alt1

Published2026-02-04

Max severityHIGH

Severity:

Closed issues (2)

HIGH7.5

Уязвимость DHCP-сервера с открытым исходным кодом Kea, связанная с использованием смещения указателя вне диапазона, позволяющая нарушителю повысить свои привилегии и вызвать отказ в обслуживании

Published: 2025-12-11

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2025-11232

HIGH7.5

To trigger the issue, three configuration parameters must have specific settings: "hostname-char-set" must be left at the default setting, which is "[^A-Za-z0-9.-]"; "hostname-char-replacement" must be empty (the default); and "ddns-qualifying-suffix" must NOT be empty (the default is empty). DDNS updates do not need to be enabled for this issue to manifest. A client that sends certain option content would then cause kea-dhcp4 to exit unexpectedly. This issue affects Kea versions 3.0.1 through 3.0.1 and 3.1.1 through 3.1.2.

Published: 2025-10-29Modified: 2026-04-15

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References