Your message dated Tue, 03 Jun 2025 15:16:49 +0000
with message-id <e1umtnh-0003tl...@fasolo.debian.org>
and subject line Bug#1106737: fixed in isc-kea 2.6.3-1
has caused the Debian Bug report #1106737,
regarding isc-kea: CVE-2025-32801 CVE-2025-32802 CVE-2025-32803
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1106737: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106737
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: isc-kea
Version: 2.6.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for isc-kea.
CVE-2025-32801[0]:
| Kea configuration and API directives can be used to load a malicious
| hook library. Many common configurations run Kea as root, leave the
| API entry points unsecured by default, and/or place the control
| sockets in insecure paths. This issue affects Kea versions 2.4.0
| through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.
CVE-2025-32802[1]:
| Kea configuration and API directives can be used to overwrite
| arbitrary files, subject to permissions granted to Kea. Many common
| configurations run Kea as root, leave the API entry points unsecured
| by default, and/or place the control sockets in insecure paths. This
| issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2,
| and 2.7.0 through 2.7.8.
CVE-2025-32803[2]:
| In some cases, Kea log files or lease files may be world-readable.
| This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through
| 2.6.2, and 2.7.0 through 2.7.8.
While at least CVE-2025-32801 is a nonissue in Debian context as the
daemon does not run as root, cf. the detailed writeup at [3], it might
still be a good idea to have isc-kea patched/rebased to 2.6.2 for Debian
trixie.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-32801
https://www.cve.org/CVERecord?id=CVE-2025-32801
[1] https://security-tracker.debian.org/tracker/CVE-2025-32802
https://www.cve.org/CVERecord?id=CVE-2025-32802
[2] https://security-tracker.debian.org/tracker/CVE-2025-32803
https://www.cve.org/CVERecord?id=CVE-2025-32803
[3] https://www.openwall.com/lists/oss-security/2025/05/28/8
Regards,
Salvatore
--- End Message ---
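The three advisories quoted in the report share one theme: Kea loads hook libraries and writes files wherever its configuration (or an unauthenticated API caller) points, so the damage depends on where those paths live and who can write them. The script below is an added example, not code from Debian, ISC or the bug report. It audits a Kea configuration for exactly the conditions the advisories name: hook libraries in paths a non-root user can write, control sockets in world-writable directories, and world-readable lease or log files. It assumes Kea's JSON dialect (comments stripped naively), the section keys Dhcp4/Dhcp6/DhcpDdns/Control-agent and the keys hooks-libraries, control-socket(s), lease-database and loggers; the sample configuration and the (uid, mode) table standing in for os.stat() are constructed for the example. Whether the daemon itself runs as root (Debian runs it as _kea, as the report notes) and whether the control-agent API has authentication enabled are not visible from file metadata and must be checked separately.

```python
"""Audit a Kea configuration for the deployment weaknesses the advisory names:
hook libraries in paths a non-root user can write (CVE-2025-32801), control
sockets in world-writable directories (CVE-2025-32802), world-readable lease
or log files (CVE-2025-32803). Added example, not Debian's or ISC's code."""
import json
import os
import re
import stat
import sys

TOP_LEVEL = ("Dhcp4", "Dhcp6", "DhcpDdns", "Control-agent")  # Kea config roots

def load_kea_config(text):
    """json.loads after dropping the /* */ and full-line // or # comments Kea
    accepts (assumes no comment markers inside strings and no trailing comments)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    kept = [ln for ln in text.splitlines() if not ln.lstrip().startswith(("//", "#"))]
    return json.loads("\n".join(kept))

def _sections(cfg):
    return [cfg[k] for k in TOP_LEVEL if isinstance(cfg.get(k), dict)]

def hook_libraries(cfg):
    """Library path of every hooks-libraries entry in any section."""
    return [h["library"] for s in _sections(cfg)
            for h in s.get("hooks-libraries", []) if "library" in h]

def control_sockets(cfg):
    """UNIX socket paths from control-socket (object) or control-sockets (list, or dict by service)."""
    paths = []
    for s in _sections(cfg):
        for v in (s.get("control-socket"), s.get("control-sockets")):
            if isinstance(v, dict):
                v = [v] if "socket-name" in v else list(v.values())
            paths += [i["socket-name"] for i in (v or []) if isinstance(i, dict)
                      and i.get("socket-type", "unix") == "unix" and "socket-name" in i]
    return paths

def data_files(cfg):
    """memfile lease files plus file-backed logger outputs (stdout/syslog skipped)."""
    files = []
    for s in _sections(cfg):
        ldb = s.get("lease-database", {})
        if ldb.get("type") == "memfile" and "name" in ldb:
            files.append(ldb["name"])
        for lg in s.get("loggers", []):
            files += [o["output"] for o in lg.get("output-options", lg.get("output_options", []))
                      if o.get("output", "").startswith("/")]
    return files

def audit(cfg, describe):
    """describe(path) -> (uid, st_mode) for an existing path, else None.
    Returns (category, path, detail) tuples; an empty list means nothing flagged."""
    findings = []
    for lib in hook_libraries(cfg):
        # What the daemon can be told to dlopen, and its directory, must be root-owned and not writable by others.
        for p in (lib, os.path.dirname(lib)):
            st = describe(p)
            ok = st is not None and st[0] == 0 and not st[1] & (stat.S_IWGRP | stat.S_IWOTH)
            if not ok:
                detail = "missing" if st is None else f"uid {st[0]}, mode {st[1] & 0o7777:04o}"
                findings.append(("hook-library", lib, f"{p}: {detail}"))
                break
    for sock in control_sockets(cfg):
        d = os.path.dirname(sock)
        st = describe(d)
        if st is not None and st[1] & stat.S_IWOTH:
            findings.append(("control-socket", sock, f"directory {d} is world-writable"))
    for f in data_files(cfg):
        st = describe(f)
        if st is not None and st[1] & stat.S_IROTH:
            findings.append(("world-readable", f, f"mode {st[1] & 0o7777:04o}"))
    return findings

def describe_fs(path):  # describe() over the real filesystem
    st = os.stat(path) if os.path.exists(path) else None
    return None if st is None else (st.st_uid, st.st_mode)

# Constructed sample reproducing the weak layout the advisory describes.
SAMPLE_CONFIG = r"""
/* constructed sample, not a shipped Kea configuration */
{ "Dhcp4": {
    // a hook library in a world-writable directory: any local user can replace it
    "hooks-libraries": [ { "library": "/tmp/libdhcp_custom.so" } ],
    "control-socket": { "socket-type": "unix", "socket-name": "/tmp/kea4-ctrl-socket" },
    "lease-database": { "type": "memfile", "name": "/var/lib/kea/kea-leases4.csv" },
    "loggers": [ { "name": "kea-dhcp4", "output-options": [ { "output": "/var/log/kea/kea-dhcp4.log" } ] } ]
} }
"""
# Constructed (uid, st_mode) pairs standing in for os.stat() on that layout.
SAMPLE_FS = {"/tmp": (0, 0o041777), "/tmp/libdhcp_custom.so": (1000, 0o100644),
             "/var/lib/kea/kea-leases4.csv": (105, 0o100644),
             "/var/log/kea/kea-dhcp4.log": (105, 0o100640)}

def audit_sample():
    return audit(load_kea_config(SAMPLE_CONFIG), SAMPLE_FS.get)

if __name__ == "__main__":  # usage: kea_audit.py /etc/kea/kea-dhcp4.conf ...
    for path in sys.argv[1:]:
        for finding in audit(load_kea_config(open(path).read()), describe_fs):
            print(path, *finding, sep=": ")
```

On the sample, the audit reports the hook library (owned by uid 1000 rather than root), the control socket (its directory /tmp is world-writable) and the lease file (mode 0644), while the 0640 log file passes. The hook-library test is deliberately stricter than "is the file writable by the Kea user": a path anyone but root can write is enough, because the advisory's point is that a configuration or API directive can be made to load whatever sits there.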
--- Begin Message ---
Source: isc-kea
Source-Version: 2.6.3-1
Done: Paride Legovini <par...@debian.org>
We believe that the bug you reported is fixed in the latest version of
isc-kea, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1106...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paride Legovini <par...@debian.org> (supplier of updated isc-kea package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 02 Jun 2025 19:00:06 +0200
Source: isc-kea
Architecture: source
Version: 2.6.3-1
Distribution: unstable
Urgency: medium
Maintainer: Kea <isc-...@packages.debian.org>
Changed-By: Paride Legovini <par...@debian.org>
Closes: 1106737
Changes:
isc-kea (2.6.3-1) unstable; urgency=medium
.
  * New upstream version 2.6.3.
    Closes: #1106737 by fixing:
    - CVE-2025-32801:
      Loading a malicious hook library can lead to local privilege escalation
    - CVE-2025-32802:
      Insecure handling of file paths allows multiple local attacks
    - CVE-2025-32803:
      Insecure file permissions can result in confidential information leakage
    Thanks: Salvatore Bonaccorso
  * d/*.service: restrict RuntimeDirectory and StateDirectory.
    This is part of the fix of the aforementioned CVEs.
  * d/kea-common.postinst: make /etc/kea owned by _kea:_kea and chmod 0750
  * d/p/0009-disable-database-tests.patch: refresh (context)
  * d/p/0010-set-control-sockets-location.patch: drop patch (upstreamed)
  * d/p/0011-kea-ctrl-agent-authentication.patch: drop patch (upstreamed)
  * d/t/smoke-test: execute some test commands as the _kea user.
Checksums-Sha1:
af04797ef518f5f77eebe682741757fd6cc01723 2865 isc-kea_2.6.3-1.dsc
1b3074be301ae6f885ce63028503c9d0fa38c5c1 10498882 isc-kea_2.6.3.orig.tar.gz
d29c3c7aac170276838dd44d148eecfcb231f315 833 isc-kea_2.6.3.orig.tar.gz.asc
8c3a0e1d61af8cbf7e00cbd2269f135b0cdf0a79 42376 isc-kea_2.6.3-1.debian.tar.xz
1934a4318131f488d712e46466df164f95b15994 8913 isc-kea_2.6.3-1_source.buildinfo
Checksums-Sha256:
80ed03d97f6af9c79134859b23cc8bc64114e3a93848a8d2c9a0895972ea8efe 2865 isc-kea_2.6.3-1.dsc
00241a5955ffd3d215a2c098c4527f9d7f4b203188b276f9a36250dd3d9dd612 10498882 isc-kea_2.6.3.orig.tar.gz
f6946770faeaeb055dced609bf29a949542236921b6780e1a07a56d66b461883 833 isc-kea_2.6.3.orig.tar.gz.asc
7f99de391aaf3aa6a786b052ce8078ea261f9c6df395d73169dc17681e4b1367 42376 isc-kea_2.6.3-1.debian.tar.xz
c313ad970c1950146668a8ab0c048e5d3fe4ea00c3c796eda951e9378cc44bff 8913 isc-kea_2.6.3-1_source.buildinfo
Files:
e00d372923a7260513b8f2f0973ddcda 2865 net optional isc-kea_2.6.3-1.dsc
abf8cb8bbc74fd7691883b837e9deec8 10498882 net optional isc-kea_2.6.3.orig.tar.gz
91b1f7ddd097fef8852b6ae7b1deb664 833 net optional isc-kea_2.6.3.orig.tar.gz.asc
77832fc2f4737a63e0be56d7e4928318 42376 net optional isc-kea_2.6.3-1.debian.tar.xz
e2ea98f5c30d730f3689f92bee7ddf63 8913 net optional isc-kea_2.6.3-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---