On 2025-06-01 20.14, Paride Legovini wrote:
> On 2025-05-28 23.34, Salvatore Bonaccorso wrote:
>> The following vulnerabilities were published for isc-kea.
>>
> [...]
>>
>> While at least CVE-2025-32801 is a nonissue in Debian context as the
>> daemon does not run as root, cf. the detailed writeup at [3], it might be
>> still a good idea to have isc-kea patched/rebased to 2.6.2 for Debian
>> trixie.
>
> This is on my radar, I tried importing version 2.6.3 but unfortunately
> we need to adapt a quilt patch in a non-trivial way. Should be doable.
I had a deeper look, and maybe none of these CVEs really affect Trixie.
These CVEs revolve around:

* Daemons running as root. We never did this in Debian.

* API entry points unsecured by default. This is fixed in Trixie, see the
  d/changelog entry for 2.2.0-8 and this d/NEWS entry:
  https://salsa.debian.org/debian/isc-kea/-/blob/58ec2c3573/debian/NEWS#L1
  (This is work of Andreas Hasenack from the Ubuntu Server team.)

* Control sockets in insecure paths. This was tracked in Debian in bug
  #1014929 and fixed in version 2.2.0-2, and it's fixed in Bookworm.
  (This is work of Athos Ribeiro from the Ubuntu Server team.)
  I did forward the bug upstream; it was acknowledged but only fixed after
  the CVEs were filed, see:
  https://gitlab.isc.org/isc-projects/kea/-/issues/2495

* Kea log files may be world-readable. Not true in Debian: we always had
  LogsDirectoryMode=0750 in the systemd service files.

* Kea lease files may be world-readable. This *is* true in Debian.

----

If I'm not mistaken in the above, Debian is not affected by the high
severity part of those CVEs. On the other hand I'd really like the package
to stay close to upstream, in particular in security choices, as that's
where most scrutiny will happen.

I'd still like to upload 2.6.3 to trixie, I prepared a branch already:
https://salsa.debian.org/paride/isc-kea/-/tree/package-2.6.3

Note that we can now drop some d/patches, as some "fixed in Debian" things
are now upstream. Also note that I mentioned all the CVEs in the changelog,
as that may make tracking easier.

I'll see what the release team thinks of this upload.

Cheers,
Paride
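The two file-permission points in the message above (log directory kept at 0750, lease files possibly world-readable) can be checked on an installed system with a small audit. The script below is an added example written for this thread; it is not code from the Debian isc-kea package, from Kea upstream, or from either poster. It takes the paths to check as arguments (the real log directory and lease file locations on a given system are an assumption the caller supplies); the demo at the end builds constructed files in a temporary directory so it runs anywhere.

```shell
#!/bin/sh
# Added example for this thread, not part of the isc-kea package.
# Audits whether given paths are readable by "other" (world-readable), the
# condition discussed for Kea log directories and lease files, and offers a
# remediation helper that removes the "other" bits.

# Return 0 if the path has the other-read bit set, 1 otherwise.
# Uses find -perm -004 so it works without GNU stat; -prune stops descent
# into directories so only the named path itself is tested.
is_world_readable() {
    find "$1" -prune -perm -004 -print 2>/dev/null | grep -q .
}

# Remediation: strip read/write/execute for "other" on one path.
tighten_path() {
    chmod o-rwx "$1"
}

# Audit every path given as an argument. Prints one line per path and
# returns the number of world-readable paths as its exit status
# (0 is the desired state: nothing world-readable).
kea_perm_audit() {
    findings=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            printf 'skip: %s does not exist\n' "$p"
            continue
        fi
        mode=$(ls -ld "$p" | cut -d' ' -f1)
        if is_world_readable "$p"; then
            printf 'world-readable: %s (%s)\n' "$p" "$mode"
            findings=$((findings + 1))
        else
            printf 'ok: %s (%s)\n' "$p" "$mode"
        fi
    done
    return "$findings"
}

# Constructed demo (no real Kea install needed): a log directory at mode
# 0750, as the thread's LogsDirectoryMode gives, and a lease file left at
# 0644. Returns the audit's finding count; expected 1 (the lease file).
demo_audit() {
    d=$(mktemp -d) || return 99
    mkdir "$d/log" && chmod 750 "$d/log"
    : > "$d/kea-leases4.csv" && chmod 644 "$d/kea-leases4.csv"
    kea_perm_audit "$d/log" "$d/kea-leases4.csv"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_audit || echo "findings: $?"
```

On a real host, call `kea_perm_audit` with the actual log directory and lease file paths from the local configuration, and run `tighten_path` on anything it flags; re-running the audit should then return 0.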