On 2015/12/23 22:03, Kenneth Westerback wrote:
> On 23 December 2015 at 21:53, Stuart Henderson <st...@openbsd.org> wrote:
> > On 2015/12/23 14:47, Patrik Lundin wrote:
> >> On Wed, Dec 23, 2015 at 11:33:30AM +0000, Stuart Henderson wrote:
> >> > Updated tar.gz for the 0.9.2-P1 crash fix ("Improved handling of incoming
> >> > packets with invalid client-id and DUID.")
> >> >
> >>
> >> Nice catch! I had not seen any word of this release on the kea mailing
> >> lists, how did you notice it?
> >
> > I saw it on oss-sec first, then on ISC's security RSS feed (and as if
> > to emphasize the slightly random nature of that feed it was followed
> > by release notes for 0.9, 0.9.2-beta and 0.9.2 :-) I read oss-sec anyway,
> > and since I maintain the BIND port I track a few places where ISC are
> > likely to announce things.
> >
> > http://www.openwall.com/lists/oss-security/2015/12/22/11
> > https://www.isc.org/?feed=security-feed
> >
> 
> What would be really nice is if they described somewhere the
> 'crafted' packet that was blowing them up. As far as the diff goes
> they just wrapped try {} around the code trying to get a client
> identifier. So it's kinda unsatisfying as far as figuring out if our
> in-tree dhcpd would blow up with a similar packet. :-)

See, they learned from Juniper!
