On Wed, May 28, 2025, at 12:54, Victoria Risk wrote:
> Kea users:
>
> Internet Systems Consortium is pleased to announce the release of Kea 2.4.2,
> 2.6.3 and 2.7.9. Please note that all three of these releases contain fixes
> addressing multiple security issues detailed in three CVEs published today.
>
> • CVE-2025-32801: Loading a malicious hook library can lead to local
>   privilege escalation https://kb.isc.org/docs/cve-2025-32801
> • CVE-2025-32802: Insecure handling of file paths allows multiple local
>   attacks https://kb.isc.org/docs/cve-2025-32802
> • CVE-2025-32803: Insecure file permissions can result in confidential
>   information leakage https://kb.isc.org/docs/cve-2025-32803
>
> Kea 2.4.2 is expected to be our last release on that old stable branch, which
> we will be retiring with the release of Kea 3.0, expected in June. Kea 2.6.3
> is our current stable version. Release notes for these two versions are
> available at:
> Kea 2.4.2 https://downloads.isc.org/isc/kea/2.4.2/Kea-2.4.2-ReleaseNotes.txt
> Kea 2.6.3 https://downloads.isc.org/isc/kea/2.6.3/Kea-2.6.3-ReleaseNotes.txt

I just upgraded to 2.6.3, and my network was broken because the daemons would not start, because the configuration files placed the sockets in /tmp (which is no longer permitted). While I understand that it's rare, if a patch release (incrementing only the last component of the version number) contains breaking/incompatible changes, please help the users by noting that in the release announcement. It is certainly true that not every user reads the entirety of the release notes before upgrading to a new version.

--
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
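
A pre-upgrade check for the failure described in the reply above, as an added example that is not part of the original thread or of Kea itself: it scans a Kea JSON configuration for socket paths under /tmp. The `socket-name` key, the comment styles handled and the sample configuration are assumptions based on Kea's usual configuration format, not details taken from the thread.

```python
import json
import posixpath
import re

# Constructed sample configuration (not from the thread).
SAMPLE = """
{
  # Kea accepts comments in its JSON, so they are stripped before parsing
  "Dhcp4": {
    "control-socket": {
      "socket-type": "unix",
      "socket-name": "/tmp/kea4-ctrl-socket"  // the setting to find
    }
  }
}
"""

# A JSON string, or a #, // or /* */ comment. Strings are matched first so
# that comment markers inside a string value are left alone.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|#[^\n]*|//[^\n]*|/\*.*?\*/', re.S)

def strip_comments(text):
    """Remove comments but keep every JSON string intact."""
    return TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def find_tmp_sockets(config_text, banned_dir="/tmp"):
    """Return (location, value) for each socket-name under banned_dir."""
    hits = []
    def walk(node, where):
        if isinstance(node, dict):
            for key, val in node.items():
                if key == "socket-name" and isinstance(val, str):
                    # normpath collapses ".." so /var/run/../../tmp/x is caught
                    path = posixpath.normpath(val)
                    if path == banned_dir or path.startswith(banned_dir + "/"):
                        hits.append((f"{where}/{key}", val))
                walk(val, f"{where}/{key}")
        elif isinstance(node, list):
            for idx, val in enumerate(node):
                walk(val, f"{where}[{idx}]")
    walk(json.loads(strip_comments(config_text)), "")
    return hits

if __name__ == "__main__":
    for where, val in find_tmp_sockets(SAMPLE):
        print(f"{where}: {val}")
```

Run it against each daemon's configuration file before upgrading; an empty result means no `socket-name` in that file resolves to a path under /tmp.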