On 23 December 2015 at 21:53, Stuart Henderson <st...@openbsd.org> wrote:
> On 2015/12/23 14:47, Patrik Lundin wrote:
>> On Wed, Dec 23, 2015 at 11:33:30AM +0000, Stuart Henderson wrote:
>> > Updated tar.gz for the 0.9.2-P1 crash fix ("Improved handling of incoming
>> > packets with invalid client-id and DUID.")
>> >
>>
>> Nice catch! I had not seen any word of this release on the kea mailing
>> lists, how did you notice it?
>
> I saw it on oss-sec first, then on ISC's security RSS feed (and as if
> to emphasize the slightly random nature of that feed it was followed
> by release notes for 0.9, 0.9.2-beta and 0.9.2 :-) I read oss-sec anyway,
> and since I maintain the BIND port I track a few places where ISC are
> likely to announce things.
>
> http://www.openwall.com/lists/oss-security/2015/12/22/11
> https://www.isc.org/?feed=security-feed
>

What would be really nice is if they described somewhere the
'crafted' packet that was blowing them up. As far as the diff goes
they just wrapped try {} around the code trying to get a client
identifier. So it's kinda unsatisfying as far as figuring out if our
in-tree dhcpd would blow up with a similar packet. :-)

.... Ken
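Since the thread never learns what the crafted packet looked like, here is the kind of check a reviewer would want around client-identifier extraction regardless: a bounds-checked walk of the DHCPv4 options area that refuses option 61 (client identifier) when its length byte runs past the buffer or is shorter than RFC 2132's two-byte minimum. This is an added example written for this page; it is not Kea's code, not OpenBSD's in-tree dhcpd, and does not claim to reproduce the packet that crashed Kea. The option-area byte strings are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Kea or OpenBSD dhcpd code. Walks the DHCPv4 options
 * area (the bytes after the magic cookie) and locates option 61, the
 * client identifier, trusting no length byte in the packet. */

#define DHO_PAD          0
#define DHO_CLIENT_ID   61
#define DHO_END        255

enum cid_status {
    CID_NOT_PRESENT = 0,
    CID_OK,
    CID_TRUNCATED,   /* an option's length byte runs past the buffer */
    CID_TOO_SHORT    /* client-id shorter than type byte + 1 byte of id */
};

/* On CID_OK, *id/*idlen describe the option payload (type byte included). */
enum cid_status find_client_id(const uint8_t *opts, size_t len,
                               const uint8_t **id, size_t *idlen)
{
    size_t i = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == DHO_PAD) continue;
        if (code == DHO_END) break;
        if (i >= len) return CID_TRUNCATED;      /* code byte with no length */
        size_t olen = opts[i++];
        if (olen > len - i) return CID_TRUNCATED; /* length claims more than we have */
        if (code == DHO_CLIENT_ID) {
            if (olen < 2) return CID_TOO_SHORT;  /* RFC 2132 sec. 9.14: minimum 2 */
            *id = opts + i;
            *idlen = olen;
            return CID_OK;
        }
        i += olen;
    }
    return CID_NOT_PRESENT;
}

/* Convenience wrappers returning only the status / payload length. */
enum cid_status client_id_status(const uint8_t *opts, size_t len)
{
    const uint8_t *id; size_t n;
    return find_client_id(opts, len, &id, &n);
}

size_t client_id_len(const uint8_t *opts, size_t len)
{
    const uint8_t *id; size_t n = 0;
    return find_client_id(opts, len, &id, &n) == CID_OK ? n : 0;
}

/* Constructed sample option areas (no fixed header, no cookie). */
static const uint8_t pkt_good[]  = { 53,1,1, 61,7,1,0xde,0xad,0xbe,0xef,0x00,0x01, 255 };
static const uint8_t pkt_trunc[] = { 53,1,1, 61,10,1,2,3 };  /* claims 10 bytes, 3 follow */
static const uint8_t pkt_short[] = { 61,0, 255 };            /* zero-length client-id */
static const uint8_t pkt_none[]  = { 53,1,1, 0,0, 255 };     /* pads, no option 61 */

int main(void)
{
    printf("good: %d len=%zu\n", client_id_status(pkt_good, sizeof pkt_good),
           client_id_len(pkt_good, sizeof pkt_good));
    printf("truncated: %d\n", client_id_status(pkt_trunc, sizeof pkt_trunc));
    printf("too short: %d\n", client_id_status(pkt_short, sizeof pkt_short));
    printf("absent: %d\n", client_id_status(pkt_none, sizeof pkt_none));
    return 0;
}
```

The point of returning a status instead of a pointer into the buffer is that the caller decides what to do with a malformed packet (drop it, log it) before any code dereferences a client-id that was never fully received; a try {} around the extraction, as Ken describes the Kea change, recovers from the fault after the fact rather than rejecting the packet up front.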
