Kea 2.4.2 (stable) released on May 28, 2025
-2172. [build] andrei
+2173. [build] andrei
The library version numbers have been bumped up for the Kea 2.4.2
stable release.
(Gitlab #3890)
+2172. [sec]* tmark, fdupont, razvan
+ All files and sockets created by Kea servers have been
+ restricted to default paths determined at compile time
+ which may be overridden by environment variables. This
+ includes lease files, log files, control channel sockets,
+ and the output from commands such as lease4-write and
+ lease6-write. The output of config-write is restricted to
+ the directory from which the configuration file was read.
+ Use of unsupported paths will result in servers emitting
+ errors and refusing to start or rejecting commands.
+ The specifics including the supported paths and environment
+ variable names are in the relevant ARM sections.
+ CVE:2025-32801
+ (Gitlab #3831)
+
2171. [sec]* fdupont
Change the umask to no group write and no other access
at the entry of Kea server/agent binaries.
As of Kea 2.4.2, lease files may only be loaded from the data directory
determined during compilation: ``"[kea-install-dir]/var/lib/kea"``. This
path may be overridden at startup by setting the environment variable
- ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than
+ ``KEA_DHCP_DATA_DIR`` to the desired path. If a path other than
this value is used in ``name``, Kea will emit an error and refuse to start
or, if already running, log an unrecoverable error. For ease of use in
specifying a custom file name simply omit the path component from ``name``.
As of Kea 2.4.2, lease files may only be loaded from the data directory
determined during compilation: ``"[kea-install-dir]/var/lib/kea"``. This
path may be overridden at startup by setting the environment variable
- ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than
+ ``KEA_DHCP_DATA_DIR`` to the desired path. If a path other than
this value is used in ``name``, Kea will emit an error and refuse to start
or, if already running, log an unrecoverable error. For ease of use in
specifying a custom file name simply omit the path component from ``name``.
files may only be loaded from the directory determined at
compilation: ``"[kea-install-dir]/var/lib/kea"``. This path may be
overridden at startup by setting the environment variable
- ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than
+ ``KEA_DHCP_DATA_DIR`` to the desired path. If a path other than
this value is used in ``data-directory``, Kea will emit an error and
refuse to start or, if already running, log an unrecoverable error.
As of Kea 2.4.2, the lease file may only be written to the data directory
determined during compilation: ``"[kea-install-dir]/var/lib/kea"``. This
path may be overridden at startup by setting the environment variable
- ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than
+ ``KEA_DHCP_DATA_DIR`` to the desired path. If a path other than
this value is used in ``filename``, Kea will emit an error and refuse to start
or, if already running, log an unrecoverable error. For ease of use in
specifying a custom file name simply omit the path portion from ``filename``.
may only be loaded from the directory determined at compilation:
``"[kea-install-dir]/var/lib/kea"``.
This path may be overridden at startup by setting the environment variable
- ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than
+ ``KEA_DHCP_DATA_DIR`` to the desired path. If a path other than
this value is used in ``name`` or ``data-directory``, Kea will emit an error and
refuse to start or, if already running, log an unrecoverable error.
This restriction applies to writing lease file using ``lease4-write`` and
Path restrictions mentioned through this section can be summarized according to
the following table:
-+-------------------------------------+---------------------------------------+----------------------------------+
-| Restricted Element | Default Value | Environment Variable Override |
-+=====================================+=======================================+==================================+
-| Config Files (``config-write``) | Same Directory as Initial Config File | N/A |
-+-------------------------------------+---------------------------------------+----------------------------------+
-| Lease Files | ``var/lib/kea`` | ``KEA_DHCP_DATA_DIRECTORY`` |
-+-------------------------------------+---------------------------------------+----------------------------------+
-| Log Files | ``var/log/kea`` | ``KEA_LOG_FILE_DIR`` |
-+-------------------------------------+---------------------------------------+----------------------------------+
-| Unix Sockets | ``var/run/kea`` | ``KEA_CONTROL_SOCKET_DIR`` |
-+-------------------------------------+---------------------------------------+----------------------------------+
++-------------------------------------+---------------------------------------+-------------------------------+
+| Restricted Element | Default Value | Environment Variable Override |
++=====================================+=======================================+===============================+
+| Config Files (``config-write``) | Same Directory as Initial Config File | N/A |
++-------------------------------------+---------------------------------------+-------------------------------+
+| Lease Files | ``var/lib/kea`` | ``KEA_DHCP_DATA_DIR`` |
++-------------------------------------+---------------------------------------+-------------------------------+
+| Log Files | ``var/log/kea`` | ``KEA_LOG_FILE_DIR`` |
++-------------------------------------+---------------------------------------+-------------------------------+
+| Unix Sockets | ``var/run/kea`` | ``KEA_CONTROL_SOCKET_DIR`` |
++-------------------------------------+---------------------------------------+-------------------------------+
projects / thirdparty / kea.git / commitdiff
