Solves CVE-2026-3608.
License-Update: copyright years refreshed
Release notes [1]:
Welcome to Kea 3.0.3, a vulnerability release of the stable 3.0 series.
This supersedes the previous release, version 3.0.2.
1. **Vulnerability**: We addressed an issue, which was assigned
CVE-2026-3608, where a large number of bracket pairs in a JSON payload
directed to any endpoint would result in a stack overflow, due to
recursive calls when parsing the JSON [#4275, #4288, #4387]. Since the
exploit does not require the JSON request to have the full syntax of a
valid command, it bypasses RBAC and the command filters on the
High-Availability endpoints.
2. **Security**: A null dereference is now no longer possible when
configuring the Control Agent with a socket that lacks the mandatory
socket-name entry [#4388, #4365].
3. **Permissions**: UNIX sockets are now created as group-writable
[#4398, #4260]. This allows users belonging to the group to send
commands to the UNIX sockets. In particular, it allows Stork 2.4.0 and
above to detect the Kea daemon.
[1] https://downloads.isc.org/isc/kea/3.0.3/Kea-3.0.3-ReleaseNotes.txt
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
HOMEPAGE = "http://kea.isc.org"
SECTION = "connectivity"
LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYING;md5=fb634ed1d923b8b8fd1ed7ffc9b70ae4"
+LIC_FILES_CHKSUM = "file://COPYING;md5=a64dc8efc3c40d0502ad372f810700e4"
DEPENDS = "boost log4cplus openssl"
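Review bot: the LIC_FILES_CHKSUM change in this hunk is backed by the "License-Update: copyright years refreshed" line in the commit message, but only the new md5 is visible here; please quote the COPYING diff, or state explicitly that the MPL-2.0 text is unchanged apart from the copyright years, so a reviewer can confirm that the unchanged `LICENSE = "MPL-2.0"` line still matches the shipped file.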
file://0001-d2-dhcp-46-radius-dhcpsrv-Avoid-Boost-lexical_cast-o.patch \
file://0001-src-lib-log-logger_level_impl.cc-add-a-missing-inclu.patch \
"
-SRC_URI[sha256sum] = "29f4e44fa48f62fe15158d17411e003496203250db7b3459c2c79c09f379a541"
+SRC_URI[sha256sum] = "09702ddb078b637e85de9236cbedd3fb9d7af7c6e797026c538b45748ad4d631"
inherit meson pkgconfig systemd update-rc.d upstream-version-is-even
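Review bot: the SRC_URI[sha256sum] bump is the only version-related change visible; the recipe rename from 3.0.2 to 3.0.3 that actually moves PV is not shown, so please confirm it is part of this commit. The two local patches still listed above it, `file://0001-d2-dhcp-46-radius-dhcpsrv-Avoid-Boost-lexical_cast-o.patch` and `file://0001-src-lib-log-logger_level_impl.cc-add-a-missing-inclu.patch`, should be re-checked against 3.0.3 (do they still apply, or have they been merged upstream and can be dropped). The `upstream-version-is-even` inherit remains correct, since it matches on the even minor version (3.0), not the patch level.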