Kea DHCP 1.4.0 may fail to release memory after temporarily storing client network packets. This causes a constant increase in memory consumption that can cause server resources to become exhausted, leading to loss of DHCP server functionality.

Gentoo Security Scout Florian Schuhmacher
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1eb7529cbbd47cd674f5bce9c951a356c36cde07

commit 1eb7529cbbd47cd674f5bce9c951a356c36cde07
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2018-07-12 09:25:38 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-07-12 09:25:57 +0000

    net-misc/kea: Security cleanup.

    Bug: https://bugs.gentoo.org/660988
    Package-Manager: Portage-2.3.42, Repoman-2.3.9

 net-misc/kea/Manifest         |  1 -
 net-misc/kea/kea-1.4.0.ebuild | 68 -------------------------------------------
 2 files changed, 69 deletions(-)
I already added version 1.4.0_p1 to the tree today. Now I've also removed the 1.4.0 version. Any information about older versions being affected? No need to initialize the stabilization process as there's no stable version of kea in the tree yet.
The memory leak is connected to the callout handle store, which was added in Kea 1.4.0 to support additional hooks capabilities. Prior to 1.4.0 it did not exist, so Kea 1.4.0 (along with its interim development releases, e.g. 1.4.0b1) would be the only release(s) affected.
For posterity: https://kb.isc.org/docs/aa-01626