""" Subject: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) On 28 May 2025 we (Internet Systems Consortium) disclosed three vulnerabilities affecting our Kea software: - CVE-2025-32801: Loading a malicious hook library can lead to local privilege escalation https://kb.isc.org/docs/cve-2025-32801 - CVE-2025-32802: Insecure handling of file paths allows multiple local attacks https://kb.isc.org/docs/cve-2025-32802 - CVE-2025-32803: Insecure file permissions can result in confidential information leakage https://kb.isc.org/docs/cve-2025-32803 New versions of Kea are available from https://www.isc.org/downloads - https://downloads.isc.org/isc/kea/2.4.2/ - https://downloads.isc.org/isc/kea/2.6.3/ - https://downloads.isc.org/isc/kea/2.7.9/ With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages that have been prepared may be released. """
I've filed bug 957113 for the non-security issues mentioned at https://security.opensuse.org/2025/05/28/kea-dhcp-security-issues.html#65-gentoo-linux.
