Re: [oss-security] ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)

2025-05-28 Thread Jakub Wilk
* Matthias Gerstner, 2025-05-28 19:21: By leveraging issue 3.2), the Kea services can be instructed to create `_kea` owned files in the attacker's `$HOME/.Private`. The content of the created files is not fully attacker controlled, however, so it will not be possible to craft a valid ELF objec

RE: [oss-security] ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)

2025-05-28 Thread Jounee Kim
UNSUBSCRIBE From: Andrei Pavel Sent: Wednesday, May 28, 2025 12:34 PM To: oss-security@lists.openwall.com Cc: security-offi...@isc.org Subject: [oss-security] ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) On 28 May 2025 we (Internet Systems Con

[oss-security] how to unsubscribe (Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803))

2025-05-28 Thread Solar Designer
On Wed, May 28, 2025 at 05:54:41PM +, Jounee Kim wrote: > UNSUBSCRIBE I am sorry for letting this one through, which happened in error. Of course, we (the moderators) normally reject misaddressed unsubscription requests like that (but do unsubscribe the people manually, and we did this time t

[oss-security] CVE-2025-48734: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default

2025-05-28 Thread Gary D. Gregory
Severity: important Affected versions: - Apache Commons BeanUtils 1.x 1.0 before 1.11.0 - Apache Commons BeanUtils 2.x 2.0.0-M1 before 2.0.0-M2 Description: Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used

[oss-security] ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)

2025-05-28 Thread Andrei Pavel
On 28 May 2025 we (Internet Systems Consortium) disclosed three vulnerabilities affecting our Kea software: - CVE-2025-32801: Loading a malicious hook library can lead to local privilege escalation https://kb.isc.org/docs/cve-2025-32801 - CVE-2025-32802: Insecure handling of file pa

Re: [oss-security] ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)

2025-05-28 Thread Matthias Gerstner
Hello list, we originally reported these issues to upstream and would like to share our full report below. This is a report about local security issues in the Kea DHCP server suite. During a routine review we found a local root exploit and a number of further local vulnerabilities in its REST API