kea: bump to 3.0.3#29942
Open
liuyuf78fk wants to merge 1 commit into
Open
Conversation
3.0.3 is a security/vulnerability release on the stable 3.0 series. Notable fixes since 3.0.2: * **CVE-2026-3608** — A large number of bracket pairs in a JSON payload sent to any endpoint caused a stack overflow during recursive parsing. The exploit does not need a syntactically valid command, so it bypasses RBAC and the command filters on the High-Availability endpoints (upstream openwrt#4275 / openwrt#4288 / openwrt#4387). * Null dereference when configuring the Control Agent with a socket entry that lacks the mandatory ``socket-name`` is now caught (openwrt#4388, openwrt#4365). * UNIX command sockets are created group-writable so Stork 2.4.0+ and other tooling using the configured group can talk to the daemon (openwrt#4398, openwrt#4260). Upstream's release notes flag "no incompatible changes" and "no known issues" for this bump. All current patches still apply cleanly. Release notes: https://ftp.isc.org/isc/kea/3.0.3/Kea-3.0.3-ReleaseNotes.txt Signed-off-by: Alexandru Ardelean <alex@shruggie.ro> (cherry picked from commit eb538bd)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR backports the Kea 3.0.3 security update from master to the stable
openwrt-25.12branch.It includes critical fixes for CVE-2026-3608 (JSON payload stack overflow), a Control Agent null dereference issue, and UNIX command socket permission improvements.
📦 Package Details
Maintainer: Philip Prindeville, Noah Meyerhans
Description:
Backport the Kea 3.0.3 security update from master to the
openwrt-25.12branch.🧪 Run Testing Details
Test Log Evidence:
The service starts successfully with multi-threading enabled and handles client requests smoothly:
✅ Formalities