<!DOCTYPE html><html><head><title></title></head><body><div>On Wed, May 28, 2025, at 12:54, Victoria Risk wrote:</div><blockquote type="cite" id="qt" style="overflow-wrap:break-word;"><pre style="text-wrap-mode:wrap;"><span class="font" style="font-family:Courier;">Kea users:

Internet Systems Consortium is pleased to announce the release of Kea 2.4.2, 2.6.3 and 2.7.9. Please note that all three of these releases contain fixes addressing multiple security issues detailed in three CVEs published today. </span></pre><pre style="text-wrap-mode:wrap;"><ul style="text-wrap-mode:wrap;white-space-collapse:collapse;margin-top:0px;margin-right:0px;margin-bottom:1rem;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;"><li style="margin-top:0px;line-height:1.6em;margin-left:25px;padding-left:3px;"><span class="font" style="font-family:Courier;">CVE-2025-32801: Loading a malicious hook library can lead to local privilege escalation <a href="https://kb.isc.org/docs/cve-2025-32801" rel="nofollow noreferrer noopener" target="_blank" style="margin-top:0px;">https://kb.isc.org/docs/cve-2025-32801</a></span></li><li style="line-height:1.6em;margin-left:25px;padding-left:3px;"><span class="font" style="font-family:Courier;">CVE-2025-32802: Insecure handling of file paths allows multiple local attacks <a href="https://kb.isc.org/docs/cve-2025-32802" rel="nofollow noreferrer noopener" target="_blank" style="margin-top:0px;">https://kb.isc.org/docs/cve-2025-32802</a></span></li><li style="line-height:1.6em;margin-left:25px;padding-left:3px;"><span class="font" style="font-family:Courier;">CVE-2025-32803: Insecure file permissions can result in confidential information leakage <a href="https://kb.isc.org/docs/cve-2025-32803" rel="nofollow noreferrer noopener" target="_blank" style="margin-top:0px;">https://kb.isc.org/docs/cve-2025-32803</a></span></li></ul></pre><pre style="text-wrap-mode:wrap;"><span class="font" style="font-family:Courier;">Kea 2.4.2 is expected to be our last release on that old stable branch, which we will be retiring with the release of Kea 3.0, expected in June. </span></pre><pre style="text-wrap-mode:wrap;"><span class="font" style="font-family:Courier;">Kea 2.6.3 is our current stable version. </span></pre><pre style="text-wrap-mode:wrap;"><span class="font" style="font-family:Courier;">Release notes for these two versions are available at:</span></pre><pre style="text-wrap-mode:wrap;"><span class="font" style="font-family:Courier;">Kea 2.4.2 <a href="https://downloads.isc.org/isc/kea/2.4.2/Kea-2.4.2-ReleaseNotes.txt">https://downloads.isc.org/isc/kea/2.4.2/Kea-2.4.2-ReleaseNotes.txt</a></span></pre><pre style="text-wrap-mode:wrap;"><span class="font" style="font-family:Courier;">Kea 2.6.3 <a href="https://downloads.isc.org/isc/kea/2.6.3/Kea-2.6.3-ReleaseNotes.txt">https://downloads.isc.org/isc/kea/2.6.3/Kea-2.6.3-ReleaseNotes.txt</a></span></pre><pre style="text-wrap-mode:wrap;"><br></pre></blockquote><div><br></div><div>I just upgraded to 2.6.3, and my network was broken because the daemons would not start, because the configuration files placed the sockets in /tmp (which is no longer permitted).</div><div><br></div><div>While I understand that it's rare, if a patch release (incrementing only the last component of the version number) contains breaking/incompatible changes, please help the users by noting that in the release announcement. It is certainly true that not every user reads the entirety of the release notes before upgrading to a new version.</div><div><br></div></body></html>