git.99rst.org Git - openwrt-packages.git/commit

author	Alexandru Ardelean <redacted>
	Fri, 29 May 2026 03:59:23 +0000 (06:59 +0300)
committer	Alexandru Ardelean <redacted>
	Mon, 1 Jun 2026 11:11:10 +0000 (14:11 +0300)
commit	eb538bd758423647466c6f2a68b677f83391d700
tree	057a1783845174f60aa2d5f5cc3859781d8964cc	tree \| snapshot
parent	9e84e22a78a5c884bc232f5c4d8374553111059f	commit \| diff

kea: bump to 3.0.3

3.0.3 is a security/vulnerability release on the stable 3.0 series.

Notable fixes since 3.0.2:

* **CVE-2026-3608** — A large number of bracket pairs in a JSON payload
  sent to any endpoint caused a stack overflow during recursive parsing.
  The exploit does not need a syntactically valid command, so it bypasses
  RBAC and the command filters on the High-Availability endpoints
  (upstream #4275 / #4288 / #4387).

* Null dereference when configuring the Control Agent with a socket
  entry that lacks the mandatory ``socket-name`` is now caught
  (#4388, #4365).

* UNIX command sockets are created group-writable so Stork 2.4.0+ and
  other tooling using the configured group can talk to the daemon
  (#4398, #4260).

Upstream's release notes flag "no incompatible changes" and "no known
issues" for this bump.

All current patches still apply cleanly.

Release notes:
https://ftp.isc.org/isc/kea/3.0.3/Kea-3.0.3-ReleaseNotes.txt

Signed-off-by: Alexandru Ardelean <redacted>