Skip to content

Security: isc-projects/kea

Security

SECURITY.md

Security Policy

Supported Versions

The following versions are supported:

Version Supported End-Of-Life
2.7.x summer 2025, on release of 3.0.0
2.6.x summer 2026, on release of 3.2.0
2.5.x June 2024
2.4.x summer 2025, on release of 3.0.0
2.3.x July 2023
2.2.x August 2024, on release of 2.6.0
2.1.x July 2022
2.0.x August 2023, on release of 2.4.0
1.9.0 September 2021
1.8.0 July 2022
1.7.0 August 2020
1.6.0 September 2021
1.5.0 August 2020
1.3.0 December 2018
1.2.0 June 2018
1.1.0 December 2017
1.0.0 June 2017
0.9.2-P1 March 2017
0.9.1 June 2016

Starting with the Kea 1.7 release, all Kea versions with an odd minor version number are development releases, and become EOL as soon as the following stable release is published.

Limited past EOL support may be available to higher tier customers. Please contact ISC sales, using this form: https://www.isc.org/contact/

Reporting a Vulnerability

To report security vulnerability, please follow this instruction:

https://www.isc.org/reportbug/

Briefly, we prefer confidential issue on gitlab (not github). An issue is much better, because it's easier to get more ISC engineers involved in it, evolve the case as more information is known, update or extra information, etc.

Second best is to send e-mail (possibly encrypted) to kea-security@isc.org.

Software Defects and Security Vulnerability Disclosure Policy

ISC treats the security of its software products very seriously. This document discusses the evaluation of a defect severity and the process in detail: https://kb.isc.org/docs/aa-00861

Further reading

The Kea security section of Kea ARM discusses the technical aspects, such as how to properly configure TLS certificates, how to secure Kea deployment and also what the security incident handling process looks like: https://kea.readthedocs.io/en/latest/arm/security.html#kea-security-processes

The Past advisories for Kea can be found on the KB: https://kb.isc.org/docs On the left hand panel, see the Security Advisiories in the Kea DHCP section.

There aren’t any published security advisories