Todo #16291: Relocate Kea control socket and lease database - pfSense - pfSense bugtracker

Actions

Copy link

Todo #16291

closed

Relocate Kea control socket and lease database

Added by dylan mendez 3 months ago. Updated about 1 month ago.

Status:

Closed

Priority:

High

Assignee:

Christian McDonald

Category:

DHCP (IPv4)

Target version:

2.9.0

Start date:

Due date:

% Done:

Estimated time:

Plus Target Version:

25.11

Release Notes:

Force Exclusion

Description

25.11.a.20250628.0006 does the same.

2025-06-28 21:45:58.188712+00:00 kea-dhcp4 94685 ERROR [kea-dhcp4.dhcp4.0x11563ee68008] DHCP4_INIT_FAIL failed to initialize Kea server: configuration error using file '/usr/local/etc/kea/kea-dhcp4.conf': 'socket-name' is invalid: invalid path specified: '/var/run', supported path is '/var/run/kea'
2025-06-28 21:45:58.188516+00:00 kea-dhcp4 94685 ERROR [kea-dhcp4.dhcp4.0x11563ee68008] DHCP4_CONFIG_LOAD_FAIL configuration error using file: /usr/local/etc/kea/kea-dhcp4.conf, reason: 'socket-name' is invalid: invalid path specified: '/var/run', supported path is '/var/run/kea'
2025-06-28 21:45:58.188270+00:00 kea-dhcp4 94685 ERROR [kea-dhcp4.dhcp4.0x11563ee68008] DHCP4_PARSER_COMMIT_FAIL parser failed to commit changes: 'socket-name' is invalid: invalid path specified: '/var/run', supported path is '/var/run/kea'
2025-06-28 21:45:58.179343+00:00 kea-dhcp4 94685 WARN [kea-dhcp4.dhcp4.0x11563ee68008] DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
2025-06-28 21:45:58.179288+00:00 kea-dhcp4 94685 WARN [kea-dhcp4.dhcpsrv.0x11563ee68008] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.

Files

Download all files

clipboard-202506281542-dacy2.png (5.8 KB) clipboard-202506281542-dacy2.png		dylan mendez, 06/28/2025 09:42 PM
clipboard-202507051618-9vhl5.png (6.9 KB) clipboard-202507051618-9vhl5.png		dylan mendez, 07/05/2025 10:18 PM

Actions

Copy link

Updated by Christopher Cope 3 months ago

Status changed from New to Confirmed

Tested on

25.11-DEVELOPMENT (amd64)
built on Sat Jun 28 0:06:00 UTC 2025
FreeBSD 15.0-CURRENT

I'm seeing the same issue.

It seems to be a change in the new release of Kea. https://gitlab.isc.org/isc-projects/kea/-/wikis/Release-Notes/release-notes-2.6.3

Particularly

7. Security: Sockets: To prevent unauthorized access and potential denial of service, sockets can no longer be created in a world-writable directory, such as /tmp. Sockets must now be created in the more restricted [kea-install-dir]/var/run/kea. This change addresses CVE-2025-32802 [#3831 (closed), #3840 (closed)].

Actions

Copy link

Updated by dylan mendez 3 months ago

Priority changed from Normal to High

Actions

Copy link

Updated by dylan mendez 3 months ago

Changing priority as this can break stuff, even though it's development internal. Feel free to move back to Normal if I'm overreacting.

Actions

Copy link

Updated by dylan mendez 2 months ago

As per CCope, this is caused by this:

Security: Sockets: To prevent unauthorized access and potential denial of service, sockets can no longer be created in a world-writable directory, such as /tmp. Sockets must now be created in the more restricted [kea-install-dir]/var/run/kea. This change addresses CVE-2025-32802 [#3831 (closed), #3840 (closed)].

Actions

Copy link

Updated by Christian McDonald 2 months ago

Assignee set to Christian McDonald

Actions

Copy link

Updated by Christian McDonald 2 months ago

I've got it, this is trivial to fix.

Actions

Copy link

Updated by Christian McDonald 2 months ago

Subject changed from 25.11.a.20250627.1429 breaks Kea service. to Relocate Kea control socket from /var/run to /var/run/kea
Status changed from Confirmed to Feedback
Target version set to 2.9.0
Plus Target Version set to 25.11
Release Notes changed from Default to Force Exclusion