# Kea 3.0.1 Security Release Notes, August 27, 2025

Welcome to Kea 3.0.1, a security release of the stable 3.0 series. This supersedes the previous release, version 3.0.0.

Kea is a DHCP implementation developed by Internet Systems Consortium (ISC) that features DHCPv4 and DHCPv6 servers with DNS update and a REST API; optional database support (MySQL and PostgreSQL); optional RADIUS, Kerberos, YANG/NETCONF, and GSS-TSIG support; and much more. Kea provides extensive management capabilities, including but not limited to: TLS support, Role-Based Access Control, run-time configuration monitoring and updates via a REST API, host reservations, and client classification.

The text below references issue numbers. For more details, visit the Kea GitLab page at https://gitlab.isc.org/isc-projects/kea/-/issues. For details about Docker issues, visit the page at https://gitlab.isc.org/isc-projects/kea-docker/-/issues/. For details about packaging, visit the page at https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/.

The following changes and fixes have been introduced in version 3.0.1:

1. **Vulnerability**: We corrected an issue in `kea-dhcp4` that caused the server to abort if a client sent a broadcast request with particular options, and Kea failed to find an appropriate subnet for that client. This addresses CVE-2025-40779 [#4055, #4048].

2. **Build**: We added support for Botan crypto library v3. The old v2 version that reached EOL is no longer supported [#4057, #3553].

3. **Bug fixes**: The code no longer adds the qualifying suffix to fully qualified host names specified in host reservations [#4056, #3949].

4. **Packaging**: If services were started and deb packages were upgraded, services are now restarted; under Kea 3.0.0 the old service would continue running. On removal of deb packages, services are now stopped, while for Kea 3.0.0 the old service would continue running [isc-projects/kea-packaging#51].

## Incompatible Changes

There are no incompatible changes. However, if you are compiling from sources and you are using the Botan 2.x crypto library, you need to upgrade to the currently supported version, Botan 3.x. This does not affect users who install Kea using packages or compile from sources and use the OpenSSL crypto library.

## Known Issues

There are no significant known issues.

## Acknowledgments

ISC would like to thank the following for bringing the issue in CVE-2025-40779 to our attention:

* Jochen M.
* Martin Dinev, Trading212
* Ashwani Kumar, Post Graduate Institute of Medical Education & Research, Chandigarh, India
* Bret Giddings, University of Essex
* Florian Ritterhoff, Munich University of Applied Sciences

## License

This version of Kea is released under the Mozilla Public License, version 2.0.

https://www.mozilla.org/en-US/MPL/2.0

Some Kea hook libraries are provided under the MPL 2.0; others are licensed with the Kea Hooks Basic Commercial End User License. The source for each hook library includes the applicable license.

## Download

Pre-built ISC packages for current versions of the most popular Linux operating systems are available at:

https://cloudsmith.io/~isc/repos/

Pre-built Docker images as well as Docker files are available. For details, see:

https://gitlab.isc.org/isc-projects/kea-docker

The Kea source and PGP signature for this release may be downloaded from:

https://www.isc.org/download

The signature was generated with the ISC code-signing key, which is available at:

https://www.isc.org/pgpkey

ISC provides detailed documentation, including installation instructions and usage tutorials, in the Kea Administrator Reference Manual. Documentation is included with the installation or at https://kea.readthedocs.io/en/latest/index.html in HTML, PDF, or EPUB formats. ISC maintains a public open source code tree, wiki, issue tracking system, milestone planner, and roadmap at https://gitlab.isc.org/isc-projects/kea.

Limitations and known issues with this release can be found at https://gitlab.isc.org/isc-projects/kea/-/wikis/known-issues-list.

We ask users of this software to please let us know how it worked for you and what operating system you tested on. Feel free to share your feedback on the Kea Users mailing list (https://lists.isc.org/mailman/listinfo/kea-users). We would also like to hear whether the documentation is adequate and accurate. Please open tickets in the Kea GitLab project for bugs, documentation omissions and errors, and enhancement requests. We want to hear from you even if everything worked.

## Support

Professional support for Kea is available from ISC. We encourage all professional users to consider this option; Kea maintenance is funded with support subscriptions. For more information on ISC's Kea software support, see https://www.isc.org/support/.

Free best-effort support is provided by our user community via a mailing list. Information on all public email lists is available at https://www.isc.org/community/mailing-list. If you have any comments or questions about working with Kea, please share them to the Kea Users list (https://lists.isc.org/mailman/listinfo/kea-users). Bugs and feature requests may be submitted via GitLab at https://gitlab.isc.org/isc-projects/kea/-/issues.

## Changes

The following summarizes changes and important upgrades since the previous release, version 3.0.0.

```
2378. [build]* fdupont, razvan
      Moved Botan crypto backend support to version 3.
      (Gitlab #4057, #3553)

2377. [bug] tmark, razvan
      Avoid adding the qualifying-suffix to fully qualified
      host names specified in host reservations.
      (Gitlab #4056, #3949)

2376. [sec] tmark
      Corrected an issue in kea-dhcp4 that caused
      the server to abort if a client sent a unicast
      request with particular options, and Kea failed to find
      an appropriate subnet for that client.
      CVE:2025-40779
      (Gitlab #4055, #4048)
```

There were no changes to the hook libraries, but please update hook libraries to the 3.0.0 version when updating your core application(s).

Thank you again to everyone who assisted us in making this release possible.

We look forward to receiving your feedback.