---
name: CVE Communications Draft
about: Create draft emails for a security vulnerability
---

(INTERNAL) (Non-authoritative Draft only)

The version in the KB is the authoritative Advisory; this is only DRAFT text to be used for communications (emails). This is also not the CVE checklist for this issue. Once the CVE is made public, this issue should be deleted from the repo.

(INTERNAL) DO NOT FORGET TO MAKE THIS ISSUE CONFIDENTIAL!

(INTERNAL) (Keep things text-only friendly)

All of the official communication about this vulnerability will use a text-only version of this article. This is most obvious in the way that certain links are constructed. Most links should be constructed contrary to "web best-practice" and use the full URL as their link text.

(INTERNAL)

| Field | Value |
| ------ | ------ |
| CVE # | CVE-9999-99999 |
| GL Issue | |
| Versions affected | |
| link to Advisory draft in KB | |
| date for earliest | |
| date for T-5 | |
| public release date | |

cut and paste below this line for the customer email
----------------------

NOTE: This Advisory is Confidential and under NDA until Public Release (date of planned release here) unless notified by the Internet Systems Consortium's (ISC's) Security Officer (security-officer@isc.org). We ask that you respect our phased disclosure process (see https://www.isc.org/security-vulnerability-disclosure-policy ). If you know of an additional party who should be included in our phased disclosure process, please contact ISC directly and do not forward this advisory to them.

DO NOT forward this information to anyone per your Subscription Agreement, as it has not yet been released to the public.

If you need to ask a question about this Advance Security Bulletin before it is publicly released, please do so securely and do not make any reference to the advisory or its existence via unencrypted email to ISC or by opening a new support ticket. We suggest using one of the secure methods below:

1. Log in to your RT queue via https to add the question to the advisory notification ticket in your queue. ISC's support team will post a reply and then inform you directly via email that we have responded and that you need to check the ticket directly.
2. Email your question, encrypted to security-officer@isc.org, using our public PGP key, which can be found here: http://www.isc.org/downloads/software-support-policy/openpgp-key/

Regards,
ISC Support

----

To Our Advance Notification Customers and Partners --

This message is being sent to you because you are on our list for Early Advance Notification for security issues affecting ISC DHCP.

We have learned of a security issue which can be exploited in the ISC DHCP server (dhcpd). The issue, which is designated CVE-xxxx-xxxxx, occurs due to xxxxxxx. This defect applies to versions DHCP 4.1.x - 4.1.y and DHCP 4.4.x - 4.4.y.

Description:

Impact:

Workaround:

If you have questions, please use this ticket to ask them.

your name here
ISC Support Engineer

---------------

[DRAFT TEXT OF THE ADVISORY IS BELOW, NOTE THAT THIS IS ONLY A WORKING DRAFT]

CVE: CVE-9999-99999 [FILL IN]
Document version: 1.0
Posting date: [FILL IN DD MONTH YEAR]
Program impacted: DHCP
Versions affected: DHCP [FILL IN]
Severity: [FILL IN - MEDIUM, HIGH OR CRITICAL]
Exploitable: [FILL IN - REMOTELY OR LOCALLY]

Description:
[FILL IN]

Impact:
[FILL IN]

CVSS Score: [FILL IN]
CVSS Vector: CVSS v3.1 Vector: [PASTE HERE]

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C&version=3.1.

Workarounds:
[FILL IN, OFTEN ...] No workarounds known.

Active exploits:
[FILL IN, OFTEN ...] We are not aware of any active exploits.

Solution:
[FILL IN, TYPICALLY SOMETHING LIKE THIS...] Upgrade to the patched release most closely related to your current version of DHCP:

DHCP 4.4.x (Current Stable)
DHCP 4.1.x (Old Stable)

Acknowledgments: ISC would like to thank [REPORTER] from [REPORTER ORGANIZATION] for discovering and reporting this issue.

Document revision history:
1.0 Early Notification, [DAY MONTH YEAR]

Related documents:

Do you still have questions? Questions regarding this advisory should go to security-officer@isc.org. To report a new issue, please encrypt your message using security-officer@isc.org's PGP key, which can be found here: https://www.isc.org/pgpkey/. If you are unable to use encrypted email, you may also report new issues at: https://www.isc.org/reportbug/.

Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected. (For current information on which versions are actively supported, please see: https://www.isc.org/download/ )

ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found in the ISC Software Defect and Security Vulnerability Disclosure Policy at https://kb.isc.org/docs/aa-00861.

The Knowledgebase article [PASTE IN THE LINK HERE] is the complete and official security advisory document.

Legal Disclaimer: Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.