UbuntuUpdates.org

Package "quagga-core"

Name: quagga-core

Description:

network routing daemons (core abstraction layer)

Latest version: 1.2.4-4ubuntu0.5
Release: focal (20.04)
Level: updates
Repository: main
Head package: quagga
Homepage: http://www.quagga.net/

Links


Download "quagga-core"


Other versions of "quagga-core" in Focal

Repository Area Version
base main 1.2.4-4build1
security main 1.2.4-4ubuntu0.5

Changelog

Version: 1.2.4-4ubuntu0.5 2024-09-17 17:06:59 UTC

  quagga (1.2.4-4ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: BGP overflow via TLV value
    - debian/patches/CVE-2024-44070.patch: check the actual remaining
      stream length before taking TLV value in bgpd/bgp_attr.c.
    - CVE-2024-44070

 -- Marc Deslauriers <email address hidden> Tue, 10 Sep 2024 07:47:26 -0400

Source diff to previous version
CVE-2024-44070 An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before t

Version: 1.2.4-4ubuntu0.4 2023-11-15 17:08:43 UTC

  quagga (1.2.4-4ubuntu0.4) focal-security; urgency=medium

  * SECURITY UPDATE: DoS via out-of-bounds read
    - debian/patches/CVE-2022-37032.patch: don't memcpy past end of buffer
      in bgpd/bgp_packet.c.
    - CVE-2022-37032
  * SECURITY UPDATE: DoS via BGP UPDATE without mandatory attributes
    - debian/patches/CVE-2023-46753.patch: check mandatory attributes more
      carefully for UPDATE message in bgpd/bgp_attr.c.
    - CVE-2023-46753

 -- Marc Deslauriers <email address hidden> Wed, 01 Nov 2023 14:49:20 -0400

Source diff to previous version
CVE-2022-37032 An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may lead to a segmentation fault and denial of service. This occurs in bgp_capabi
CVE-2023-46753 An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one wi

Version: 1.2.4-4ubuntu0.1 2023-10-17 12:06:52 UTC

  quagga (1.2.4-4ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2023-41358.patch: Do not process NLRIs if the
      attribute length is zero
    - debian/patches/CVE-2023-41360.patch: Don't read the first byte of ORF
      header if we are ahead of stream
    - CVE-2023-41358
    - CVE-2023-41360

 -- Nishit Majithia <email address hidden> Mon, 16 Oct 2023 13:05:21 +0530

CVE-2023-41358 An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c processes NLRIs if the attribute length is zero.
CVE-2023-41360 An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c can read the initial byte of the ORF header in an ahead-of-stream situation.



About   -   Send Feedback to @ubuntu_updates