UbuntuUpdates.org

Package "frr"

Name: frr

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • FRRouting suite - BGP RPKI support (rtrlib)
  • FRRouting suite - SNMP support

Latest version: 8.1-1ubuntu1.11
Release: jammy (22.04)
Level: updates
Repository: universe

Links



Other versions of "frr" in Jammy

Repository Area Version
base universe 8.1-1ubuntu1
base main 8.1-1ubuntu1
security main 8.1-1ubuntu1.11
security universe 8.1-1ubuntu1.11
updates main 8.1-1ubuntu1.11

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 8.1-1ubuntu1.6 2023-10-18 06:07:05 UTC

  frr (8.1-1ubuntu1.6) jammy-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2023-41358.patch: Do not process NLRIs if the
      attribute length is zero
    - debian/patches/CVE-2023-41360.patch: Don't read the first byte of ORF
      header if we are ahead of stream
    - CVE-2023-41358
    - CVE-2023-41360
  * SECURITY UPDATE: Null pointer dereference
    - debian/patches/CVE-2023-41909.patch: Limit flowspec to no attribute
      means a implicit withdrawal
    - CVE-2023-41909

 -- Nishit Majithia <email address hidden> Mon, 16 Oct 2023 13:03:51 +0530

Source diff to previous version
CVE-2023-41358 An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c processes NLRIs if the attribute length is zero.
CVE-2023-41360 An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c can read the initial byte of the ORF header in an ahead-of-stream situation.
CVE-2023-41909 An issue was discovered in FRRouting FRR through 9.0. bgp_nlri_parse_flowspec in bgpd/bgp_flowspec.c processes malformed requests with no attributes,

Version: 8.1-1ubuntu1.5 2023-08-31 04:07:11 UTC

  frr (8.1-1ubuntu1.5) jammy-security; urgency=medium

  * SECURITY UPDATE: a BGP route attribute, tunnel encapsulation, can
    be corrupted and cause denial of service
    - debian/patches/CVE-2023-38802.patch: use treat-as-withdraw for
      tunnel encapsulation attribute
    - CVE-2023-31490

 -- Mark Esler <email address hidden> Wed, 30 Aug 2023 10:39:00 -0500

Source diff to previous version
CVE-2023-38802 FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow a remote attacker to cause a denial of service via a crafted BGP update with a corrupte
CVE-2023-31490 An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function.

Version: 8.1-1ubuntu1.4 2023-06-05 16:07:27 UTC

  frr (8.1-1ubuntu1.4) jammy-security; urgency=medium

  * SECURITY UPDATE: denial of service via bgp_attr_psid_sub()
    - debian/patches/CVE-2023-31490.patch: ensure stream received has
      enough data in bgpd/bgp_attr.c.
    - CVE-2023-31490

 -- Marc Deslauriers <email address hidden> Fri, 02 Jun 2023 13:56:18 -0400

Source diff to previous version
CVE-2023-31490 An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function.

Version: 8.1-1ubuntu1.3 2022-12-13 02:06:21 UTC

  frr (8.1-1ubuntu1.3) jammy; urgency=medium

  * d/frr.postinst: don't change log ownership if the syslog user
    doesn't exist. Thanks to Alessandro Ratti
    <email address hidden> for the fix (LP: #1991812).

 -- Andreas Hasenack <email address hidden> Fri, 28 Oct 2022 11:38:34 -0300

Source diff to previous version
1991812 FRR deb packaging regression

Version: 8.1-1ubuntu1.2 2022-10-18 16:06:25 UTC

  frr (8.1-1ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS via out-of-bounds read
    - debian/patches/CVE-2022-37032.patch: make sure hdr length is at a
      minimum of what is expected in bgpd/bgp_packet.c.
    - CVE-2022-37032
  * SECURITY UPDATE: use-after-free due to a race condition
    - debian/patches/CVE-2022-37035.patch: avoid notify race between io and
      main pthreads in bgpd/bgp_io.c, bgpd/bgp_packet.c, bgpd/bgp_packet.h.
    - CVE-2022-37035

 -- Marc Deslauriers <email address hidden> Wed, 05 Oct 2022 12:35:26 -0400

CVE-2022-37032 An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may lead to a segmentation fault and denial of service. This occurs in bgp_capabi
CVE-2022-37035 An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c, there is a possible



About   -   Send Feedback to @ubuntu_updates