oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Quagga 1.2.3 release with BGP security issue fixes

From: Paul Jakma <paul () jakma org>
Date: Thu, 15 Feb 2018 23:07:20 +0000 (GMT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,
Quagga 1.2.3 has been released, and it contains fixes for a number of BGP security issues, 3 of which were not public till today. Please see: 

  http://savannah.nongnu.org/forum/forum.php?forum_id=9095

The CERT vulnerability note is at:

  https://www.kb.cert.org/vuls/id/940439
Quagga advisories are at the URIs in the release announcement, also available via either of: 

  https://gogs.quagga.net/Quagga/quagga/src/master/doc/security
  https://git.savannah.gnu.org/cgit/quagga.git/tree/doc/security
Quagga-2018-1114 can be triggered by receiving a transitive BGP attribute - meaning it potentially could be triggered by a message sent by a BGP speaker far away. It involves a double-free, which could be serious, depending on the malloc implementation. See: 

 https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-1114.txt

Vendors are encouraged to provide backports to older releases.
Quagga users should upgrade to a release appropriate for their stability needs with the relevant fixes applied. 

regards,
- -- Paul Jakma | paul () jakma org | @pjakma | Key ID: 0xD86BF79464A2FF6A 

-----BEGIN PGP SIGNATURE-----

iQJMBAEBCAA2BQJahhKpLxpodHRwczovL3d3dy5qYWttYS5vcmcvfnBhdWwvcGdw
X3BvbGljeS0xLjEudHh0AAoJEOFGbL/NtBuaDNsP/2l3tczRgiGVpoiDu3yAWkWT
Q4VSv7lbDgorvm5FYDiEPr8e7rp6ERiJNGjjlpl907pmDU2TAEaeQI3PQj4I9uag
hv4sq1+n/ODoXPGtlQKsDWN4ob0B3fZ6bOh8a4Y6iUl9s0ESk0Ogi34k7hjqjWp2
4RbjpLbLMOAF3IOZo3uFoA9+Uzr8jDkC6FVNULfcWDOaTlagjJgE+Amr0a6gM+yK
DSjYommtAmqSrV3/Wv3uC96/whWnjzTZluObBTc8FVWy9zxP5zwvRMirDxehWrEh
N9C9A38ZsfXMQ+IWbaosdCClMNSZqbiRSZP6aNmBk9/HlSUK6yF6e6jNOzmiPdy3
0n1507rkfBInu5ALeqs/DyWGqVLkV2h+RHKJyUCIzmHaBomHf3MS9iPBy+63whQg
aGPuT6283dzcjD20qYY1u0KLziRVHg8TdDu4aCy3UXD/w2pvbn3Nymo3RoL/g20/
9VylvokNujnzaGxjG9nc5/fqA/XKkT9G/7sCnG2OHU7hheaPrq/6+7OL4RCS6kz4
iL40V0RDp26yg7lHm51MtCEHn91yv5wFKnG2fESfkUUMTeqO8jiThbl8UOYE4j/l
66VvLca/XwP4r0KASmrM8O3PiktmulGg2TTCo30nx4bmr30j10dGtteBQupwpRWn
UXXvosef5rPdV887X4EK
=YNE6
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: