UbuntuUpdates.org

Package "quagga"

Name: quagga

Description:

BGP/OSPF/RIP routing daemon

Latest version: 0.99.22.4-3ubuntu1.5
Release: trusty (14.04)
Level: security
Repository: main
Homepage: http://www.quagga.net/

Other versions of "quagga" in Trusty

Repository  Area  Version
base        main  0.99.22.4-3ubuntu1
updates     main  0.99.22.4-3ubuntu1.5

Changelog

Version: 0.99.22.4-3ubuntu1.5 2018-02-16 01:06:22 UTC

  quagga (0.99.22.4-3ubuntu1.5) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS and possible code execution via double-free
    - debian/patches/Quagga-2018-1114.patch: fix double-free in
      bgpd/bgp_attr.c, bgpd/bgp_attr.h.
    - No CVE number
  * SECURITY UPDATE: code-to-string conversion table overrun
    - debian/patches/Quagga-2018-1550.patch: limit size in
      bgpd/bgp_debug.c.
    - No CVE number
  * SECURITY UPDATE: hang via invalid OPEN message
    - debian/patches/Quagga-2018-1975.patch: fix infinite loop in
      bgpd/bgp_packet.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Wed, 07 Feb 2018 07:38:47 -0500

Version: 0.99.22.4-3ubuntu1.4 2017-10-31 19:07:04 UTC

  quagga (0.99.22.4-3ubuntu1.4) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via telnet CLI
    - debian/patches/CVE-2017-5495-1.patch: limit size of vty buffer to
      4096 bytes in lib/command.c, lib/vty.c, lib/vty.h, vtysh/vtysh.c.
    - debian/patches/CVE-2017-5495-2.patch: ensure vty buf is nul
      terminated and wrap puts to it with checks in lib/vty.c.
    - CVE-2017-5495
  * SECURITY UPDATE: DoS via BGP UPDATE messages
    - debian/patches/CVE-2017-16227.patch: fix AS_PATH size calculation for
      long paths in bgpd/bgp_aspath.c.
    - CVE-2017-16227

 -- Marc Deslauriers <email address hidden> Mon, 30 Oct 2017 10:29:58 -0400

CVE-2017-5495 All versions of Quagga, 0.93 through 1.1.0, are vulnerable to an unbounded memory allocation in the telnet 'vty' CLI, leading to a Denial-of-Service
CVE-2017-16227 The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 allows remote attackers to cause a denial of service (session drop) via BGP UPDAT

Version: 0.99.22.4-3ubuntu1.3 2016-10-25 14:06:30 UTC

  quagga (0.99.22.4-3ubuntu1.3) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via stack overrun in IPv6 RA receive
    code
    - debian/patches/CVE-2016-1245.patch: use proper buffer size in
      zebra/rtadv.c.
    - CVE-2016-1245

 -- Marc Deslauriers <email address hidden> Tue, 18 Oct 2016 15:18:22 +0200

Version: 0.99.22.4-3ubuntu1.2 2016-10-13 13:06:36 UTC

  quagga (0.99.22.4-3ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: insecure directory permissions
    - debian/quagga.postinst: set proper directory permissions on
      /etc/quagga, /var/log/quagga, /var/run/quagga.
    - CVE-2016-4036
  * SECURITY UPDATE: denial of service via a large BGP packet
    - debian/patches/dump_fix.patch: create multiple MRT records if there
      is too much data for a prefix in bgpd/bgp_dump.c.
    - CVE-2016-4049

 -- Marc Deslauriers <email address hidden> Wed, 12 Oct 2016 16:03:58 -0400

CVE-2016-4036 The quagga package before 0.99.23-2.6.1 in openSUSE and SUSE Linux Enterprise Server 11 SP 1 uses weak permissions for /etc/quagga, which allows loca
CVE-2016-4049 The bgp_dump_routes_func function in bgpd/bgp_dump.c in Quagga does not perform size checks when dumping data, which might allow remote attackers to

Version: 0.99.22.4-3ubuntu1.1 2016-03-24 13:06:46 UTC

  quagga (0.99.22.4-3ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service or arbitrary code execution via
    Labeled-VPN SAFI and crafted packet
    - debian/patches/CVE-2016-2342.patch: sanity check lengths in
      bgpd/bgp_mplsvpn.c.
    - CVE-2016-2342

 -- Marc Deslauriers <email address hidden> Wed, 23 Mar 2016 08:15:51 -0400

CVE-2016-2342 The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in the VPNv4 NLRI parser in bgpd in Quagga before 1.0.20160309, when a certain VPNv4 configuration