List:       oss-security
Subject:    [oss-security] Quagga 1.2.3 release with BGP security issue fixes
From:       Paul Jakma <paul () jakma ! org>
Date:       2018-02-15 23:07:20
Message-ID: alpine.LFD.2.21.1802152258500.12267 () stoner ! jakma ! org

Hi,

Quagga 1.2.3 has been released, and it contains fixes for a number of 
BGP security issues, 3 of which were not public till today. Please see:

   http://savannah.nongnu.org/forum/forum.php?forum_id=9095

The CERT vulnerability note is at:

   https://www.kb.cert.org/vuls/id/940439

Quagga advisories are at the URIs in the release announcement, also 
available via either of:

   https://gogs.quagga.net/Quagga/quagga/src/master/doc/security
   https://git.savannah.gnu.org/cgit/quagga.git/tree/doc/security

Quagga-2018-1114 can be triggered by receiving a transitive BGP 
attribute - meaning it potentially could be triggered by a message sent 
by a BGP speaker far away. It involves a double-free, which could be 
serious, depending on the malloc implementation. See:

  https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-1114.txt

Vendors are encouraged to provide backports to older releases.

Quagga users should upgrade to a release appropriate for their stability 
needs with the relevant fixes applied.

regards,
-- 
Paul Jakma | paul@jakma.org | @pjakma | Key ID: 0xD86BF79464A2FF6A
