Date: Thu, 15 Feb 2018 23:07:20 +0000 (GMT)
From: Paul Jakma <paul@...ma.org>
To: oss-security@...ts.openwall.com
Subject: Quagga 1.2.3 release with BGP security issue fixes

Hi,

Quagga 1.2.3 has been released, and it contains fixes for a number of 
BGP security issues, 3 of which were not public till today. Please see:

   http://savannah.nongnu.org/forum/forum.php?forum_id=9095

The CERT vulnerability note is at:

   https://www.kb.cert.org/vuls/id/940439

Quagga advisories are at the URIs in the release announcement, also 
available via either of:

   https://gogs.quagga.net/Quagga/quagga/src/master/doc/security
   https://git.savannah.gnu.org/cgit/quagga.git/tree/doc/security

Quagga-2018-1114 can be triggered by receiving a transitive BGP 
attribute - meaning it potentially could be triggered by a message sent 
by a BGP speaker far away. It involves a double-free, which could be 
serious, depending on the malloc implementation. See:

  https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-1114.txt

Vendors are encouraged to provide backports to older releases.

Quagga users should upgrade to a release appropriate for their stability 
needs with the relevant fixes applied.

regards,
-- 
Paul Jakma | paul@...ma.org | @pjakma | Key ID: 0xD86BF79464A2FF6A
