
Debian Bug report logs - #442133
CVE-2007-4826 remote denial of service

Reported by: Nico Golde <nion@debian.org>

Date: Thu, 13 Sep 2007 12:51:03 UTC

Severity: normal

Tags: security

Found in version quagga/0.99.8-1

Fixed in versions quagga/0.99.9-1, quagga/0.99.9-2, quagga/0.98.3-7.5, quagga/0.99.5-5etch4

Done: Christian Hammers <ch@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#442133; Package quagga.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Christian Hammers <ch@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-4826 remote denial of service
Date: Thu, 13 Sep 2007 14:41:22 +0200
Package: quagga
Version: 0.99.8-1
Severity: serious
Tags: security

Hi,
a CVE has been issued against quagga.
CVE-2007-4826[0]:
bgpd in Quagga before 0.99.9 allows remote BGP peers to 
cause a denial of service (crash) via a malformed (1) OPEN 
message or (2) COMMUNITY attribute

Please include the CVE id in the changelog if you fix the 
bug.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4826

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
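The CVE text names two inputs, an OPEN message and a COMMUNITY attribute, but neither the report nor the changelogs on this page say which malformation crashed bgpd, and the changelogs note that only a configured peer can send them. As an added illustration (not Quagga's code or the Debian patch), the parser below validates the structure of both per RFC 4271 (OPEN) and RFC 1997 with the RFC 7606 length rule (COMMUNITIES) and rejects inconsistent lengths before reading past the buffer. The `build_open` helper and all byte strings are constructed test data, not captured traffic.

```python
"""Structural validation of the two BGP elements named in CVE-2007-4826.

Added example, not Quagga's code or the fix.  It shows the length and range
checks a receiver must make on an OPEN message (RFC 4271 section 4.2) and
on a COMMUNITIES attribute (RFC 1997; RFC 7606 requires a non-zero multiple
of 4 octets) before trusting any field taken from the wire.
"""
import struct

BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19
BGP_OPEN = 1
OPEN_FIXED_LEN = 10  # version(1) my AS(2) hold time(2) BGP id(4) opt len(1)

# RFC 1997 well-known communities.
WELL_KNOWN = {
    0xFFFFFF01: "NO_EXPORT",
    0xFFFFFF02: "NO_ADVERTISE",
    0xFFFFFF03: "NO_EXPORT_SUBCONFED",
}


class MalformedBgp(ValueError):
    """Raised for any length or range inconsistency in the input."""


def parse_open(msg: bytes) -> dict:
    """Parse a complete BGP message (header + OPEN body).  Every length field
    is checked against the bytes actually present before it is used."""
    if len(msg) < BGP_HEADER_LEN:
        raise MalformedBgp("short header")
    marker, length, msg_type = struct.unpack("!16sHB", msg[:BGP_HEADER_LEN])
    if marker != BGP_MARKER:
        raise MalformedBgp("bad marker")
    if length != len(msg) or length < BGP_HEADER_LEN + OPEN_FIXED_LEN:
        raise MalformedBgp("header length %d vs %d bytes present" % (length, len(msg)))
    if msg_type != BGP_OPEN:
        raise MalformedBgp("not an OPEN message")
    body = msg[BGP_HEADER_LEN:]
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", body[:OPEN_FIXED_LEN])
    if version != 4:
        raise MalformedBgp("unsupported BGP version %d" % version)
    if 0 < hold_time < 3:  # RFC 4271: hold time is zero or at least 3 seconds
        raise MalformedBgp("hold time %d is neither 0 nor >= 3" % hold_time)
    opts = body[OPEN_FIXED_LEN:]
    if len(opts) != opt_len:
        raise MalformedBgp("opt parm len %d but %d bytes present" % (opt_len, len(opts)))
    params, pos = [], 0
    while pos < len(opts):
        if pos + 2 > len(opts):
            raise MalformedBgp("truncated optional parameter header")
        ptype, plen = opts[pos], opts[pos + 1]
        pos += 2
        if pos + plen > len(opts):
            raise MalformedBgp("optional parameter overruns the message")
        params.append((ptype, opts[pos:pos + plen]))
        pos += plen
    return {"as": my_as, "hold_time": hold_time, "bgp_id": bgp_id, "params": params}


def parse_communities(attr_value: bytes) -> list:
    """Parse a COMMUNITIES attribute value into 'AS:value' strings or
    well-known names; reject anything that is not a non-zero multiple of 4."""
    if len(attr_value) == 0 or len(attr_value) % 4:
        raise MalformedBgp("community length %d not a non-zero multiple of 4" % len(attr_value))
    return [WELL_KNOWN.get(c, "%d:%d" % (c >> 16, c & 0xFFFF))
            for (c,) in struct.iter_unpack("!I", attr_value)]


def build_open(my_as: int, hold_time: int, bgp_id: int, params: bytes = b"") -> bytes:
    """Construct a syntactically valid OPEN for testing (constructed data)."""
    body = struct.pack("!BHHIB", 4, my_as, hold_time, bgp_id, len(params)) + params
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_OPEN) + body


def is_malformed(parser, data: bytes) -> bool:
    """True if the parser rejects the input with MalformedBgp."""
    try:
        parser(data)
    except MalformedBgp:
        return True
    return False


if __name__ == "__main__":
    good = build_open(65000, 90, 0x0A000001, b"\x02\x02\x80\x00")
    print(parse_open(good))
    # Constructed malformations: opt parm len larger than the bytes present,
    # and a COMMUNITIES value that is not a multiple of 4.
    print(is_malformed(parse_open, good[:28] + b"\x05"))
    print(is_malformed(parse_communities, b"\x00\x01\x02"))
    print(parse_communities(bytes.fromhex("fde80064ffffff01")))
```

The checks are deliberately ordered so that the outer length field is validated against the real buffer size before any inner field is decoded; a parser that trusts the declared length and indexes the buffer with it is exactly the shape of code that a malformed message can crash.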

Bug marked as fixed in version 0.99.9-1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 13 Sep 2007 12:54:03 GMT)


Severity set to `normal' from `serious'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 13 Sep 2007 12:54:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#442133; Package quagga.


Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list.


Message #14 received at 442133@bugs.debian.org:

From: Christian Hammers <ch@debian.org>
To: Nico Golde <nion@debian.org>, 442133@bugs.debian.org, dc <control@bugs.debian.org>
Subject: Re: Bug#442133: CVE-2007-4826 remote denial of service
Date: Thu, 13 Sep 2007 17:22:10 +0200
close 442133 0.99.9-1
stop


On 2007-09-13 Nico Golde wrote:
> a CVE has been issued against quagga.
> CVE-2007-4826[0]:
> bgpd in Quagga before 0.99.9 allows remote BGP peers to 
> cause a denial of service (crash) via a malformed (1) OPEN 
> message or (2) COMMUNITY attribute

Ah, thanks for the Id, I will reupload the unstable version from yesterday and
prepare a security upload in the next days.

bye,

-christian-




Bug marked as fixed in version 0.99.9-1, send any further explanations to Nico Golde <nion@debian.org>. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. (Thu, 13 Sep 2007 15:24:04 GMT)


Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #21 received at 442133-close@bugs.debian.org:

From: Christian Hammers <ch@debian.org>
To: 442133-close@bugs.debian.org
Subject: Bug#442133: fixed in quagga 0.99.9-2
Date: Tue, 25 Sep 2007 21:17:03 +0000
Source: quagga
Source-Version: 0.99.9-2

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive:

quagga-doc_0.99.9-2_all.deb
  to pool/main/q/quagga/quagga-doc_0.99.9-2_all.deb
quagga_0.99.9-2.diff.gz
  to pool/main/q/quagga/quagga_0.99.9-2.diff.gz
quagga_0.99.9-2.dsc
  to pool/main/q/quagga/quagga_0.99.9-2.dsc
quagga_0.99.9-2_amd64.deb
  to pool/main/q/quagga/quagga_0.99.9-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 442133@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <ch@debian.org> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 25 Sep 2007 22:01:31 +0200
Source: quagga
Binary: quagga quagga-doc
Architecture: source amd64 all
Version: 0.99.9-2
Distribution: unstable
Urgency: low
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Christian Hammers <ch@debian.org>
Description: 
 quagga     - BGP/OSPF/RIP routing daemon
 quagga-doc - documentation files for quagga
Closes: 442133
Changes: 
 quagga (0.99.9-2) unstable; urgency=low
 .
   * Added CVE id for the security bug to the last changelog entry.
     Closes: 442133
Files: 
 13df09baff14c0be83c5047a2f0da840 882 net optional quagga_0.99.9-2.dsc
 e69dccd677fedd9b75708e22f8c6b2d7 33285 net optional quagga_0.99.9-2.diff.gz
 3bb81a36ded5cb08ca86b90ac39607e7 659718 net optional quagga-doc_0.99.9-2_all.deb
 f2f4958c84df8c577bd485869d38a30d 1492776 net optional quagga_0.99.9-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iEYEARECAAYFAkb5d2oACgkQkR9K5oahGOZu4gCgw0HJJpFsk1SThUUrI2DFz94y
HiwAoNcXCGGSdWxT5ur3bwUlabUWjA85
=kkiP
-----END PGP SIGNATURE-----





Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #26 received at 442133-close@bugs.debian.org:

From: Christian Hammers <ch@debian.org>
To: 442133-close@bugs.debian.org
Subject: Bug#442133: fixed in quagga 0.98.3-7.5
Date: Tue, 16 Oct 2007 19:56:51 +0000
Source: quagga
Source-Version: 0.98.3-7.5

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive:

quagga-doc_0.98.3-7.5_all.deb
  to pool/main/q/quagga/quagga-doc_0.98.3-7.5_all.deb
quagga_0.98.3-7.5.diff.gz
  to pool/main/q/quagga/quagga_0.98.3-7.5.diff.gz
quagga_0.98.3-7.5.dsc
  to pool/main/q/quagga/quagga_0.98.3-7.5.dsc
quagga_0.98.3-7.5_i386.deb
  to pool/main/q/quagga/quagga_0.98.3-7.5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 442133@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <ch@debian.org> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 25 Sep 2007 23:54:28 +0200
Source: quagga
Binary: quagga quagga-doc
Architecture: source i386 all
Version: 0.98.3-7.5
Distribution: oldstable-security
Urgency: high
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Christian Hammers <ch@debian.org>
Description: 
 quagga     - unoff. successor of the Zebra BGP/OSPF/RIP routing daemon
 quagga-doc - documentation files for quagga
Closes: 442133
Changes: 
 quagga (0.98.3-7.5) oldstable-security; urgency=high
 .
   * SECURITY:
     A bgpd could be crashed if a peer sent a malformed OPEN message or a
     malformed COMMUNITY attribute. Only configured peers can do this.
     The bug is fixed by 96_SECURITY_ubuntu_fix_dos_malformed_community.dpatch.
     CVE-2007-4826. Closes: 442133
Files: 
 69dc4e5de4de00ec723ecaad6f285af8 1017 net optional quagga_0.98.3-7.5.dsc
 8bfd06c851172358137d7b67d5f90490 43910 net optional quagga_0.98.3-7.5.diff.gz
 4f150df3d0d7c1b26d648590ac02541a 488996 net optional quagga-doc_0.98.3-7.5_all.deb
 e3057ed965a580381e7c15dc430df295 1192432 net optional quagga_0.98.3-7.5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBRv6giL97/wQC1SS+AQJ1jQf9EktKzy0lOWfuHn6Hy990qlHUV+tQsXVO
kp3jJTVnKEZPiazMMJJniBweCVT5T3TDn7d7kP2ta49IOJ//r1QD/tWQ5/Eme93X
q1gUardl+n92TUwwkM19zyZo19KX0M776JsQzzTW5XzNYBO8NJJvg6ZehjwBXuoa
AOUG6pA/Op/1Zk7Q/dmpqa8R3DMRnZnxJNIxRaRIQ3qckqvGcCYqQftwlbJ2s9F9
xwOenv7nkqcfogmjZnP/L9PpEZTMbN2/TcGBXeeOchEQGGqXuwxNF12i49FRYSSg
5x0N4CYvfGtObAATtEn4yujCOMSL3MFKvvGogljOTHsUvTpAlfWCyA==
=kCtS
-----END PGP SIGNATURE-----





Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #31 received at 442133-close@bugs.debian.org:

From: Christian Hammers <ch@debian.org>
To: 442133-close@bugs.debian.org
Subject: Bug#442133: fixed in quagga 0.99.5-5etch4
Date: Tue, 16 Oct 2007 19:56:38 +0000
Source: quagga
Source-Version: 0.99.5-5etch4

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive:

quagga-doc_0.99.5-5etch4_all.deb
  to pool/main/q/quagga/quagga-doc_0.99.5-5etch4_all.deb
quagga_0.99.5-5etch4.diff.gz
  to pool/main/q/quagga/quagga_0.99.5-5etch4.diff.gz
quagga_0.99.5-5etch4.dsc
  to pool/main/q/quagga/quagga_0.99.5-5etch4.dsc
quagga_0.99.5-5etch4_amd64.deb
  to pool/main/q/quagga/quagga_0.99.5-5etch4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 442133@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <ch@debian.org> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 25 Sep 2007 22:10:42 +0200
Source: quagga
Binary: quagga quagga-doc
Architecture: source amd64 all
Version: 0.99.5-5etch4
Distribution: stable-security
Urgency: high
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Christian Hammers <ch@debian.org>
Description: 
 quagga     - unoff. successor of the Zebra BGP/OSPF/RIP routing daemon
 quagga-doc - documentation files for quagga
Closes: 442133
Changes: 
 quagga (0.99.5-5etch4) stable-security; urgency=high
 .
   * SECURITY:
     A bgpd could be crashed if a peer sent a malformed OPEN message or a
     malformed COMMUNITY attribute. Only configured peers can do this.
     The bug is fixed by 96_SECURITY_ubuntu_fix_dos_malformed_community.dpatch.
     CVE-2007-4826. Closes: 442133
Files: 
 3a36e812322157de715626cbe04c519f 1046 net optional quagga_0.99.5-5etch4.dsc
 0de3c5021dbed0e4739f88b6f00a9c59 33551 net optional quagga_0.99.5-5etch4.diff.gz
 2bafee611f8a75fedc07be2224f90922 720288 net optional quagga-doc_0.99.5-5etch4_all.deb
 00846f88e7df3db61001d54fd5647d23 1414716 net optional quagga_0.99.5-5etch4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBRvn0tr97/wQC1SS+AQKLCwf+IMIUju1U9dp7Wrzdzz5Q9QjRH5NYZUIj
WU6K+CluBKhhcvnpTWs+5Qu7pEJfLIgvRHRFq6zlhw24gbExvo49Tv8LwXppzmPM
9ZzVfN55SGtq4LVRXMab/rI3oiTmBmjMaIyLMLr2Ov+l8wS+huaxche0jW8xITY2
Kg4uY8wwZTScbuDtpQT2BV9Kbhd1d1aKamaoziFyGd8o8wEPgfUacgC/684S9Wv4
p9fjIZY3crjXuYhjGrX/ba9SgutVll4KojxjnBoEbXn5N5PJCUaabj1r1zIQ+zB5
juNr8ZCUQRmKICuZ/kQFL3rC5D+3bzCAWOyciFg44w4kowHERdLq9g==
=yj9B
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 14 Nov 2007 07:26:51 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:14:46 2019; Machine Name: buxtehude