Debian Bug report logs - #594262
quagga: Two BGP security problems fixed in 0.99.17
Reported by: Christian Hammers <ch@debian.org>
Date: Tue, 24 Aug 2010 23:21:02 UTC
Severity: grave
Tags: security
Found in version 0.99.16
Fixed in version quagga/0.99.17-1
Done: Christian Hammers <ch@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org: Bug#594262; Package quagga. (Tue, 24 Aug 2010 23:21:04 GMT)
Acknowledgement sent to Christian Hammers <ch@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org. (Tue, 24 Aug 2010 23:21:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: quagga
Version: 0.99.16
Severity: grave
Tags: security
Justification: user security hole
The release notes of quagga 0.99.17 on
http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100 mention that:
"This release provides two important bugfixes, which address remote crash
possibility in bgpd discovered by CROSS team. "
CVE IDs have already been requested by someone from RedHat on oss-security:
http://marc.info/?l=oss-security&m=128265627617285&w=2 but have not yet been
granted.
Meanwhile I upload 0.99.17 to sid and ask if 0.99.10 (lenny) is affected and if
there's a 0.99.16 backport for the frozen squeeze.
bye,
-christian-
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages quagga depends on:
ii adduser 3.112 add and remove users and groups
ii debconf [debconf-2.0] 1.5.35 Debian configuration management sy
ii iproute 20100519-3 networking and traffic control too
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libcap2 1:2.19-3 support for getting/setting POSIX.
ii libpam0g 1.1.1-4 Pluggable Authentication Modules l
ii libpcre3 8.02-1.1 Perl 5 Compatible Regular Expressi
ii libreadline6 6.1-3 GNU readline and history libraries
ii logrotate 3.7.8-6 Log rotation utility
quagga recommends no packages.
Versions of packages quagga suggests:
ii snmpd 5.4.3~dfsg-1 SNMP (Simple Network Management Pr
Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>: Bug#594262; Package quagga. (Wed, 25 Aug 2010 07:18:03 GMT)
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>: Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. (Wed, 25 Aug 2010 07:18:04 GMT)
Message #10 received at 594262@bugs.debian.org:
Hi Christian,
On Wednesday 25 August 2010, Christian Hammers wrote:
> Meanwhile I upload 0.99.17 to sid and ask if 0.99.10 (lenny) is affected
> and if there's a 0.99.16 backport for the frozen squeeze.
Good to hear that you're on top of it.
As for squeeze, from reading the changelog it looks like the nature of the
changes is all bugfixes - perhaps a freeze exception for 0.99.17 is possible
instead of backporting the patches?
Cheers,
Thijs
Reply sent to Christian Hammers <ch@debian.org>: You have taken responsibility. (Wed, 25 Aug 2010 23:03:09 GMT)
Notification sent to Christian Hammers <ch@debian.org>: Bug acknowledged by developer. (Wed, 25 Aug 2010 23:03:09 GMT)
Message #15 received at 594262-close@bugs.debian.org:
Source: quagga
Source-Version: 0.99.17-1
We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive:
quagga-doc_0.99.17-1_all.deb
to main/q/quagga/quagga-doc_0.99.17-1_all.deb
quagga_0.99.17-1.diff.gz
to main/q/quagga/quagga_0.99.17-1.diff.gz
quagga_0.99.17-1.dsc
to main/q/quagga/quagga_0.99.17-1.dsc
quagga_0.99.17-1_amd64.deb
to main/q/quagga/quagga_0.99.17-1_amd64.deb
quagga_0.99.17.orig.tar.gz
to main/q/quagga/quagga_0.99.17.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 594262@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Hammers <ch@debian.org> (supplier of updated quagga package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 25 Aug 2010 00:52:48 +0200
Source: quagga
Binary: quagga quagga-doc
Architecture: source all amd64
Version: 0.99.17-1
Distribution: unstable
Urgency: high
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Christian Hammers <ch@debian.org>
Description:
quagga - BGP/OSPF/RIP routing daemon
quagga-doc - documentation files for quagga
Closes: 594262
Changes:
quagga (0.99.17-1) unstable; urgency=high
.
* SECURITY:
"This release provides two important bugfixes, which address remote crash
possibility in bgpd discovered by CROSS team.":
1. Stack buffer overflow by processing certain Route-Refresh messages
CVE-2010-2948
2. DoS (crash) while processing certain BGP update AS path messages
CVE-2010-2949
Closes: #594262
Checksums-Sha1:
9e2578eabc22c9d477f94b6d78e83fa4d0a33085 1297 quagga_0.99.17-1.dsc
31f42fa9f4d96aadf1bf97c3d9bf3308eb0d56c1 2202151 quagga_0.99.17.orig.tar.gz
c648f7f37aaab9c14d288ba93cc8f14b6e52b21f 34072 quagga_0.99.17-1.diff.gz
71fc6062b36ef708c221d6f2219ac2e00fa0b01d 608588 quagga-doc_0.99.17-1_all.deb
f6478cdf1094f80ad1260d35c005ccd500b7bca0 1721314 quagga_0.99.17-1_amd64.deb
Checksums-Sha256:
7bad9aa0c93e3c9077f06fd016f4bbeb19bd1fb993248435ab2001e9ac7cda72 1297 quagga_0.99.17-1.dsc
1d77df121a334e9504b45e489ee7ce35bf478e27d33cd2793a23280b59d9efd4 2202151 quagga_0.99.17.orig.tar.gz
2be52026b53907462a10615c5c45820742129012d3df80df22bc3fa2a3ab5a31 34072 quagga_0.99.17-1.diff.gz
99c877ef1d183c06674632cf483e08f35e985a475f1630720a37ab13eb26143f 608588 quagga-doc_0.99.17-1_all.deb
d95b564c4989ca7ad0a7ce8cf52bacca1752d5f0dde98688fc7ebcc1f9b022f0 1721314 quagga_0.99.17-1_amd64.deb
Files:
c58450ec036b06457ac0be4f2ced26d2 1297 net optional quagga_0.99.17-1.dsc
37b9022adca04b03863d2d79787e643f 2202151 net optional quagga_0.99.17.orig.tar.gz
48d8ef0ed35c810a6fc1ffcde99f4537 34072 net optional quagga_0.99.17-1.diff.gz
5bcb7988d5fe45dc081b766151f12351 608588 doc optional quagga-doc_0.99.17-1_all.deb
fc8717143bb79d4cc8638003ae1582e2 1721314 net optional quagga_0.99.17-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkx1nu4ACgkQkR9K5oahGOa99wCg5LHN/G9px5+EHjwVidLZoxSC
a+gAn0geBQO2s4xYzpkTu+YPVgDXHD0N
=XGSI
-----END PGP SIGNATURE-----
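The .changes file above carries SHA-1, SHA-256 and MD5 digests plus the byte size of every uploaded artifact. The following is an added example, not Debian's own tooling (dscverify and apt perform this check in practice, and only after the OpenPGP signature on the .changes file has been verified, since an unsigned checksum list proves nothing). It parses a Checksums-* stanza and verifies the named files in a directory, distinguishing missing, truncated and modified files. PAGE_CHANGES_EXCERPT reproduces the checksum lines from this bug log; the file names and contents in demo() are constructed.

```python
import hashlib
import os
import re
import tempfile

# Checksum lines from the quagga 0.99.17-1 .changes file shown in this bug log.
PAGE_CHANGES_EXCERPT = """\
Checksums-Sha1:
 9e2578eabc22c9d477f94b6d78e83fa4d0a33085 1297 quagga_0.99.17-1.dsc
 31f42fa9f4d96aadf1bf97c3d9bf3308eb0d56c1 2202151 quagga_0.99.17.orig.tar.gz
 c648f7f37aaab9c14d288ba93cc8f14b6e52b21f 34072 quagga_0.99.17-1.diff.gz
 71fc6062b36ef708c221d6f2219ac2e00fa0b01d 608588 quagga-doc_0.99.17-1_all.deb
 f6478cdf1094f80ad1260d35c005ccd500b7bca0 1721314 quagga_0.99.17-1_amd64.deb
Checksums-Sha256:
 7bad9aa0c93e3c9077f06fd016f4bbeb19bd1fb993248435ab2001e9ac7cda72 1297 quagga_0.99.17-1.dsc
 1d77df121a334e9504b45e489ee7ce35bf478e27d33cd2793a23280b59d9efd4 2202151 quagga_0.99.17.orig.tar.gz
 2be52026b53907462a10615c5c45820742129012d3df80df22bc3fa2a3ab5a31 34072 quagga_0.99.17-1.diff.gz
 99c877ef1d183c06674632cf483e08f35e985a475f1630720a37ab13eb26143f 608588 quagga-doc_0.99.17-1_all.deb
 d95b564c4989ca7ad0a7ce8cf52bacca1752d5f0dde98688fc7ebcc1f9b022f0 1721314 quagga_0.99.17-1_amd64.deb
Files:
 c58450ec036b06457ac0be4f2ced26d2 1297 net optional quagga_0.99.17-1.dsc
"""

# One "<hexdigest> <size> <filename>" entry; leading whitespace is optional so
# that copies whose indentation was lost (as on this web page) still parse.
_ENTRY = re.compile(r"^\s*([0-9a-fA-F]+)\s+(\d+)\s+(\S+)\s*$")


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one Checksums-* stanza.

    The stanza ends at the first line that is not a digest entry, i.e. the
    next field header such as "Checksums-Sha256:" or "Files:".
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if not in_field:
            continue
        m = _ENTRY.match(line)
        if m is None:
            break
        digest, size, name = m.groups()
        entries[name] = (digest.lower(), int(size))
    return entries


def verify_files(entries, directory, algorithm="sha256"):
    """Check each listed file; return {filename: status}.

    Status is one of "ok", "missing", "size-mismatch" or "hash-mismatch".
    Size is checked first because it is cheap and catches truncation.
    """
    results = {}
    for name, (expected_digest, expected_size) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != expected_size:
            results[name] = "size-mismatch"
            continue
        h = hashlib.new(algorithm)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == expected_digest else "hash-mismatch"
    return results


def demo():
    """Constructed scenario: one intact, one modified, one truncated, one missing file."""
    good = b"constructed payload for checksum demo\n"
    digest = hashlib.sha256(good).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.tar.gz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "tampered.deb"), "wb") as f:
            f.write(good.upper())          # same length, different bytes
        with open(os.path.join(d, "truncated.diff.gz"), "wb") as f:
            f.write(good[:-1])             # one byte short
        # Constructed stanza that claims the genuine digest and size for all four.
        changes = "Checksums-Sha256:\n" + "".join(
            f" {digest} {len(good)} {name}\n"
            for name in ("good.tar.gz", "tampered.deb", "truncated.diff.gz", "missing.dsc")
        ) + "Files:\n"
        return verify_files(parse_checksums(changes), d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:14} {name}")
```

Run the signature check first (for example with gpg --verify on the .changes file) and only then trust the digests; the Sha1 and MD5 stanzas are kept for compatibility, and a mismatch in any one of them should be treated as a failed verification.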
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#594262; Package quagga. (Wed, 25 Aug 2010 23:15:03 GMT)
Acknowledgement sent to Christian Hammers <ch@debian.org>: Extra info received and forwarded to list. (Wed, 25 Aug 2010 23:15:03 GMT)
Message #20 received at 594262@bugs.debian.org:
Hello Jan,
I read on oss-security-l and the RedHat bugzilla that you've done some
investigations on the recent Quagga BGP security bugs and even
checked if older releases are vulnerable, too.
As they are, I wonder if you will try to backport patches for the older
versions of Quagga that were shipped e.g. with RHEL4 or if you just
upload 0.99.17. At Debian we usually try to be very conservative and
backport patches whenever possible but the GIT changesets you mentioned
look a bit too invasive to me :-(
bye,
-christian-
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 23 Sep 2010 07:36:27 GMT)
Last modified: Wed Jun 19 15:57:36 2019