quagga-bgpd: CVE-2017-16227: BGP session termination due to rather long AS paths in update messages

Debian Bug report logs - #879474
quagga-bgpd: CVE-2017-16227: BGP session termination due to rather long AS paths in update messages

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: quagga-bgpd: BGP session termination due to rather long AS paths in update messages

Date: Sun, 22 Oct 2017 01:48:13 +0200

[Message part 1 (text/plain, inline)]

Package: quagga-bgpd
Version: 1.1.1-3
Severity: important
Tags: security upstream

Dear Maintainer,

there is a longstanding bug in quagga where certain BGP update messages
cause a quagga bgpd to drop a session, possibly resulting in loss of
network connectivity.


Details:

Long paths in update messages are segmented in BGP, and the bug is in
the recalculation of the framing information if there are more than two
segments. The resulting data is invalid but will will be used for
redistribution. At least if the receiver is another quagga bgpd, that
message is rejected, eventually resulting in a BGP session termination.

The receiver's log (if written) contains an error message like
| BGP: 172.23.97.181: BGP type 2 length 3074 is too large, attribute total length is 2069.  attr_endp is 0x562feb368121.  endp is 0x562feb367d2c
then.

So if a site's BGP peers all run quagga, that site will lose network
connectivity due to frequent session termination. Additionally, the
repeated initial full table transfer will result in a significantly
bigger network load, I've seen around 1 MByte/sec/link, compared to
usually less than one 1 kbyte/sec/link.

Such extremely long AS paths have occured in the global BGP table at
least four times since June. Last time started on Oct 13th around 20:43
UTC and lasted until the following week.

All versions of quagga in Debian are affected.


How to fix:

Kudos to Andreas Jaggi who identified the bug and provided a fix[1].
After some hours of work I was able to reproduce the issue and can
confirm this patch resolves the issues for all versions of quagga in
Debian (wheezy, jessie, stretch = buster = sid). Details about the
setup available upon request, it's just some stuff to write down.


In my opinion this is serious enough to justify a security upload. If
stable security disagrees, please fix this in the next stable point
release.

Regards,
    Christoph

[1] https://lists.quagga.net/pipermail/quagga-dev/2017-September/033284.html
    http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=7a42b78be9a4108d98833069a88e6fddb9285008

[signature.asc (application/pgp-signature, inline)]

Message #12 received at 879474@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>, 879474@bugs.debian.org

Subject: Re: Bug#879474: quagga-bgpd: BGP session termination due to rather long AS paths in update messages

Date: Mon, 30 Oct 2017 06:13:39 +0100

Control: retitle -1 quagga-bgpd: CVE-2017-16227: BGP session termination due to rather long AS paths in update messages

On Sun, Oct 22, 2017 at 01:48:13AM +0200, Christoph Biedl wrote:
> Package: quagga-bgpd
> Version: 1.1.1-3
> Severity: important
> Tags: security upstream
> 
> Dear Maintainer,
> 
> there is a longstanding bug in quagga where certain BGP update messages
> cause a quagga bgpd to drop a session, possibly resulting in loss of
> network connectivity.

I requested a CVE and it got assigned CVE-2017-16227.

Will look into preparing update for jessie and stretch.

Regards,
Salvatore

Message #19 received at 879474@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 879474@bugs.debian.org

Cc: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>

Subject: Re: Bug#879474: quagga-bgpd: BGP session termination due to rather long AS paths in update messages

Date: Mon, 30 Oct 2017 21:04:34 +0100

Control: severity -1 serious

Hello!

Released DSA-4011-1 for quagga. Raising the severity on purpose of:
"fix in stable, not yet in testing which would be a regression in
security fix when updating" and thus marking as RC.

Regards,
Salvatore

Message #26 received at 879474@bugs.debian.org (full text, mbox, reply):

From: Hugo Lefeuvre <hle@debian.org>

To: 879474@bugs.debian.org

Cc: Salvatore Bonaccorso <carnil@debian.org>, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>, Scott Leggett <scott@sl.id.au>

Subject: Re: Bug#879474: quagga-bgpd: BGP session termination due to rather long AS paths in update messages

Date: Thu, 2 Nov 2017 12:24:53 +0100

[Message part 1 (text/plain, inline)]

Hi,

I have prepared an NMU fixing CVE-2017-16227 in unstable.

Scott, can you take a look ? If you want, you can also upload the
changes under your name, that's fine to me.

Without answer in the next days, I'll upload it in the DELAYED queue
to avoid the removal.

You can find a debdiff in attachment.

Cheers,
 Hugo

-- 
             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA

[debdiff (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #31 received at 879474@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Hugo Lefeuvre <hle@debian.org>, 879474@bugs.debian.org

Cc: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>, Scott Leggett <scott@sl.id.au>

Subject: Re: Bug#879474: quagga-bgpd: BGP session termination due to rather long AS paths in update messages

Date: Thu, 2 Nov 2017 12:44:28 +0100

Control: block -1 by 880522

Hi Hugo

On Thu, Nov 02, 2017 at 12:24:53PM +0100, Hugo Lefeuvre wrote:
> Hi,
> 
> I have prepared an NMU fixing CVE-2017-16227 in unstable.

I have the same NMU locally pending (actually trivially since I did
the upload for stretch and it's the same version ;-) sorry for not
letting know the bug), but I have refrained from uploading because I
think we should see what is the problem actually for #880522.

Regards,
Salvatore

Message #40 received at 879474@bugs.debian.org (full text, mbox, reply):

From: Scott Leggett <scott@sl.id.au>

To: Salvatore Bonaccorso <carnil@debian.org>, 879474@bugs.debian.org

Cc: Hugo Lefeuvre <hle@debian.org>, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>

Subject: Re: Bug#879474: quagga-bgpd: BGP session termination due to rather long AS paths in update messages

Date: Sun, 5 Nov 2017 23:16:43 +1100

[Message part 1 (text/plain, inline)]

On 2017-11-02.12:44, Salvatore Bonaccorso wrote:
> Control: block -1 by 880522
> 
> Hi Hugo
> 
> On Thu, Nov 02, 2017 at 12:24:53PM +0100, Hugo Lefeuvre wrote:
> > Hi,
> > 
> > I have prepared an NMU fixing CVE-2017-16227 in unstable.
> 
> I have the same NMU locally pending (actually trivially since I did
> the upload for stretch and it's the same version ;-) sorry for not
> letting know the bug), but I have refrained from uploading because I
> think we should see what is the problem actually for #880522.

Hi Salvatore, Hugo,

Thanks for preparing the NMU for stable, much appreciated! :-)

I've packaged upstream release 1.2.2 that fixes this bug (and several
others including #880522) in unstable. I'm waiting on sponsorship for
that upload [0].

[0] https://mentors.debian.net/package/quagga

-- 
Regards,
Scott.

[signature.asc (application/pgp-signature, inline)]

Message #45 received at 879474@bugs.debian.org (full text, mbox, reply):

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>

To: Scott Leggett <scott@sl.id.au>

Cc: Salvatore Bonaccorso <carnil@debian.org>, 879474@bugs.debian.org, Hugo Lefeuvre <hle@debian.org>

Subject: Re: Bug#879474: quagga-bgpd: BGP session termination due to rather long AS paths in update messages

Date: Sun, 5 Nov 2017 21:46:00 +0100

[Message part 1 (text/plain, inline)]

Scott Leggett wrote...

> I've packaged upstream release 1.2.2 that fixes this bug (and several
> others including #880522) in unstable. I'm waiting on sponsorship for
> that upload [0].

Did some tests, looks good. As I already wrote in private, if I should
sponsor an upload, drop me a line.

    Christoph

[signature.asc (application/pgp-signature, inline)]

Message #50 received at 879474-close@bugs.debian.org (full text, mbox, reply):

From: Scott Leggett <scott@sl.id.au>

To: 879474-close@bugs.debian.org

Subject: Bug#879474: fixed in quagga 1.2.2-1

Date: Sun, 12 Nov 2017 13:05:28 +0000

Source: quagga
Source-Version: 1.2.2-1

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879474@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Leggett <scott@sl.id.au> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 05 Nov 2017 22:11:44 +1100
Source: quagga
Binary: quagga quagga-core quagga-doc quagga-bgpd quagga-isisd quagga-ospf6d quagga-ospfd quagga-pimd quagga-ripd quagga-ripngd
Architecture: source amd64 all
Version: 1.2.2-1
Distribution: unstable
Urgency: medium
Maintainer: Scott Leggett <scott@sl.id.au>
Changed-By: Scott Leggett <scott@sl.id.au>
Description:
 quagga     - network routing daemons (metapackage)
 quagga-bgpd - BGP4/BGP4+ routing daemon
 quagga-core - network routing daemons (core abstraction layer)
 quagga-doc - network routing daemons (documentation)
 quagga-isisd - IS-IS routing daemon
 quagga-ospf6d - OSPF6 routing daemon
 quagga-ospfd - OSPF routing daemon
 quagga-pimd - PIM routing daemon
 quagga-ripd - RIPv1 routing daemon
 quagga-ripngd - RIPng routing daemon
Closes: 847106 857187 879474 879971 880522
Changes:
 quagga (1.2.2-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #879474, #857187).
   * Rework patches to apply against new upstream version.
   * Change zebra daemon GID to allow writing to /run/quagga (Closes: #880522).
   * Change group permissions on Quagga.conf (Closes: #847106).
   * Add missing build-dep on libc-ares-dev.
   * Add patch for documentation fixes (Closes: #879971).
Checksums-Sha1:
 5b4a661ac8edd5a477014716bb6bec090809926d 2593 quagga_1.2.2-1.dsc
 5aad3aca1ba179af6b70ba18afbc9c11c0b2f32b 2231866 quagga_1.2.2.orig.tar.gz
 34dfccf71682e6a950b178757ebc2a661c1411d9 32788 quagga_1.2.2-1.debian.tar.xz
 60ca22e2da4d8e5a3c394714595c0c18851587db 716852 quagga-bgpd-dbgsym_1.2.2-1_amd64.deb
 0b438bdda2b4343071ea081b9a91b4e224dca322 255440 quagga-bgpd_1.2.2-1_amd64.deb
 bc60b8df14bb2846aed8996eb0045fac2fe80c76 1385280 quagga-core-dbgsym_1.2.2-1_amd64.deb
 8ffd0137b2bba9a6ffa142926571e39e88fbf299 540488 quagga-core_1.2.2-1_amd64.deb
 e2b48cbaaefdaeed7180f41ec8b60e85d52468cd 884596 quagga-doc_1.2.2-1_all.deb
 d9b4e211a45067366fdcab770f8d87ed8ed76807 324600 quagga-isisd-dbgsym_1.2.2-1_amd64.deb
 98a1b03c1cf6a520e454c3850274fcfce3bd1370 125052 quagga-isisd_1.2.2-1_amd64.deb
 59678891ba7147ae6b6eeb918ecc6c223a917b8b 300800 quagga-ospf6d-dbgsym_1.2.2-1_amd64.deb
 8a6166edcac4295c66201bad2a27851031a1f544 123248 quagga-ospf6d_1.2.2-1_amd64.deb
 99aa06696f5d8077d5e00f8f9e355456da7d373b 22924 quagga-ospfd-dbgsym_1.2.2-1_amd64.deb
 8c01c62bd7492478030d9912f1a848b491fb14b2 31696 quagga-ospfd_1.2.2-1_amd64.deb
 fbba52f3fc61833a2e2216bb9b6bc58e18d0284b 283720 quagga-pimd-dbgsym_1.2.2-1_amd64.deb
 31661bd5197410867bffc3f76178fd537d81878a 112076 quagga-pimd_1.2.2-1_amd64.deb
 9c8243e5f9a2576b76e9361cd91cd46182eb7b58 123628 quagga-ripd-dbgsym_1.2.2-1_amd64.deb
 5ce9ef25a407798b121fd687a3849ebe44c28a0b 64368 quagga-ripd_1.2.2-1_amd64.deb
 7b39b50ce18d0e76d2f7951db1ec4bb2a492d623 108260 quagga-ripngd-dbgsym_1.2.2-1_amd64.deb
 fc944a8014f3c9c58cd34fbec15cd6c6302ed40b 56640 quagga-ripngd_1.2.2-1_amd64.deb
 4d280cd89ec207150362036da45d8a45df9aef18 14094 quagga_1.2.2-1_amd64.buildinfo
 d63e647a9fd4eca5d9ced152b31bc3569526a37a 23020 quagga_1.2.2-1_amd64.deb
Checksums-Sha256:
 2e97f0ae5b81b5a1f1092f454510f5e1bdc538d8f4921e5ac4b337af3709cc5e 2593 quagga_1.2.2-1.dsc
 475bd3ccef6c20839d70b82e22b33ee521759aee6249511bff4cbf1b9669e06b 2231866 quagga_1.2.2.orig.tar.gz
 53296f89b408dab8e1687c2ac8b9a4ebb4d84210d5f59ed17521d2c0f017c415 32788 quagga_1.2.2-1.debian.tar.xz
 2a0ea84db6fb60a65d69c942e56f1cb05e3e4b0ee8ef29a7a00f0108cbbf1647 716852 quagga-bgpd-dbgsym_1.2.2-1_amd64.deb
 4204150052a2806b679ffe89d0de0038e375a293575d3024dc5bed5be38f3651 255440 quagga-bgpd_1.2.2-1_amd64.deb
 c2e43ce27ae32bd917a67470c917f9a51bdb624336c9dd3853a78bd891a56987 1385280 quagga-core-dbgsym_1.2.2-1_amd64.deb
 e78d2ec10759daa2a861131e444bb83f8a9ff24fef14b78cecc2dffc9bf88473 540488 quagga-core_1.2.2-1_amd64.deb
 604fb59cc39cef9d41d6352b08791350c5c4abeded79ad50a36f66b363ef1583 884596 quagga-doc_1.2.2-1_all.deb
 8a161d03516ee39ca1720221ea2a0477e45cf19fcf0318514d598da8939e8ea6 324600 quagga-isisd-dbgsym_1.2.2-1_amd64.deb
 58c7bb6836337aaaa3a675dc22d4082f9508fb772d8f14105f034717515f1640 125052 quagga-isisd_1.2.2-1_amd64.deb
 8572d18a940156038b2f3ef512753cde594457d5ad8694ae39266193889a5244 300800 quagga-ospf6d-dbgsym_1.2.2-1_amd64.deb
 3ca8f400cc2b0e9735ce56bfe11624ca4fa3a174641ac1362c24e0978aa22787 123248 quagga-ospf6d_1.2.2-1_amd64.deb
 3f9559743b3e0a05f487559bf1af8c8157d0ad2f85ae7ea478340b469213d967 22924 quagga-ospfd-dbgsym_1.2.2-1_amd64.deb
 9c12b434c21daeefcc0309e450a2dd1941b216205444c127968ac9b642780307 31696 quagga-ospfd_1.2.2-1_amd64.deb
 07ee72615d4503837ecf1e6fadb0333758513674cf02dfeb65ea7de16286e329 283720 quagga-pimd-dbgsym_1.2.2-1_amd64.deb
 790e42c9cefb0db33b0621ef06cd1207fe65034174b33650992e76c20bbf3aa9 112076 quagga-pimd_1.2.2-1_amd64.deb
 c9c2928790744dfdc5e1eb0862ee555e2577280c02c6b81bf8db56383c808a40 123628 quagga-ripd-dbgsym_1.2.2-1_amd64.deb
 d935d1206d349be8815e9acdb7fd807f831d566bf53ce7f2acb0d1a834117dbe 64368 quagga-ripd_1.2.2-1_amd64.deb
 bc173c54dbc9b02839fcc33f59f786287fe93d172ca50b67e7760a8007c07825 108260 quagga-ripngd-dbgsym_1.2.2-1_amd64.deb
 f4296c1d2f17d54deb8e99699b0f81d7bdfa04a464ad2e85078f971c5b572751 56640 quagga-ripngd_1.2.2-1_amd64.deb
 a6d9218cf3c335150f5134a23bb23288d6c7969657527ad317677a365004d32d 14094 quagga_1.2.2-1_amd64.buildinfo
 220e97097547e9ef17d478c9ae72ab1c8be833d45b1e05f5e8015cffb7f0362e 23020 quagga_1.2.2-1_amd64.deb
Files:
 df4ad21254d75a416bb1ad16be726d97 2593 net optional quagga_1.2.2-1.dsc
 3b04d0343c87229328c45978a4c599ba 2231866 net optional quagga_1.2.2.orig.tar.gz
 1b05633a8e916215300e9cadf168b6ff 32788 net optional quagga_1.2.2-1.debian.tar.xz
 81e8e0439eb9b8d79df2f14f129aea2b 716852 debug optional quagga-bgpd-dbgsym_1.2.2-1_amd64.deb
 2f18f90b7b4ba5f478ddbe22720c37bc 255440 net optional quagga-bgpd_1.2.2-1_amd64.deb
 422c10276a00c03184cb00ee2c6ce55f 1385280 debug optional quagga-core-dbgsym_1.2.2-1_amd64.deb
 d0b4be0f3158869745b8981c9832cf8b 540488 net optional quagga-core_1.2.2-1_amd64.deb
 8d0df6ee3a406200b76f39157fac25a4 884596 doc optional quagga-doc_1.2.2-1_all.deb
 d456d99588f42c28dbf76a97aa1219d1 324600 debug optional quagga-isisd-dbgsym_1.2.2-1_amd64.deb
 b906e8988abaae1d284fd0d551d4c84a 125052 net optional quagga-isisd_1.2.2-1_amd64.deb
 37cf06f5068068820fc56000b495a0ed 300800 debug optional quagga-ospf6d-dbgsym_1.2.2-1_amd64.deb
 71ccde1c3495c077cc34d1da16860fe7 123248 net optional quagga-ospf6d_1.2.2-1_amd64.deb
 bff79dc86d4dd559fdbeb9d91f618e63 22924 debug optional quagga-ospfd-dbgsym_1.2.2-1_amd64.deb
 98ca5d7607d740d6d8ebf1aeadfbfc97 31696 net optional quagga-ospfd_1.2.2-1_amd64.deb
 df2a41467110095b43f77d5a777da235 283720 debug optional quagga-pimd-dbgsym_1.2.2-1_amd64.deb
 f1fb4308c8ddca35c52fa02c18096587 112076 net optional quagga-pimd_1.2.2-1_amd64.deb
 232d1bb4974d1ff61c9b0bceba5c1ba5 123628 debug optional quagga-ripd-dbgsym_1.2.2-1_amd64.deb
 22837ccdc91d22da1603c84180683105 64368 net optional quagga-ripd_1.2.2-1_amd64.deb
 d2bc1b58750d01facb8fa1651306003a 108260 debug optional quagga-ripngd-dbgsym_1.2.2-1_amd64.deb
 568a7d3aa7b7592740ba13e098f38ade 56640 net optional quagga-ripngd_1.2.2-1_amd64.deb
 ebb70a02a2550b48e41c3e1a6b2edc0a 14094 net optional quagga_1.2.2-1_amd64.buildinfo
 d7f24d6163f769b25a85a04d59899b8a 23020 net optional quagga_1.2.2-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCAAuFiEErvI0h4bzccaJpzYAlaQv6DU1JfkFAloIRDMQHGJlcm5hdEBs
dWZmeS5jeAAKCRCVpC/oNTUl+RBZEACWMCHLBLm2oYoTeYEF79BN22yRS0iE/843
VghsMXoe0kkDlkLud2fQMzo/82Cu8jNcvCIzWhXxd12Xtqf88452MpmvaM1er7js
bQDycYiDlGVN1N0a/DijoSq9KC0LDbciZNAVpL/7xm5j/8qHz2n5iCz+5kwdToxF
abLpAT072+0PhDNh0PW1guhAWmguJ4dyeAUrJ4dzfHCZqx5FxU+L4H3diHSZnbI7
JYuMrU8R31RLsAkERyk58KQNfb0pe4NqQM2qdOblBf0/ZJ0Aw1Wc4KAhaCAvB9uR
v//Fb8fADkMFNDLbC6Vn5JfzGuywBsYrE1tneo+Zs3imECV/nVeo2xFQcORbZm/4
B0Qk49i/lxd6vjBVDk0TDp+INF4vv5mJgnbUhkXOSsKvu/L705YOACqMynUQyHvl
ziGRt0LJF42CcPeHh4C8vlLHPZcII1JnhlAlgPA7Wtg75Qau0AbVkd0U+7pX+9G+
2+TRLKTpwx8ceyglOoozn6AMDjk1752WLRJyTcGwXiaIGpb+jrKCkoZkDzGBJwp1
m0iUkx7g1VqGh/5r3IOrGpEi3qsCgUWko6f15FV81F3jDcHPugs1XaASi7eSrt/W
Nw/ZmBBnTjvORbRoUSA6gsbzhSSDxpmgVcrUO6sEAxIFf4FthU2KVXTN1aaNzI41
FNOhatdeGw==
=3AvB
-----END PGP SIGNATURE-----

Message #55 received at 879474-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 879474-close@bugs.debian.org

Subject: Bug#879474: fixed in quagga 1.1.1-3+deb9u1

Date: Sun, 12 Nov 2017 15:34:36 +0000

Source: quagga
Source-Version: 1.1.1-3+deb9u1

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879474@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 30 Oct 2017 06:25:29 +0100
Source: quagga
Binary: quagga quagga-core quagga-doc quagga-bgpd quagga-isisd quagga-ospf6d quagga-ospfd quagga-pimd quagga-ripd quagga-ripngd
Architecture: source
Version: 1.1.1-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Scott Leggett <scott@sl.id.au>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 879474
Description: 
 quagga     - network routing daemons (metapackage)
 quagga-bgpd - BGP4/BGP4+ routing daemon
 quagga-core - network routing daemons (core abstraction layer)
 quagga-doc - network routing daemons (documentation)
 quagga-isisd - IS-IS routing daemon
 quagga-ospf6d - OSPF6 routing daemon
 quagga-ospfd - OSPF routing daemon
 quagga-pimd - PIM routing daemon
 quagga-ripd - RIPv1 routing daemon
 quagga-ripngd - RIPng routing daemon
Changes:
 quagga (1.1.1-3+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * bgpd: Fix AS_PATH size calculation for long paths (CVE-2017-16227)
     (Closes: #879474)
Checksums-Sha1: 
 c4ca2ee080fd3c4d75bd34d2e38b15e1149423d4 2766 quagga_1.1.1-3+deb9u1.dsc
 b18648e49719d88351d91bf6782dd534de735f88 2173432 quagga_1.1.1.orig.tar.gz
 7e8095d18ec0fee6bece66be8ff42a1712ac5c31 32744 quagga_1.1.1-3+deb9u1.debian.tar.xz
Checksums-Sha256: 
 7a213d555282b74df9de424fe34ba919b92e77edc282af9fab8abec30bba40b9 2766 quagga_1.1.1-3+deb9u1.dsc
 cd464dd5575dfcedc6ad590eced904290d9c5fded89984bfa5610657dfb412bc 2173432 quagga_1.1.1.orig.tar.gz
 671061449798fe3d70c5ef6e7c509093687d6c514da1cc958c1adf0d4afe7e25 32744 quagga_1.1.1-3+deb9u1.debian.tar.xz
Files: 
 7cc8d00c4e9ddfef29be77651d841b46 2766 net optional quagga_1.1.1-3+deb9u1.dsc
 1b63d3f9f1a0ba19ada60536c05eaaab 2173432 net optional quagga_1.1.1.orig.tar.gz
 bcd849d70adfec3280f8bf13c9264b01 32744 net optional quagga_1.1.1-3+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAln2uOBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EDeIP/jVN5yseysYmWb9WGC9kfGv5BXvzPEYQ
tgUJHF8NhfbG3w66lFGy6+TOnMq5MRt/I3K9yZ2gxW+HfFdGhPP7H3gVSE9YR3va
rnJrymGI7Vy9IB1TtLcnaRCWNfIhaVtgdi8nt1Y8EVnw+lpNTT2BmIumfp55wAJJ
HM4zWGAYy6gOiSGElZzbZm2NHBdYvBnPJaZMw27qf/axXhVkBcuQXuS9lv6xMg4X
/YPJerGDU7di0SPIp4QvUXBYm6m+YVF5tPNpBEp9NNOc4PMk37f5w8+hhbFZPTox
juvxjMq+xrcdtk+bPTnKY8cXGCWKwuWvaoHL6lKriahL25bg2RR1fpOxxGDqFoFu
1cT9HAt8jaTMUX3dOyCXhGO8sJhroKuO/gtHetb+KP1yY0pRh6Htb3E3ZchwoMdx
8DEejpKsuz+dexLC4eL5u6TpU/d/PdiMskTZMRoIHmyekpn20OLo94c12DPTHMQY
1fjDQs9/SY8LdT1IS32itPMVN04M7NwsFwdDAHL6DwOpOt+0PTbvOR1Ypa2+Xgoh
8xkCzpmyx6oAbqG+1g8j4Pbf4UhrZc5uXQ+bG0bcIHHmYotW93ZIeYSqLUqebEHQ
ei2KLjybsJ1T3786f4YfRSikzjyhWGVK5Dnr6Wj0sJSqiElMBlFBH0fDjd4bnnmY
6wXFZdWK5kCZ
=v6LG
-----END PGP SIGNATURE-----

Message #60 received at 879474-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 879474-close@bugs.debian.org

Subject: Bug#879474: fixed in quagga 0.99.23.1-1+deb8u4

Date: Sat, 18 Nov 2017 22:21:36 +0000

Source: quagga
Source-Version: 0.99.23.1-1+deb8u4

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879474@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 30 Oct 2017 06:38:36 +0100
Source: quagga
Binary: quagga quagga-dbg quagga-doc
Architecture: all source
Version: 0.99.23.1-1+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 879474
Description: 
 quagga     - BGP/OSPF/RIP routing daemon
 quagga-dbg - BGP/OSPF/RIP routing daemon (debug symbols)
 quagga-doc - documentation files for quagga
Changes:
 quagga (0.99.23.1-1+deb8u4) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * bgpd: Fix AS_PATH size calculation for long paths (CVE-2017-16227)
     (Closes: #879474)
Checksums-Sha1: 
 7a5ccdd7208ba03181cea4a379d599f14245376a 2335 quagga_0.99.23.1-1+deb8u4.dsc
 5d2f4e1c0afee677e607c35ce42d26da37cff9e6 39536 quagga_0.99.23.1-1+deb8u4.debian.tar.xz
 01dfd91b08b445e3e46fe90dccfc9cee1cd494a7 907776 quagga-doc_0.99.23.1-1+deb8u4_all.deb
Checksums-Sha256: 
 597a3623f5dda14bd27f278834c9e983c03dc7166f885b299fefffbc35db69e6 2335 quagga_0.99.23.1-1+deb8u4.dsc
 07d9fe87596388d2fef83227f4a8052c6dc59c5d01a11938ddd7b088b0797e3c 39536 quagga_0.99.23.1-1+deb8u4.debian.tar.xz
 1a630bf150dac87f2f6f854bfc1b136f1a5bcdf112b5e6513dacffc6fc53e538 907776 quagga-doc_0.99.23.1-1+deb8u4_all.deb
Files: 
 f0cc19c40d299e53b81721bb4e207079 2335 net optional quagga_0.99.23.1-1+deb8u4.dsc
 88ede271e6b4f65210864568b9356a69 39536 net optional quagga_0.99.23.1-1+deb8u4.debian.tar.xz
 371a0817c51592ad91187ebbdba6eb2e 907776 net optional quagga-doc_0.99.23.1-1+deb8u4_all.deb

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAln2171fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ErJYP/1nDZTKlczF/vgPq7VYe7kFKweaJRz6u
L8rOoU4LvbB6nPw1zlEtxku+iTPiGex3vmv1guZvsytPAlUKAAxPTnp4j8CGJOiP
uM38Jh6gfrGAb1vs8rN3R5+S/B+tbjyt+UBn0ZFOiceyCBjmYxLfrvwNJL6CQA2M
F2pVhGplk9u01ALxr0L1j/UvWwwo+x1lv3gJesSvWgI/1VGvT0387pPGICizE6YH
xsGCGwukLlIXCAj96272e2/u5tRBzz3+bKfIpTIZErZMfh4MYF+GKpKWMi4U5a8m
G2KbMyU76ml2+xYDxlcsHXX0cBV07+R5zZiPhkwCkExBwhgtvZyfkmEkvvUpuRZV
T0Vg43L9ID321jyuHHvR89X56YdtRfcoex8ZOl1CQzVwtiNZRZDeYtfHn6TrzcWY
aaSV8y7eXBTqQYhRLho2OVwhLSsoCBodpZYLa9vxBzSrv/2Gx+iCjSxyvyrnZiLr
eedy1BaCz3zpGxMdl/WU3g/aSjZa0aXdxAoAguyla8N1euayg/pJMRU7MOZolt12
LIrTzMS/kirMK9Ps0vpkFqaT+YX9M1urM5uqL7pNkL/BkWAQ1k22JqQCfbFk66mj
Q33rTTqtJk8MzyKBjjwrblxp7hj7VE8SMqHAPBKeSRgG8l7Qyxyp85I2EdsqTquw
pmbIkx9aXn7c
=gxbM
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.