quagga: CVE-2018-5378 CVE-2018-5379 CVE-2018-5380 CVE-2018-5381

Debian Bug report logs - #890563
quagga: CVE-2018-5378 CVE-2018-5379 CVE-2018-5380 CVE-2018-5381


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 15 Feb 2018 22:42:05 UTC

Severity: serious

Tags: fixed-upstream, security, upstream

Found in version quagga/1.1.1-1

Fixed in versions quagga/1.1.1-3+deb9u2, quagga/1.2.4-1

Done: Brett Parker <iDunno@sommitrealweird.co.uk>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Scott Leggett <scott@sl.id.au>:
Bug#890563; Package src:quagga. (Thu, 15 Feb 2018 22:42:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Scott Leggett <scott@sl.id.au>. (Thu, 15 Feb 2018 22:42:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: quagga: CVE-2018-5378 CVE-2018-5379 CVE-2018-5380 CVE-2018-5381
Date: Thu, 15 Feb 2018 23:41:06 +0100
Source: quagga
Version: 1.1.1-1
Severity: serious
Tags: security upstream fixed-upstream
Justification: security update done via DSA-4115-1; regression from stable

Hi,

the following vulnerabilities were published for quagga.

CVE-2018-5378[0]:
invalid attr length sends NOTIFY with data overrun

CVE-2018-5379[1]:
Fix double free of unknown attribute

CVE-2018-5380[2]:
debug print of received NOTIFY data can over-read msg array

CVE-2018-5381[3]:
fix infinite loop on certain invalid OPEN messages

See [4] for the announcement.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5378
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5378
[1] https://security-tracker.debian.org/tracker/CVE-2018-5379
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5379
[2] https://security-tracker.debian.org/tracker/CVE-2018-5380
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5380
[3] https://security-tracker.debian.org/tracker/CVE-2018-5381
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5381
[4] https://savannah.nongnu.org/forum/forum.php?forum_id=9095

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
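The four entries above are all bounds or progress failures in bgpd's message parsing: a NOTIFY built from an attribute whose declared length does not match the data, an over-read when printing received NOTIFY data, and a loop that never terminates on a malformed OPEN (the double free, CVE-2018-5379, is a lifetime bug and is not modelled here). The page does not show the faulty code paths, so the walker below is an added illustration of the defensive discipline, not Quagga's code. It walks the optional-parameter area of a BGP OPEN body (RFC 4271 section 4.2: Type, Length, Value entries), checks that each header and each declared Length fits in what remains, and refuses to continue when an entry consumes nothing. `consume_param_buggy`, the sample byte strings and all function names are constructed for this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of walking a length-prefixed list, here the optional-parameter
 * area of a BGP OPEN body (RFC 4271 s4.2: Type(1) Length(1) Value(Length)). */
enum walk_result {
    WALK_OK = 0,        /* every entry fit and the loop ended exactly at len */
    WALK_TRUNCATED = 1, /* an entry's header or declared Length ran past len */
    WALK_STUCK = 2      /* an entry consumed nothing; unguarded code spins here */
};

/* A per-entry consumer: given the bytes from the cursor to the end of the
 * buffer, parse one entry and return the octets it occupied, or -1 if the
 * entry does not fit. Modelled on sub-parsers that advance a shared stream. */
typedef long (*consume_fn)(const uint8_t *p, size_t avail);

#define OPT_HDR 2u

/* Correct consumer: header must fit, Value must fit, size is header + Value. */
static long consume_param(const uint8_t *p, size_t avail)
{
    if (avail < OPT_HDR)
        return -1;
    size_t plen = p[1];
    if (OPT_HDR + plen > avail)
        return -1;
    return (long)(OPT_HDR + plen);
}

/* Buggy consumer (constructed for the demo): reports only the Value length
 * as consumed, so a zero-length parameter consumes nothing. It never reads
 * past avail itself, so the demo stays free of undefined behaviour. */
static long consume_param_buggy(const uint8_t *p, size_t avail)
{
    if (avail < OPT_HDR)
        return -1;
    return (long)p[1];
}

/* Hardened outer loop: bounds the cursor, bounds each entry, and insists on
 * progress. The progress check turns a would-be infinite loop into a clean
 * "send NOTIFICATION and close" decision instead of a hung daemon. */
static enum walk_result walk_params(const uint8_t *buf, size_t len,
                                    consume_fn consume, unsigned *nparams)
{
    size_t off = 0;
    *nparams = 0;
    while (off < len) {
        long used = consume(buf + off, len - off);
        if (used < 0)
            return WALK_TRUNCATED;
        if (used == 0)
            return WALK_STUCK;                /* no progress: refuse to spin */
        if ((size_t)used > len - off)
            return WALK_TRUNCATED;            /* consumer over-reported */
        off += (size_t)used;
        (*nparams)++;
    }
    return WALK_OK;
}

/* Convenience: parameter count on success, negative walk_result otherwise. */
static int param_count(const uint8_t *buf, size_t len, consume_fn consume)
{
    unsigned n;
    enum walk_result r = walk_params(buf, len, consume, &n);
    return r == WALK_OK ? (int)n : -(int)r;
}

/* Constructed samples. sample_good: an empty Capabilities parameter (type 2,
 * length 0) followed by a Capabilities parameter carrying one Multiprotocol
 * capability (code 1, length 4, AFI 1 / SAFI 1). sample_oversize declares a
 * Length of 10 with only 2 octets behind it. sample_cut ends mid-header. */
static const uint8_t sample_good[]     = { 0x02, 0x00, 0x02, 0x06, 0x01, 0x04, 0x00, 0x01, 0x00, 0x01 };
static const uint8_t sample_oversize[] = { 0x02, 0x0a, 0x01, 0x04 };
static const uint8_t sample_cut[]      = { 0x02 };

int main(void)
{
    printf("good, correct consumer : %d\n", param_count(sample_good, sizeof sample_good, consume_param));
    printf("oversize Length        : %d\n", param_count(sample_oversize, sizeof sample_oversize, consume_param));
    printf("cut header             : %d\n", param_count(sample_cut, sizeof sample_cut, consume_param));
    printf("good, buggy consumer   : %d\n", param_count(sample_good, sizeof sample_good, consume_param_buggy));
    return 0;
}
```

The three checks in `walk_params` are independent of what the consumer does, which is the point: a sub-parser that miscounts or trusts a peer-supplied length is caught at the outer loop rather than hanging the daemon or reading past the message. A parser that reaches `WALK_TRUNCATED` or `WALK_STUCK` should close the session with a NOTIFICATION built only from bytes it has actually validated.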



Marked as fixed in versions quagga/1.1.1-3+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 15 Feb 2018 22:45:03 GMT)


Reply sent to Brett Parker <iDunno@sommitrealweird.co.uk>:
You have taken responsibility. (Sun, 18 Mar 2018 15:51:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 18 Mar 2018 15:51:07 GMT)


Message #12 received at 890563-close@bugs.debian.org:

From: Brett Parker <iDunno@sommitrealweird.co.uk>
To: 890563-close@bugs.debian.org
Subject: Bug#890563: fixed in quagga 1.2.4-1
Date: Sun, 18 Mar 2018 15:49:59 +0000
Source: quagga
Source-Version: 1.2.4-1

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890563@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brett Parker <iDunno@sommitrealweird.co.uk> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 17 Mar 2018 15:33:00 +0000
Source: quagga
Binary: quagga quagga-core quagga-doc quagga-bgpd quagga-isisd quagga-ospf6d quagga-ospfd quagga-pimd quagga-ripd quagga-ripngd
Architecture: source
Version: 1.2.4-1
Distribution: unstable
Urgency: medium
Maintainer: Brett Parker <iDunno@sommitrealweird.co.uk>
Changed-By: Brett Parker <iDunno@sommitrealweird.co.uk>
Description:
 quagga     - network routing daemons (metapackage)
 quagga-bgpd - BGP4/BGP4+ routing daemon
 quagga-core - network routing daemons (core abstraction layer)
 quagga-doc - network routing daemons (documentation)
 quagga-isisd - IS-IS routing daemon
 quagga-ospf6d - OSPF6 routing daemon
 quagga-ospfd - OSPF routing daemon
 quagga-pimd - PIM routing daemon
 quagga-ripd - RIPv1 routing daemon
 quagga-ripngd - RIPng routing daemon
Closes: 884919 890563
Changes:
 quagga (1.2.4-1) unstable; urgency=medium
 .
   * New maintainer (Closes: #884919)
   * New upstream release (Closes: #890563)
     - Fixes CVE-2018-5278
     - Fixes CVE-2018-5279
     - Fixes CVE-2018-5280
     - Fixes CVE-2018-5281
Checksums-Sha1:
 ab5e6e27ad132f022a4e1375b59bf75dfe9be878 2581 quagga_1.2.4-1.dsc
 bc891de7c979fb04d14fc74a5f5da9c42192660c 2937122 quagga_1.2.4.orig.tar.gz
 551cb16e6a73c84b7174e127809c19511cf2cb6e 28364 quagga_1.2.4-1.debian.tar.xz
 0d16588066a7d003d91d0b145a0793cf918cdcac 10125 quagga_1.2.4-1_source.buildinfo
Checksums-Sha256:
 d68931487c8a92710eacfbc50b635a092e766533db3021e5c42d447f709ebdf6 2581 quagga_1.2.4-1.dsc
 4d1b28f215c661deab421c744b0502aadeac90b3497db3bf2bf454fcf339281f 2937122 quagga_1.2.4.orig.tar.gz
 e2c518efc6a30158056d81c9e3ff37941642a974c2b1f3523473909eac9c722e 28364 quagga_1.2.4-1.debian.tar.xz
 f79cf3511494dd95ae7c2b9287de6b4b876c650e87137627ac7f9fa08d60fd5c 10125 quagga_1.2.4-1_source.buildinfo
Files:
 e7e806d1a1c8ab93364ee18bca814962 2581 net optional quagga_1.2.4-1.dsc
 59c94f0adbc2d9ec5486e47031c3382b 2937122 net optional quagga_1.2.4.orig.tar.gz
 2e889071ca271930392b45ce6ed0329f 28364 net optional quagga_1.2.4-1.debian.tar.xz
 7c9ab2d48e78759a3a1e6c8720e83ea1 10125 net optional quagga_1.2.4-1_source.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Apr 2018 07:29:16 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:13:36 2019; Machine Name: buxtehude
