quagga: CVE-2016-4036

Related Vulnerabilities: CVE-2016-4036   CVE-2016-4049  

Debian Bug report logs - #835223


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 23 Aug 2016 16:30:10 UTC

Severity: important

Tags: security

Found in versions quagga/0.99.22.4-1, quagga/0.99.23.1-1

Fixed in versions quagga/0.99.23.1-1+deb8u2, quagga/1.0.20160315-2

Done: Hugo Lefeuvre <hle@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christian Brunotte <ch@debian.org>:
Bug#835223; Package src:quagga. (Tue, 23 Aug 2016 16:30:14 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christian Brunotte <ch@debian.org>. (Tue, 23 Aug 2016 16:30:14 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: quagga: CVE-2016-4036
Date: Tue, 23 Aug 2016 18:28:51 +0200
Source: quagga
Version: 0.99.23.1-1
Severity: important
Tags: security

Hi,

the following vulnerability was published for quagga.

CVE-2016-4036[0]:
| The quagga package before 0.99.23-2.6.1 in openSUSE and SUSE Linux
| Enterprise Server 11 SP 1 uses weak permissions for /etc/quagga, which
| allows local users to obtain sensitive information by reading files in
| the directory.

Although the description from MITRE mentions openSUSE and SUSE Linux
Enterprise Server 11 SP explicitly, the issue affects the Debian package
in a similar way as well.

Filing the bug report to have it tracked as well in the BTS.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-4036

Regards,
Salvatore
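
The weak-permission issue described above, as an added example that is not part of the bug report or of the quagga package: a small Python audit that lists entries under a configuration directory readable by any local user, then strips "other" access while keeping group access for the daemons. The directory it works on is a constructed temp-dir stand-in for /etc/quagga, and the hardened modes (0o750 for directories, 0o640 for files) are an assumption, not the modes chosen by the Debian fix.

```python
import stat
import tempfile
from pathlib import Path

# Audit for a CVE-2016-4036-style exposure: files under a config directory
# such as /etc/quagga that any local user can read. The hardened modes
# (0o750 for directories, 0o640 for files) are an assumption made for this
# example, not the modes chosen by the Debian package.
DIR_MODE, FILE_MODE = 0o750, 0o640

def _entries(root):
    """Yield (path, mode) for root and everything below it, skipping symlinks."""
    for path in [root, *sorted(root.rglob("*"))]:
        mode = path.lstat().st_mode
        if not stat.S_ISLNK(mode):
            yield path, mode

def world_readable_entries(root):
    """Relative paths readable by 'other' ('.' is the root itself). A directory
    is flagged when it is world-readable or world-searchable."""
    root = Path(root)
    found = []
    for path, mode in _entries(root):
        if mode & stat.S_IROTH or (stat.S_ISDIR(mode) and mode & stat.S_IXOTH):
            found.append(str(path.relative_to(root)))
    return found

def harden(root):
    """Drop 'other' access but keep group access, so a daemon running under
    the directory's group can still read its configs. Returns count changed."""
    changed = 0
    for path, mode in _entries(Path(root)):
        want = DIR_MODE if stat.S_ISDIR(mode) else FILE_MODE
        if stat.S_IMODE(mode) != want:
            path.chmod(want)
            changed += 1
    return changed

def make_sample_tree():
    """Constructed stand-in for /etc/quagga: bgpd.conf is world-readable (the
    vulnerable case); zebra.conf is already group-only and must not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="quagga-audit-"))
    root.chmod(0o755)
    for name, mode in (("bgpd.conf", 0o644), ("zebra.conf", 0o640)):
        (root / name).write_text("! constructed sample\npassword example-secret\n")
        (root / name).chmod(mode)
    return root
```

Run `world_readable_entries("/etc/quagga")` on a real host to audit it; `harden` is only safe there if the daemons run under the directory's group.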



Marked as found in versions quagga/0.99.22.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Aug 2016 19:36:10 GMT)


Reply sent to Hugo Lefeuvre <hle@debian.org>:
You have taken responsibility. (Sun, 28 Aug 2016 12:54:19 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 28 Aug 2016 12:54:19 GMT)


Message #12 received at 835223-close@bugs.debian.org:

From: Hugo Lefeuvre <hle@debian.org>
To: 835223-close@bugs.debian.org
Subject: Bug#835223: fixed in quagga 0.99.23.1-1+deb8u2
Date: Sun, 28 Aug 2016 12:47:58 +0000
Source: quagga
Source-Version: 0.99.23.1-1+deb8u2

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 835223@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hugo Lefeuvre <hle@debian.org> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 22 Aug 2016 10:27:07 +0200
Source: quagga
Binary: quagga quagga-dbg quagga-doc
Architecture: source amd64 all
Version: 0.99.23.1-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Hugo Lefeuvre <hle@debian.org>
Description:
 quagga     - BGP/OSPF/RIP routing daemon
 quagga-dbg - BGP/OSPF/RIP routing daemon (debug symbols)
 quagga-doc - documentation files for quagga
Closes: 822787 835223
Changes:
 quagga (0.99.23.1-1+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2016-4049: Missing size check in bgp_dump_routes_func in
     bgpd/bgp_dump.c allowing DoS (Closes: #822787).
   * CVE-2016-4036: World readable sensitive files in /etc/quagga
     (Closes: #835223).





Reply sent to Hugo Lefeuvre <hle@debian.org>:
You have taken responsibility. (Sun, 11 Sep 2016 22:27:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 11 Sep 2016 22:27:14 GMT)


Message #17 received at 835223-close@bugs.debian.org:

From: Hugo Lefeuvre <hle@debian.org>
To: 835223-close@bugs.debian.org
Subject: Bug#835223: fixed in quagga 1.0.20160315-2
Date: Sun, 11 Sep 2016 22:23:03 +0000
Source: quagga
Source-Version: 1.0.20160315-2

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 835223@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hugo Lefeuvre <hle@debian.org> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 11 Sep 2016 21:37:00 +0200
Source: quagga
Binary: quagga quagga-dbg quagga-doc
Architecture: source amd64 all
Version: 1.0.20160315-2
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Hugo Lefeuvre <hle@debian.org>
Description:
 quagga     - BGP/OSPF/RIP routing daemon
 quagga-dbg - BGP/OSPF/RIP routing daemon (debug symbols)
 quagga-doc - documentation files for quagga
Closes: 822787 835223
Changes:
 quagga (1.0.20160315-2) unstable; urgency=high
 .
   * QA upload.
   * Run wrap-and-sort.
   * debian/control:
     - Set QA group as maintainer, as Christian orphaned the package (see
       #837358).
     - Bump Standards-Version to 3.9.8.
   * SECURITY:
     - CVE-2016-4049: Missing size check in bgp_dump_routes_func in
       bgpd/bgp_dump.c allowing DoS (Closes: #822787).
     - CVE-2016-4036: World readable sensitive files in /etc/quagga
       (Closes: #835223).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 12 Oct 2016 07:26:52 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:58:51 2019; Machine Name: buxtehude
