From http://quagga.net/news2.php?y=2007&m=9&d=7 : This release fixes two potential DoS conditions in bgpd, reported by Mu Security, where a bgpd could be crashed if a peer sent a malformed OPEN message or a malformed COMMUNITY attribute. Only configured peers can do this, hence we consider these issues to be very low impact. Patches are linked at Redhat (URL)
mrness, please provide an updated ebuild
I cannot do it until I have an AS4 patch for quagga 0.99.9.
Could you then backport the patches, maybe? "Several weeks" is a little too long for a security bug. According to the RH bug, that should be these: http://cvs.quagga.net/cgi-bin/viewcvs.cgi/quagga/bgpd/bgp_attr.c.diff?r1=1.23&r2=1.24&diff_format=h http://cvs.quagga.net/cgi-bin/viewcvs.cgi/quagga/bgpd/bgp_community.c.diff?r1=1.7&r2=1.8&diff_format=h
I've backported those patches in quagga-0.98.6-r3 and quagga-0.99.7-r1. Arches, please mark quagga-0.98.6-r3 as stable (leave quagga-0.99.7-r1 as is). @amd64: I know you didn't receive a request for stabilization, but could you please do it anyway?
Stable for HPPA.
This is CVE-2007-4826.
x86 stable
ppc stable
alpha stable, thanks Tobias
Marked stable on amd64.
sparc stable
GLSA request filed.
hmm, there should be a vote first. "we consider these issues to be very low impact" => I vote NO.
(In reply to comment #13) > "we consider these issues to be very low impact" => I vote NO. I imagine an ISP would be concerned about it. If I had dozens of BGP peers, I wouldn't want to leave my router at the mercy of my peers.
Thx for the comment Alin. I tend to vote YES.
I vote no. Very low threat. Let's suppose that some ISPs could use quagga on Linux (hum....). I don't really think that an ISP could play that in a civilized environment. It would finish in court.
I agree Linux routers are no match for high end Cisco routers in terms of processing power (obviously an embedded solution with virtually unlimited numbers of specialized CPUs will always outclass a general purpose OS with up to 8 x86 CPUs). However, I think quagga is used by big boys and the proof of that is the AS4 patch, made and maintained by a RIPE employee. If they aren't using it, why the hell do they do that? I have a grin on my face every time I hear someone saying they are secure because they have applied all updates from glsa-check. C'mon, this package is very popular among security conscious type of people. How hard could it be to cut-n-paste from other security alerts?
mrness: we can't cut and paste from other advisories, they are copyrighted (at least in the U.S.). A BGP peer router would have to be compromised in order for this to even be possible. If the upstream router has been compromised, you've got *far* more to worry about than a DoS. I vote no.
Well, others did their homework and released an advisory. In our parallel world however, this remotely exploitable DoS bug doesn't deserve the hassle of releasing such an advisory. Just close this bug. Happy slacking...
I've been slacking for sure but matt, p-y, falco and others certainly have not. They're simply overwhelmed by bugs :( AFAIK if one of your peers is compromised you have far worse things to worry about than DoS. Voting NO and closing. Feel free to convince me otherwise and I'll make the draft myself.