Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 906116 (CVE-2023-31489, CVE-2023-31490) - <net-misc/frr-9.0: multiple vulnerabilities
Summary: <net-misc/frr-9.0: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2023-31489, CVE-2023-31490
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-11 04:51 UTC by John Helmert III
Modified: 2023-12-27 00:22 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-11 04:51:37 UTC 
CVE-2023-31490 (https://github.com/FRRouting/frr/issues/13099):

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function.

Patch: https://github.com/FRRouting/frr/commit/44e90d5521c438b0dade42a3810cdb0d5d0479fc

CVE-2023-31489 (https://github.com/FRRouting/frr/issues/13098):

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_capability_llgr() function.

Patch: https://github.com/FRRouting/frr/commit/b1d33ec293e8e36fbb8766252f3b016d268e31ce

Patches are unreleased.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-05 17:18:14 UTC 
These seem to be in 9.0.
Comment 2 Alarig Le Lay 2023-11-10 08:12:42 UTC 
Hello,

We don’t have 8.4 in the tree, the lowest version is 8.5. Just to be sure, I tried to apply those patches but they are rejected.