
Bug 174206 (CVE-2007-1995)

Summary: net-misc/quagga DoS (CVE-2007-1995)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: mrness, yoswink
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.quagga.net/news2.php?y=2007&m=4&d=8
Whiteboard: B3 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 20:10:46 UTC
2007-04-08: Security: DoS in bgpd if configured peer sends crafted packet 
The bgpd daemon is vulnerable to a Denial-of-Service. Configured peers may cause a Quagga bgpd to, typically, assert() and abort. The DoS may be triggered by peers by sending an UPDATE message with a crafted, malformed Multi-Protocol reachable/unreachable NLRI attribute. Further details, and a proposed fix for Quagga 0.99, are available in Bug #354.
Comment 1 Alin Năstac (RETIRED) gentoo-dev 2007-04-12 07:41:11 UTC
Fixed in quagga-0.98.6-r2 and quagga-0.99.6-r1.

Only quagga-0.98.6-r2 needs to be stabilized, the other being the development version (has only ~arch keywords).
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-12 09:21:56 UTC
Arches please test and mark stable. Target keywords are:

quagga-0.98.6-r2.ebuild:KEYWORDS="alpha ~amd64 ~arm hppa ppc ~s390 sparc x86"
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2007-04-12 10:35:29 UTC
x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2007-04-12 21:13:18 UTC
Stable for HPPA.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-13 14:42:16 UTC
sparc stable.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-13 16:32:44 UTC
ppc stable
Comment 7 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-04-14 14:28:35 UTC
alpha stable. security, ready for you guys.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-14 14:51:08 UTC
This one is ready for GLSA decision. I tend to vote NO.
Comment 9 Daniel Black (RETIRED) gentoo-dev 2007-04-20 09:28:17 UTC
no here too.
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2007-04-23 15:23:07 UTC
kinda tend to vote yes
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-23 20:01:05 UTC
I vote yes since the issue seems not so difficult to trigger. Let's have one then.
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-27 21:45:58 UTC
(In reply to comment #7)
> alpha stable. security, ready for you guys.
> 

errr.. don't forget to commit it :)
Comment 13 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-04-30 09:02:58 UTC
(In reply to comment #12)
> (In reply to comment #7)
> > alpha stable. security, ready for you guys.
> > 
> 
> errr.. don't forget to commit it :)
> 

Grrr .... Sorry guys, I was on holidays. Now it's done.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 11:34:16 UTC
GLSA 200705-05