| Summary: | <net-misc/bird-2.0.8 does not provide functionality for password authentication of BGP peers | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Petr Vaněk <arkamar> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | normal | CC: | alarig, proxy-maint, zubkov318 |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | C3 [cleanup] | ||
| Package list: | Runtime testing required: | --- | |
Description
Petr Vaněk
2023-03-07 20:14:21 UTC
This is nonsense. Somebody involved in this CVE did not do their homework properly. BIRD has supported TCP MD5 auth for BGP since ~14 years ago: https://gitlab.nic.cz/labs/bird/-/commit/d51aa2819005a03e4cfb6f62333be6ccadfb3c06

Yes, it does not seem to be correct, see also this thread: https://bird.network.cz/pipermail/bird-users/2023-March/016761.html. It appeared on the list today.

Petr: Is there a fix in bird-2.0.8? Or is the CVE invalid? We don't have to track it here if it's bogus.

It is bogus. Upstream will submit a request to reject this CVE [1].

[1] http://trubka.network.cz/pipermail/bird-users/2023-March/016766.html

The CVE is DISPUTED by upstream, which claims that the functionality was added in 1.0.12 [1].

[1] http://trubka.network.cz/pipermail/bird-users/2023-March/016763.html