Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 906116 (CVE-2023-31489, CVE-2023-31490)

Summary: <net-misc/frr-9.0: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-11 04:51:37 UTC 
CVE-2023-31490 (https://github.com/FRRouting/frr/issues/13099):

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function.

Patch: https://github.com/FRRouting/frr/commit/44e90d5521c438b0dade42a3810cdb0d5d0479fc

CVE-2023-31489 (https://github.com/FRRouting/frr/issues/13098):

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_capability_llgr() function.

Patch: https://github.com/FRRouting/frr/commit/b1d33ec293e8e36fbb8766252f3b016d268e31ce

Patches are unreleased.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-05 17:18:14 UTC 
These seem to be in 9.0.
Comment 2 Alarig Le Lay 2023-11-10 08:12:42 UTC 
Hello,

We don’t have 8.4 in the tree, the lowest version is 8.5. Just to be sure, I tried to apply those patches but they are rejected.