Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 359903 (CVE-2010-1674) - <net-misc/quagga-0.99.18 BGP DoS (CVE-2010-{1674,1675})
Summary: <net-misc/quagga-0.99.18 BGP DoS (CVE-2010-{1674,1675})
Alias: CVE-2010-1674
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: 360091
  Show dependency tree
Reported: 2011-03-22 09:48 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2012-02-21 18:44 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Build log (quagga-0.99.18:20110322-130455.log,2.12 KB, text/plain)
2011-03-22 14:02 UTC, Agostino Sarubbo
no flags Details
realms patch adopted to 0.99.18 (quagga-0.99.18-realms-test2-gentoo.patch,54.14 KB, text/x-patch)
2011-05-12 12:08 UTC, Oleg Gawriloff
no flags Details
ebuild with realms patch (quagga-0.99.18-r1.ebuild,3.39 KB, text/plain)
2011-05-12 12:10 UTC, Oleg Gawriloff
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Diego Elio Pettenò (RETIRED) gentoo-dev 2011-03-22 09:48:54 UTC
Ebuild is already in tree.
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-22 12:43:15 UTC
Arches, please stabilize =net-misc/quagga-0.99.18
Comment 2 Agostino Sarubbo gentoo-dev 2011-03-22 14:02:29 UTC
Created attachment 266865 [details]
Build log
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-03-22 16:45:39 UTC
Comment on attachment 266865 [details]
Build log

Yes, realms patch fails to build again and even opsfapi will break.

Fixing this stuff now, sigh.
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-03-22 17:07:08 UTC
k, no revision bump and the updated ebuild that drops USE=realms and builds with USE=ospfapi is in tree.
Comment 5 Agostino Sarubbo gentoo-dev 2011-03-22 18:09:12 UTC
amd64 ok
Comment 6 Christoph Mende (RETIRED) gentoo-dev 2011-03-22 18:32:55 UTC
amd64 done, thanks Agostino
Comment 7 Andreas Schürch gentoo-dev 2011-03-23 13:17:26 UTC
It looks good now on x86.

Thanks Diego!
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-03-23 17:28:40 UTC
ppc stable
Comment 9 Thomas Kahle (RETIRED) gentoo-dev 2011-03-24 08:09:04 UTC
x86 stable. Many thanks Andreas.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2011-03-24 23:56:58 UTC
Stable for HPPA.
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2011-03-26 20:06:54 UTC
Stable on alpha.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2011-04-02 15:45:58 UTC
arm/s390/sparc stable
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-04-02 22:16:35 UTC
Thanks, everyone. From $URL:

Quagga 0.99.18 has been released, and is available in the usual place.

This release fixes 2 denial of services in bgpd, which can be remotely triggered by malformed AS-Pathlimit or Extended-Community attributes. These issues have been assigned CVE-2010-1674 and CVE-2010-1675. Support for AS-Pathlimit has been removed with this release. 

GLSA Vote: no.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2011-04-04 22:34:41 UTC
Vote: YES, Denial of Service in a BGP deamon = big impact...
Comment 15 Oleg Gawriloff 2011-05-12 12:08:55 UTC
Created attachment 272925 [details]
realms patch adopted to 0.99.18
Comment 16 Oleg Gawriloff 2011-05-12 12:10:01 UTC
Created attachment 272927 [details]
ebuild with realms patch

Q&A warning about unknown configure option --enable-realms exists, although working as intended. Don't know how suppress this warning.
Comment 17 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-08 13:14:57 UTC
GLSA together with bug 334303, 359903 and 384651
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 18:44:22 UTC
This issue was resolved and addressed in
 GLSA 201202-02 at
by GLSA coordinator Tim Sammut (underling).