906116 – (CVE-2023-31489, CVE-2023-31490) <net-misc/frr-9.0: multiple vulnerabilities

Bug 906116 (CVE-2023-31489, CVE-2023-31490) - <net-misc/frr-9.0: multiple vulnerabilities

Summary: <net-misc/frr-9.0: multiple vulnerabilities

Status:	IN_PROGRESS

Alias:	CVE-2023-31489, CVE-2023-31490

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa?]
Keywords:

Depends on:
Blocks:

Reported:	2023-05-11 04:51 UTC by John Helmert III
Modified:	2023-12-27 00:22 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2023-05-11 04:51:37 UTC

CVE-2023-31490 (https://github.com/FRRouting/frr/issues/13099):

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function.

Patch: https://github.com/FRRouting/frr/commit/44e90d5521c438b0dade42a3810cdb0d5d0479fc

CVE-2023-31489 (https://github.com/FRRouting/frr/issues/13098):

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_capability_llgr() function.

Patch: https://github.com/FRRouting/frr/commit/b1d33ec293e8e36fbb8766252f3b016d268e31ce

Patches are unreleased.

Comment 1 John Helmert III archtester

2023-11-05 17:18:14 UTC

These seem to be in 9.0.

Comment 2 Alarig Le Lay 2023-11-10 08:12:42 UTC

Hello,

We don’t have 8.4 in the tree, the lowest version is 8.5. Just to be sure, I tried to apply those patches but they are rejected.