Bug 267998 (CVE-2009-1572) - <net-misc/quagga 0.99.11-r1: 4-byte ASNs can overflow variable and crash bgpd (CVE-2009-1572)
Summary: <net-misc/quagga 0.99.11-r1: 4-byte ASNs can overflow variable and crash bgpd...
Status: RESOLVED FIXED
Alias: CVE-2009-1572
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://code.quagga.net/cgi-bin/gitweb...
Whiteboard: ~3 [noglsa]
Keywords:
Duplicates: 268557 268870
Depends on:
Blocks:
Reported: 2009-04-30 14:18 UTC by Tony Vroon (RETIRED)
Modified: 2009-05-07 00:31 UTC (History)
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Tony Vroon (RETIRED) gentoo-dev 2009-04-30 14:18:16 UTC
Please see upstream patch. Specific AS4 prefixes cause the daemon to explode violently. Seen in the field for our deployment.
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2009-05-01 13:36:43 UTC
Could you supply a 0.99.10 & 0.99.11 ebuild update please:
https://www.caputo.com/foss/quagga-0.99.10-BGP-4-byte-ASN-bug-fixes.patch
https://www.caputo.com/foss/quagga-0.99.11-BGP-4-byte-ASN-bug-fixes.patch

(Right now we are unable to use 0.99.11 due to non-functional TCP-MD5, I'll file a separate bug for that if you want)
Comment 2 Alin Năstac (RETIRED) gentoo-dev 2009-05-02 09:44:02 UTC
Fixed in quagga-0.99.11-r1. quagga-0.99.10 has been removed from the tree approx 2 months ago. 

AFAIK, TCP MD5 is supported by upstream:
  "Initial support for TCP-MD5 has been merged. This adds the neighbor ... password command, and some support for setting TCP-MD5 on pure-IPv4 connections on Linux. On Linux systems with IPv6 available, passing the -l 0.0.0.0 argument to bgpd may allow TCP-MD5 support to work. It's not possible at this point to have IPv6 sessions and also use TCP-MD5 on IPv4 sessions. This will hopefully be rectified in a future release."
Can you be more specific?
Comment 3 Tony Vroon (RETIRED) gentoo-dev 2009-05-03 13:17:22 UTC
(In reply to comment #2)
> Fixed in quagga-0.99.11-r1. quagga-0.99.10 has been removed from the tree
> approx 2 months ago. 

We are still running it because of the TCP-MD5 breakage in 0.99.11 though.

> On Linux systems with IPv6 available, passing the -l 0.0.0.0 argument
> to bgpd may allow TCP-MD5 support to work. It's not possible at this point to
> have IPv6 sessions and also use TCP-MD5 on IPv4 sessions. This will hopefully
> be rectified in a future release."

And that would explain the bug we are seeing. On a patched 0.99.10, you can run TCP-MD5 over IPv4 *and* have IPv6 peerings. If you then migrate that working configuration to 0.99.11, any TCP-MD5 IPv4 peers will fail to come up.

> Can you be more specific?

I believe separating out IPv4/IPv6 instances should work around this bug so we can upgrade. Feel free to leave the bug closed as the problem is upstream. Thanks.
Comment 4 Alin Năstac (RETIRED) gentoo-dev 2009-05-04 17:03:01 UTC
*** Bug 268557 has been marked as a duplicate of this bug. ***
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2009-05-05 11:58:03 UTC
Just to confirm what you've posted, two instances of 0.99.11-r1 (one IPv4-only, one IPv6-only) are now running in production, with working TCP-MD5 support on v4.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-05-06 22:18:54 UTC
I guess security never saw this one... I failed at searching for this, because the component was wrong. Please let us know about stuff like this so that we can write GLSAs, if we have to.

Ready to vote, I vote YES.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2009-05-06 22:25:49 UTC
It seems that 0.99.11 never had a stable version...0.98.6-r4 is not affected, right? Then we would not have to decide on a GLSA, can change this to ~3 [noglsa] and close.
Do you plan to stabilize 0.99.11-r1 and remove the old version?
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2009-05-06 22:54:44 UTC
*** Bug 268870 has been marked as a duplicate of this bug. ***
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-05-06 22:55:17 UTC
CVE-2009-1572 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1572):
  The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote
  attackers to cause a denial of service (crash) via an AS path
  containing ASN elements whose string representation is longer than
  expected, which triggers an assert error.

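As an added illustration of the failure mode in the CVE text above (this is constructed example code, not Quagga's source or the upstream patch): a per-ASN string bound derived for 16-bit ASNs (5 digits) is too small once 4-byte ASNs (up to 10 digits) arrive, and failing the single call rather than asserting keeps one bad AS path from taking the whole daemon down. The function names and the sample path are assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A 16-bit ASN prints in at most 5 decimal digits; a 4-byte ASN needs
 * up to 10 (4294967295). Sizing with the old constant is the bug class
 * described in CVE-2009-1572: the text is longer than expected. */
#define ASN16_DIGITS 5
#define ASN32_DIGITS 10

/* Upper bound on bytes for "asn asn ... asn" plus NUL, assuming each
 * ASN renders in at most `digits` characters (hypothetical helper). */
size_t aspath_str_bound(size_t count, unsigned digits)
{
    return count * (digits + 1) + 1;   /* digits + separator each, + NUL */
}

/* Render the path into a buffer sized by the bound above. Returns a
 * malloc'd string, or NULL when the rendered text does not fit. The
 * point is the NULL: a failed estimate is a rejected path, not an
 * assert that crashes bgpd for every peer. */
char *aspath_to_str(const uint32_t *asns, size_t count, unsigned digits)
{
    size_t size = aspath_str_bound(count, digits);
    char *str = malloc(size);
    if (str == NULL)
        return NULL;
    size_t len = 0;
    for (size_t i = 0; i < count; i++) {
        int n = snprintf(str + len, size - len, "%s%" PRIu32,
                         i ? " " : "", asns[i]);
        if (n < 0 || (size_t)n >= size - len) {
            free(str);        /* estimate exceeded: fail this call only */
            return NULL;
        }
        len += (size_t)n;
    }
    return str;
}

int main(void)
{
    /* Constructed sample: two 4-byte ASNs, as on the wire after AS4 support. */
    const uint32_t path[] = { 4200000000u, 65536u };
    char *old = aspath_to_str(path, 2, ASN16_DIGITS);   /* NULL: too small */
    char *fix = aspath_to_str(path, 2, ASN32_DIGITS);   /* "4200000000 65536" */
    printf("16-bit bound: %s\n4-byte bound: %s\n",
           old ? old : "(does not fit)", fix ? fix : "(does not fit)");
    free(old);
    free(fix);
    return 0;
}
```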
Comment 10 Alin Năstac (RETIRED) gentoo-dev 2009-05-06 22:57:58 UTC
0.98 doesn't support 32-bit ASNs, so yeah, it is not affected.

0.99 is marked as testing because upstream keeps this release branch tagged as unstable. Probably they reserve stable tag for the future version 1.0.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-05-06 22:59:22 UTC
CVE-2009-1572 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1572):
  The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote
  attackers to cause a denial of service (crash) via an AS path
  containing ASN elements whose string representation is longer than
  expected, which triggers an assert error.

Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2009-05-06 23:07:14 UTC
Thanks Alin & sorry for the bugspam everyone (and I accidentally sent the CVE info twice), now closing noglsa.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-05-07 00:30:14 UTC
reopening to reassign