The latest quagga release fixes a buffer overflow, upstream release notes:
Quagga is a software routing suite that implements numerous routing
protocols for Unix-based platforms. A memcpy function in the VPNv4 NLRI
parser of bgp_mplsvpn.c does not properly check the upper-bound length of
received Labeled-VPN SAFI routes data, which may allow for arbitrary code
execution on the stack. Note that hosts are only vulnerable if bgpd is
running with BGP peers enabled for VPNv4, which is not a default
Author: Sergey Popov <firstname.lastname@example.org>
Date: Wed Mar 16 17:16:51 2016 +0300
net-misc/quagga: version bump
Arches, please test and mark stable =net-misc/quagga-1.0.20160315
Target keywords: alpha amd64 arm hppa ppc sparc x86
Stable on alpha.
Stable for HPPA.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Old vulnerable versions are masked
The ebuilds must be removed from the tree. Please let us know when you can remove them. Thanks.
(In reply to Aaron Bauman from comment #11)
> The ebuilds must be removed from the tree. Please let us know when you can
> remove them. Thanks.
They must not, they should me removed, but until they are not - we can keep them masked per our policy.
I will keep them masked until quagga team will sort out all problems in new releases. In some OSPF configurations new releases of quagga just crashes, no solution provided for now.
This particular bug is about vulnerability in bgpd. I think that it is unreasonable to let OSPF users suffer from regression, because of fixing vulnerability in bgpd, which maybe even not used by them
This issue was resolved and addressed in
GLSA 201610-03 at https://security.gentoo.org/glsa/201610-03
by GLSA coordinator Aaron Bauman (b-man).