CVE-2021-26928: BIRD through 2.0.7 does not provide functionality for password authentication of BGP peers. Because of this, products that use BIRD (which may, for example, include Tigera products in some configurations, as well as products of other vendors) may have been susceptible to route redirection for Denial of Service and/or Information Disclosure. NOTE: a researcher has asserted that the behavior is within Tigera’s area of responsibility; however, Tigera disagrees.
This is nonsense. Somebody involved in this CVE did not do their homework properly. BIRD supports TCP MD5 auth for BGP since ~14 years ago: https://gitlab.nic.cz/labs/bird/-/commit/d51aa2819005a03e4cfb6f62333be6ccadfb3c06
Yes, it does not seem to be correct, see also this thread https://bird.network.cz/pipermail/bird-users/2023-March/016761.html which appeared on the list today.
Petr: Is there a fix in bird-2.0.8? Or is the CVE invalid? We don't have to track it here if it's bogus.
It is bogus. Upstream will submit a request to reject this CVE [1]. [1] http://trubka.network.cz/pipermail/bird-users/2023-March/016766.html
The CVE is DISPUTED by upstream which claims that the functionality was added in 1.0.12 [1]. [1] http://trubka.network.cz/pipermail/bird-users/2023-March/016763.html