Source: frr
Version: 8.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerabilities were published for frr.

CVE-2022-26125[0]:
| Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due
| to wrong checks on the input packet length in isisd/isis_tlvs.c.

CVE-2022-26126[1]:
| Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due
| to the use of strdup with a non-zero-terminated binary string in
| isis_nb_notifications.c.

CVE-2022-26127[2]:
| A buffer overflow vulnerability exists in FRRouting through 8.1.0 due
| to missing a check on the input packet length in the
| babel_packet_examin function in babeld/message.c.

CVE-2022-26128[3]:
| A buffer overflow vulnerability exists in FRRouting through 8.1.0 due
| to a wrong check on the input packet length in the babel_packet_examin
| function in babeld/message.c.

CVE-2022-26129[4]:
| Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due
| to wrong checks on the subtlv length in the functions,
| parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv in
| babeld/message.c.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-26125
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26125
[1] https://security-tracker.debian.org/tracker/CVE-2022-26126
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26126
[2] https://security-tracker.debian.org/tracker/CVE-2022-26127
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26127
[3] https://security-tracker.debian.org/tracker/CVE-2022-26128
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26128
[4] https://security-tracker.debian.org/tracker/CVE-2022-26129
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26129

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
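The five CVEs above share one bug class: a length field taken from the packet is trusted before it is checked against the bytes actually present (for the whole packet, and again for each sub-TLV inside a parent TLV), plus a binary value handed to strdup as if it were NUL-terminated. As an added example, not FRR's isisd or babeld code, the C below shows the checks a TLV walker needs; the 1-byte type / 1-byte length layout, the type codes and the sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical TLV type codes for this example; not FRR's. */
enum { TLV_NAME = 1, TLV_SUBTLVS = 2 };

/* Walks 1-byte type / 1-byte length / value TLVs. Returns the number of
 * TLVs parsed, or -1 if any header or length field would read past the
 * end of the buffer. Nested sub-TLVs are bounded by their parent TLV. */
int parse_tlvs(const uint8_t *pkt, size_t pktlen, char *name_out, size_t name_cap)
{
    size_t off = 0;
    int count = 0;

    if (name_out && name_cap)
        name_out[0] = '\0';
    while (off < pktlen) {
        if (pktlen - off < 2)          /* need the full 2-byte header first */
            return -1;
        uint8_t type = pkt[off], length = pkt[off + 1];
        off += 2;
        if (length > pktlen - off)     /* value must fit in what remains */
            return -1;
        const uint8_t *value = pkt + off;
        if (type == TLV_NAME && name_out && name_cap) {
            /* Binary value, not NUL-terminated: bounded copy plus explicit
             * terminator instead of strdup()/strlen() on the raw bytes. */
            size_t n = length < name_cap - 1 ? length : name_cap - 1;
            memcpy(name_out, value, n);
            name_out[n] = '\0';
        } else if (type == TLV_SUBTLVS) {
            /* Sub-TLVs are parsed against the parent's validated length,
             * never against the remaining length of the whole packet. */
            if (parse_tlvs(value, length, NULL, 0) < 0)
                return -1;
        }
        off += length;                 /* unknown types are skipped by length */
        count++;
    }
    return count;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t sample_ok[] = { TLV_NAME, 3, 'f', 'r', 'r', TLV_SUBTLVS, 4, 9, 2, 0xAA, 0xBB };
static const uint8_t sample_short[] = { TLV_NAME, 10, 'a', 'b' };            /* claims 10 bytes, has 2 */
static const uint8_t sample_bad_sub[] = { TLV_SUBTLVS, 4, 9, 7, 0xAA, 0xBB }; /* sub-TLV claims 7 in a 4-byte parent */
```

The second and third samples are the shapes a fuzzer or a malformed neighbour would produce; both are rejected before any byte past the buffer is touched.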