Errata:
s/Tigera/CyberArk Labs/g
I misread the sources. Thanks to Santiago for correcting me.
Maria
On 3/10/23 00:09, Maria Matejka via Bird-users wrote:
Hello!
In fact, I think that Tigera should have never submitted this CVE as it
makes not sense at all. Adding the fact that nobody from Tigera has ever
reached to us regarding this CVE, this simply isn't a legit CVE.
I'll submit a request to reject this CVE. Thank you for pointing to it.
Maria
On 3/9/23 09:02, Radu CARPA wrote:
Hi,
I allow myself to jump on this discussion.
That CVE report is about attacking a kubernetes cluster running Calico
(see the link in the `References to Advisories, Solutions, and Tools`
section in the NIST CVE). By default, calico doesn't require password
authentication for BGP connections. However, that can be enabled using
the `nodeMeshPassword` on the `BGPConfiguration` resource. It can also
be enabled on peers outside the cluster using the `password` field of
the `BGPPeer` custom resource. I'm not sure if it's possible to enable
it globally for the listening socket though. Moreover, Calico uses a
self-patched, old, version of Bird. I believe 1.6.8.
I "think" that CVE was miss-labeled and shouldn't refer to bird as the
source of the problem.
I personally use Password authentication with bird without issues.
Regard,
Radu
On 3/9/23 08:15, Ondrej Filip wrote:
On 09. 03. 23 5:14, William wrote:
On 09/03/2023 13:41, Robert Scheck wrote:
Hello,
Hi!
with https://bugzilla.redhat.com/show_bug.cgi?id=2176483, Red Hat
pointed
me today to CVE-2021-26928.
https://nvd.nist.gov/vuln/detail/CVE-2021-26928
contains a reference to BIRD 2.0.7, but no link related to BIRD
upstream.
Do you see any chance for some comments on it (at least here)? Not
sure if
MITRE adds it then as references at CVE-2021-26928.
I have a PDF of the Bird help documentation that I saved in 2019
(Fossies) that lists password authentication mechanisms as per
RFC2385 with extra options for BSD systems. I'll defer to the Dev
team on this for the final word, but someone has some crossed wires
here.
Yes, this functionality was added in 1.0.12 (12 Nov 2008). So I do
not understand this CVE.
Ondrej
Thank you.
Regards,
Robert
Regards,
William
