Your message dated Sat, 09 Mar 2024 00:04:55 +0000
with message-id <[email protected]>
and subject line Bug#1065144: fixed in frr 9.1-0.1
has caused the Debian Bug report #1065144,
regarding frr: CVE-2024-27913
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1065144: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065144
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: frr
Version: 8.4.4-1.1
Severity: important
Tags: security upstream
Forwarded: https://github.com/FRRouting/frr/pull/15431
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for frr.

CVE-2024-27913[0]:
| ospf_te_parse_te in ospfd/ospf_te.c in FRRouting (FRR) through 9.1
| allows remote attackers to cause a denial of service (ospfd daemon
| crash) via a malformed OSPF LSA packet, because of an attempted
| access to a missing attribute field.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27913
    https://www.cve.org/CVERecord?id=CVE-2024-27913
[1] https://github.com/FRRouting/frr/pull/15431
[2] https://github.com/FRRouting/frr/commit/aae54e20498974cb026bd0e2649ca3e753090492

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
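The fault class the CVE text above describes, a TLV parser that reads an attribute field before confirming the bytes for it are actually present, is guarded against by checking the remaining length at every level of nesting and by treating a missing mandatory sub-TLV as a parse error rather than reading uninitialised data. The block below is an added example written for this page; it is not FRR's ospf_te_parse_te nor the upstream fix. It uses a simplified RFC 3630-style Link TLV carrying Link Type and Link ID sub-TLVs, constructed sample buffers, and hypothetical names (te_parse_link, struct te_link, the TE_* constants and error codes).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical TE Link TLV parser, constructed for this example (not FRR
 * code). TLV shape follows RFC 3630: 2-byte type, 2-byte length, value
 * padded to a 4-byte boundary; sub-TLVs nested in the Link TLV use the
 * same shape. */
#define TLV_HDR_LEN   4
#define TLV_ROUND4(n) ((((size_t)(n)) + 3u) & ~(size_t)3u)

#define TE_TLV_LINK         2  /* Link TLV (RFC 3630 section 2.4.2)   */
#define TE_SUBTLV_LINK_TYPE 1  /* Link Type sub-TLV, 1-byte value     */
#define TE_SUBTLV_LINK_ID   2  /* Link ID sub-TLV, 4-byte value       */

enum te_parse_rc {
    TE_OK = 0,
    TE_ERR_TRUNCATED = -1, /* a header or value runs past the buffer  */
    TE_ERR_BAD_LEN   = -2, /* a known sub-TLV has the wrong length    */
    TE_ERR_MISSING   = -3  /* a mandatory sub-TLV (or Link TLV) absent */
};

struct te_link {
    uint8_t  link_type;
    uint32_t link_id;
    int      have_type, have_id;
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse a TE LSA body (sequence of top-level TLVs) and fill *out from the
 * first Link TLV. Every header and value read is preceded by a check that
 * enough bytes remain, so a truncated packet or a lying length field is
 * rejected instead of being read past the end of the buffer. */
int te_parse_link(const uint8_t *buf, size_t len, struct te_link *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);

    while (off < len) {
        if (len - off < TLV_HDR_LEN)
            return TE_ERR_TRUNCATED;
        uint16_t type = rd16(buf + off), vlen = rd16(buf + off + 2);
        size_t body = off + TLV_HDR_LEN;
        if (TLV_ROUND4(vlen) > len - body)
            return TE_ERR_TRUNCATED;

        if (type == TE_TLV_LINK) {
            size_t sub = body, end = body + vlen;
            while (sub < end) {
                if (end - sub < TLV_HDR_LEN)
                    return TE_ERR_TRUNCATED;
                uint16_t stype = rd16(buf + sub), slen = rd16(buf + sub + 2);
                size_t sbody = sub + TLV_HDR_LEN;
                if (TLV_ROUND4(slen) > end - sbody)
                    return TE_ERR_TRUNCATED;

                if (stype == TE_SUBTLV_LINK_TYPE) {
                    if (slen != 1) return TE_ERR_BAD_LEN;
                    out->link_type = buf[sbody];
                    out->have_type = 1;
                } else if (stype == TE_SUBTLV_LINK_ID) {
                    if (slen != 4) return TE_ERR_BAD_LEN;
                    out->link_id = rd32(buf + sbody);
                    out->have_id = 1;
                }
                /* unknown sub-TLVs are skipped by their (validated) length */
                sub = sbody + TLV_ROUND4(slen);
            }
            /* Link Type and Link ID are mandatory: refuse to report a link
             * whose fields were never set rather than use them. */
            if (!out->have_type || !out->have_id)
                return TE_ERR_MISSING;
            return TE_OK;
        }
        off = body + TLV_ROUND4(vlen);
    }
    return TE_ERR_MISSING;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] = {
    0x00,0x02, 0x00,0x10,                       /* Link TLV, 16 bytes   */
    0x00,0x01, 0x00,0x01, 0x02,0x00,0x00,0x00,  /* Link Type = 2 (+pad) */
    0x00,0x02, 0x00,0x04, 0x0A,0x00,0x00,0x01   /* Link ID = 10.0.0.1   */
};
static const uint8_t SAMPLE_NO_ID[] = {        /* Link ID sub-TLV absent */
    0x00,0x02, 0x00,0x08,
    0x00,0x01, 0x00,0x01, 0x02,0x00,0x00,0x00
};
static const uint8_t SAMPLE_LYING_LEN[] = {    /* sub-TLV claims 9 bytes */
    0x00,0x02, 0x00,0x08,
    0x00,0x01, 0x00,0x09, 0x02,0x00,0x00,0x00
};

int main(void)
{
    struct te_link l;
    printf("good: %d\n",      te_parse_link(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &l));
    printf("truncated: %d\n", te_parse_link(SAMPLE_GOOD, 16, &l));
    printf("no id: %d\n",     te_parse_link(SAMPLE_NO_ID, sizeof SAMPLE_NO_ID, &l));
    printf("lying: %d\n",     te_parse_link(SAMPLE_LYING_LEN, sizeof SAMPLE_LYING_LEN, &l));
    return 0;
}
```

The three rejected inputs cover the distinct ways a length-driven parser can be led to read a field that is not there: the packet ends before the declared TLV does, a sub-TLV declares more bytes than its parent has left, and a mandatory sub-TLV is simply absent. Each is caught before any read, which is the property a daemon exposed to unauthenticated LSAs needs.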
--- Begin Message ---
Source: frr
Source-Version: 9.1-0.1
Done: Daniel Baumann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
frr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <[email protected]> (supplier of updated frr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 Mar 2024 23:21:21 +0100
Source: frr
Architecture: source
Version: 9.1-0.1
Distribution: unstable
Urgency: high
Maintainer: David Lamparter <[email protected]>
Changed-By: Daniel Baumann <[email protected]>
Closes: 1042473 1044470 1055852 1065144
Changes:
 frr (9.1-0.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * New upstream release (Closes: #1042473, #1055852):
     - CVE-2023-3748: parsing certain babeld unicast hello messages that are
       intended to be ignored. This issue may allow an attacker to send specially
       crafted hello messages with the unicast flag set, the interval field set
       to 0, or any TLV that contains a sub-TLV with the Mandatory flag set to
       enter an infinite loop and cause a denial of service.
     - CVE-2023-38407: bgpd/bgp_label.c attempts to read beyond the end of the
       stream during labeled unicast parsing.
     - CVE-2023-41361: bgpd/bgp_open.c does not check for an overly large
       length of the rcv software version.
     - CVE-2023-46752: It mishandles malformed MP_REACH_NLRI data, leading to a
       crash.
     - CVE-2023-46753: A crash can occur for a crafted BGP UPDATE message
       without mandatory attributes, e.g., one with only an unknown transit
       attribute.
     - CVE-2023-47234: A crash can occur when processing a crafted BGP UPDATE
       message with a MP_UNREACH_NLRI attribute and additional NLRI data (that
       lacks mandatory path attributes).
     - CVE-2023-47235: A crash can occur when a malformed BGP UPDATE message
       with an EOR is processed, because the presence of EOR does not lead to a
       treat-as-withdraw outcome.
   * Updating patches:
     - removing CVE-2023-38802.patch, included upstream.
     - removing CVE-2023-41358.patch, included upstream.
     - removing CVE-2023-41360.patch, included upstream.
     - removing unapplied CVE-2023-41361.patch, included upstream.
     - adding CVE-2024-27913.patch from upstream:
       ospf_te_parse_te in ospfd/ospf_te.c allows remote attackers to cause a
       denial of service (ospfd daemon crash) via a malformed OSPF LSA packet,
       because of an attempted access to a missing attribute field (Closes:
       #1065144).
   * Updating build-depends:
     - adding now required protobuf-c-compiler to build-depends.
     - adding now required libprotobuf-c-dev to build-depends.
     - adding new libmgmt_be_nb.so to frr.install.
     - removing obsolete lsb-base.
     - preferring new pkgconf over old pkg-config.
   * Updating override_dh_auto_clean to fix FTBFS when built twice in a row
     (Closes: #1044470):
     - call dh_auto_clean which is safe to run now.
     - remove tests/.pytest_cache.
   * Removing obsolete doc-base.
Checksums-Sha1:
 fa8ccd2fbde1dd12bd2b9b75a6b1e73c429a5755 2734 frr_9.1-0.1.dsc
 b96093130eb27fd472e03a7fda3613f080dc6e99 8231024 frr_9.1.orig.tar.xz
 c0d3f1806539be400ea783f3d35f3967a530216d 32564 frr_9.1-0.1.debian.tar.xz
 f84ba762264d886a4458615178dc7c5a16794242 11698 frr_9.1-0.1_amd64.buildinfo
Checksums-Sha256:
 fe61b7fc08e26ed1ed0555e5a41986a8c23a2d0014f048bd62659cfe683a6f86 2734 frr_9.1-0.1.dsc
 da24cc625121f7f215cc2c57dfb491266f7634b0b50422f8911bb0c44e812e60 8231024 frr_9.1.orig.tar.xz
 0f6e95c12ddb133d420eabab1bf5bff2f001edec7473ea3a635887a02b113e24 32564 frr_9.1-0.1.debian.tar.xz
 012b55f3fad830c07c6ddf3a05b96948b31a7e76fc6df42a97812059b28449be 11698 frr_9.1-0.1_amd64.buildinfo
Files:
 5b55fe3b9eb1abc04d1ce0155fc0cbc3 2734 net optional frr_9.1-0.1.dsc
 f87041fcdbcaa3663df69a9425f97876 8231024 net optional frr_9.1.orig.tar.xz
 348a84a902d34edb280f6c83a4ba61db 32564 net optional frr_9.1-0.1.debian.tar.xz
 8e99cdb7bc0b4d41ebe78090d829b0ce 11698 net optional frr_9.1-0.1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
