Hello Quagga maintainers,

Did you notice the following bug which was marked as security relevant? It was filed as #747 in your BTS.

It would be great if you could provide a patch that applies to 0.99.20.1 (for the current Debian stable distribution).

bye,

-christian-

Begin forwarded message:

Date: Tue, 13 Nov 2012 11:27:27 -0700
From: Kurt Seifried <[email protected]>
To: [email protected]
Cc: Jan Lieskovsky <[email protected]>, "Steven M. Christey" <[email protected]>, Denis Ovsienko <[email protected]>, Christian Hammers <[email protected]>, "Dmitry V. Levin" <[email protected]>, Paul Jakma <[email protected]>, Florian Weimer <[email protected]>, "Marco d'Itri" <[email protected]>
Subject: Re: [oss-security] CVE Request -- quagga (ospf6d): Assertion failure when removing routes (retrieving information which route to remove)

On 11/13/2012 07:48 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> Marco d'Itri in Debian bug [1] has reported the following
> deficiency, being present in 0.99.21 and possibly earlier versions
> of the Quagga routing suite:
>
> A denial of service flaw was found in the way Quagga's ospf6d
> daemon performed routes removal. In certain circumstances when
> removing the route the ospf6d daemon terminated with assertion
> failure when trying to determine / find, which route to remove. An
> OSPF6 router could use this flaw to cause ospf6d on an adjacent
> router to abort.
>
> References: [1]
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693102 [2]
> https://bugzilla.redhat.com/show_bug.cgi?id=876197
>
> Upstream bug report: [3]
> https://bugzilla.quagga.net/show_bug.cgi?id=747
>
> Could you allocate a CVE id for this?
>
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
>

Please use CVE-2012-5521 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

