Source: gobgp Version: 4.4.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for gogbp. CVE-2026-42285[0]: | GoBGP is an open source Border Gateway Protocol (BGP) implementation | in the Go Programming Language. In version 4.4.0, an unauthenticated | remote BGP peer can trigger a fatal panic in GoBGP by sending a | specially crafted BGP UPDATE message. When the server receives a | message with inconsistent attribute lengths, it improperly handles | the internal state transition to a "withdraw" action, leading to a | nil pointer dereference in the AdjRib.Update function. This causes | the entire GoBGP process to crash, resulting in a complete loss of | service availability. This issue has been patched in version 4.5.0. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-42285 https://www.cve.org/CVERecord?id=CVE-2026-42285 [1] https://github.com/osrg/gobgp/security/advisories/GHSA-p3w2-64xm-833j Please adjust the affected versions in the BTS as needed. Regards, Salvatore
