On Fri, 08 May 2026 20:31:37 +0200 Salvatore Bonaccorso <[email protected]> wrote:
> The following vulnerability was published for gobgp.
>
> CVE-2026-42285[0]:
> | GoBGP is an open source Border Gateway Protocol (BGP) implementation
> | in the Go Programming Language. In version 4.4.0, an unauthenticated
> | remote BGP peer can trigger a fatal panic in GoBGP by sending a
> | specially crafted BGP UPDATE message. When the server receives a
> | message with inconsistent attribute lengths, it improperly handles
> | the internal state transition to a "withdraw" action, leading to a
> | nil pointer dereference in the AdjRib.Update function. This causes
> | the entire GoBGP process to crash, resulting in a complete loss of
> | service availability. This issue has been patched in version 4.5.0.
Funny timing, as I just pushed an update for gobgp earlier today. :) I didn't see any mention of security fixes in the 4.5.0 release changelog, but do see three CVEs published by the project (all fixed now in sid); I'll update the package's d/changelog to add them with the next upload of gobgp.

Mathias
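The advisory above turns on one parsing property: every length field inside a BGP UPDATE must agree with the bytes actually present before any routing decision (accept, or treat the announced prefixes as withdrawn) is taken. The following Go program is an added illustration of that check and is not GoBGP's code, nor the fix shipped in 4.5.0; it parses the UPDATE body layout defined in RFC 4271 section 4.3 (withdrawn routes length, withdrawn routes, total path attribute length, path attributes, NLRI), cross-checks the per-attribute lengths against the enclosing total, and returns an error value instead of indexing past the end of the message. The two sample bodies (`GoodUpdate`, `BadUpdate`) are constructed for the example and were not captured from any real peer; the function names and the `ErrMalformedUpdate` sentinel are the example's own choices.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrMalformedUpdate is returned for any length field that disagrees with
// the bytes actually present in the message (name chosen for this example).
var ErrMalformedUpdate = errors.New("malformed BGP UPDATE")

// PathAttr is one parsed path attribute (RFC 4271 section 4.3).
type PathAttr struct {
	Flags    byte
	TypeCode byte
	Value    []byte
}

// ParseUpdateBody parses an UPDATE body (everything after the 19-byte BGP
// header) and checks every declared length against the bytes present:
//
//	Withdrawn Routes Length (2) | Withdrawn Routes | Total Path Attribute
//	Length (2) | Path Attributes | NLRI
//
// Any inconsistency is reported as an error; nothing is ever indexed past
// the end of the slice, so the caller decides what to do with a bad message
// on the basis of an error value, not of a half-initialised result.
func ParseUpdateBody(body []byte) (withdrawn []byte, attrs []PathAttr, nlri []byte, err error) {
	if len(body) < 4 {
		return nil, nil, nil, fmt.Errorf("%w: body is %d bytes, need at least 4", ErrMalformedUpdate, len(body))
	}
	wl := int(binary.BigEndian.Uint16(body[0:2]))
	off := 2 + wl
	if off+2 > len(body) {
		return nil, nil, nil, fmt.Errorf("%w: withdrawn routes length %d exceeds message", ErrMalformedUpdate, wl)
	}
	withdrawn = body[2:off]
	tpal := int(binary.BigEndian.Uint16(body[off : off+2]))
	off += 2
	if off+tpal > len(body) {
		return nil, nil, nil, fmt.Errorf("%w: total path attribute length %d exceeds message", ErrMalformedUpdate, tpal)
	}
	attrs, err = parseAttrs(body[off : off+tpal])
	if err != nil {
		return nil, nil, nil, err
	}
	return withdrawn, attrs, body[off+tpal:], nil
}

// parseAttrs walks the path attribute block. Each attribute carries its own
// length (1 byte, or 2 bytes when the Extended Length flag 0x10 is set); the
// attributes must fit exactly inside the Total Path Attribute Length, which
// is the consistency this loop enforces.
func parseAttrs(b []byte) ([]PathAttr, error) {
	var out []PathAttr
	for len(b) > 0 {
		if len(b) < 3 {
			return nil, fmt.Errorf("%w: %d trailing bytes cannot hold an attribute header", ErrMalformedUpdate, len(b))
		}
		flags, code := b[0], b[1]
		hdr, length := 3, int(b[2])
		if flags&0x10 != 0 {
			if len(b) < 4 {
				return nil, fmt.Errorf("%w: truncated extended-length attribute header", ErrMalformedUpdate)
			}
			hdr, length = 4, int(binary.BigEndian.Uint16(b[2:4]))
		}
		if hdr+length > len(b) {
			return nil, fmt.Errorf("%w: attribute type %d declares %d value bytes but only %d remain",
				ErrMalformedUpdate, code, length, len(b)-hdr)
		}
		out = append(out, PathAttr{Flags: flags, TypeCode: code, Value: b[hdr : hdr+length]})
		b = b[hdr+length:]
	}
	return out, nil
}

// Constructed sample bodies for this example (not captured from a real session).
// GoodUpdate: no withdrawals, one ORIGIN attribute (type 1, value IGP), NLRI 10.0.0.0/24.
var GoodUpdate = []byte{
	0x00, 0x00, // Withdrawn Routes Length = 0
	0x00, 0x04, // Total Path Attribute Length = 4
	0x40, 0x01, 0x01, 0x00, // ORIGIN: flags, type, length=1, value=IGP
	0x18, 0x0a, 0x00, 0x00, // NLRI: prefix length 24, 10.0.0
}

// BadUpdate: the same frame, except the ORIGIN attribute claims 16 value
// bytes while the enclosing Total Path Attribute Length still says 4.
var BadUpdate = []byte{
	0x00, 0x00,
	0x00, 0x04,
	0x40, 0x01, 0x10, 0x00,
	0x18, 0x0a, 0x00, 0x00,
}

func main() {
	samples := []struct {
		name string
		body []byte
	}{{"good", GoodUpdate}, {"bad", BadUpdate}}
	for _, s := range samples {
		_, attrs, nlri, err := ParseUpdateBody(s.body)
		if err != nil {
			fmt.Printf("%s: rejected: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%s: %d attribute(s), %d NLRI byte(s)\n", s.name, len(attrs), len(nlri))
	}
}
```

Whether a rejected message should reset the session or be handled as "treat-as-withdraw" (the RFC 7606 error-handling choices) is a policy decision for the layer above the parser; the point of the example is that the decision is made on a well-defined error, with no partially built route object reaching the RIB update path.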