Hi Mathias,

On Fri, May 08, 2026 at 11:27:16PM +0000, Mathias Gibbens wrote:
> On Fri, 08 May 2026 20:31:37 +0200 Salvatore Bonaccorso <[email protected]>
> wrote:
> > The following vulnerability was published for gobgp.
> >
> > CVE-2026-42285[0]:
> > | GoBGP is an open source Border Gateway Protocol (BGP) implementation
> > | in the Go Programming Language. In version 4.4.0, an unauthenticated
> > | remote BGP peer can trigger a fatal panic in GoBGP by sending a
> > | specially crafted BGP UPDATE message. When the server receives a
> > | message with inconsistent attribute lengths, it improperly handles
> > | the internal state transition to a "withdraw" action, leading to a
> > | nil pointer dereference in the AdjRib.Update function. This causes
> > | the entire GoBGP process to crash, resulting in a complete loss of
> > | service availability. This issue has been patched in version 4.5.0.
>
> Funny timing, as I just pushed an update for gobgp earlier today. :)
>
> I didn't see any mention of security fixes in the 4.5.0 release
> changelog, but do see three CVEs published by the project (all fixed
> now in sid); I'll update the package's d/changelog to add them with the
> next upload of gobgp.
No worries, it was just a lucky race between you uploading and me filing the bug. It is enough for us; I have already tracked the fixed version accordingly in the security-tracker.

Regards,
Salvatore

