Your message dated Sun, 27 Mar 2016 19:47:07 +0000
with message-id <[email protected]>
and subject line Bug#819179: fixed in quagga 0.99.23.1-1+deb8u1
has caused the Debian Bug report #819179,
regarding quagga: CVE-2016-2342
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
819179: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819179
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: quagga
Version: 0.99.22.4-1
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for quagga.

CVE-2016-2342[0]:
| The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in the VPNv4 NLRI
| parser in bgpd in Quagga before 1.0.20160309, when a certain VPNv4
| configuration is used, relies on a Labeled-VPN SAFI routes-data length
| field during a data copy, which allows remote attackers to execute
| arbitrary code or cause a denial of service (stack-based buffer
| overflow) via a crafted packet.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-2342
[1] http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=a3bc7e9400b214a0f078fdb19596ba54214a1442

Regards,
Salvatore

--- End Message ---
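
The CVE text above describes a copy sized by a length field taken from the packet. The following is an added example, not Quagga's code and not the upstream patch: a stand-alone parser for one VPNv4 NLRI entry (length octet in bits, 3-byte label, 8-byte route distinguisher, IPv4 prefix) that bounds the length before any copy. The struct and function names are hypothetical and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VPN_HDR_BITS  88   /* 24-bit label + 64-bit route distinguisher */
#define IPV4_MAX_BITS 32

struct vpnv4_route {       /* hypothetical type for this example */
    uint8_t label[3];
    uint8_t rd[8];
    uint8_t prefix[4];     /* IPv4 prefix bytes, zero padded */
    uint8_t prefix_bits;   /* IPv4 prefix length, 0..32 */
};

/* Parse one entry from buf[0..len). Returns bytes consumed, or -1 if the
 * length octet is out of range or claims more data than the packet holds. */
int parse_vpnv4_entry(const uint8_t *buf, size_t len, struct vpnv4_route *out)
{
    if (len < 1)
        return -1;
    unsigned bits = buf[0];             /* length octet comes from the peer */
    size_t psize = (bits + 7) / 8;      /* bytes that follow the octet */

    /* Copying psize bytes without these two checks is the bug class:
     * bits can be up to 255, far more than the 4-byte prefix field holds. */
    if (bits < VPN_HDR_BITS || bits > VPN_HDR_BITS + IPV4_MAX_BITS)
        return -1;
    if (psize > len - 1)
        return -1;

    memset(out, 0, sizeof *out);
    memcpy(out->label, buf + 1, sizeof out->label);
    memcpy(out->rd, buf + 4, sizeof out->rd);
    memcpy(out->prefix, buf + 12, psize - 11);   /* at most 4 bytes here */
    out->prefix_bits = (uint8_t)(bits - VPN_HDR_BITS);
    return (int)(1 + psize);
}

int main(void)
{
    /* Constructed sample: /24 prefix 10.1.2.0, label and RD are dummy bytes. */
    const uint8_t ok[] = { 112, 0,0,1, 0,0,0,1,0,0,0,1, 10,1,2 };
    uint8_t bad[33] = { 255 };          /* constructed: length octet 255 */
    struct vpnv4_route r;
    printf("ok=%d bad=%d\n", parse_vpnv4_entry(ok, sizeof ok, &r),
           parse_vpnv4_entry(bad, sizeof bad, &r));
    return 0;
}
```
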
--- Begin Message ---
Source: quagga
Source-Version: 0.99.23.1-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 24 Mar 2016 16:26:12 +0100
Source: quagga
Binary: quagga quagga-dbg quagga-doc
Architecture: all source
Version: 0.99.23.1-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Christian Hammers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 819179
Description: 
 quagga     - BGP/OSPF/RIP routing daemon
 quagga-dbg - BGP/OSPF/RIP routing daemon (debug symbols)
 quagga-doc - documentation files for quagga
Changes:
 quagga (0.99.23.1-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2016-2342: VPNv4 NLRI parser memcpys to stack on unchecked length
     (Closes: #819179)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---
