Your message dated Wed, 30 Mar 2016 22:50:48 +0000
with message-id <[email protected]>
and subject line Bug#819179: fixed in quagga 1.0.20160315-1
has caused the Debian Bug report #819179,
regarding quagga: CVE-2016-2342
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
819179: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819179
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: quagga
Version: 0.99.22.4-1
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for quagga.
CVE-2016-2342[0]:
| The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in the VPNv4 NLRI
| parser in bgpd in Quagga before 1.0.20160309, when a certain VPNv4
| configuration is used, relies on a Labeled-VPN SAFI routes-data length
| field during a data copy, which allows remote attackers to execute
| arbitrary code or cause a denial of service (stack-based buffer
| overflow) via a crafted packet.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-2342
[1] http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=a3bc7e9400b214a0f078fdb19596ba54214a1442
Regards,
Salvatore
--- End Message ---
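The failure mode the CVE text above describes, seen from the defensive side, as an added example (not Quagga's code and not the upstream patch): a parser for one labeled VPN-IPv4 NLRI entry that checks the declared bit length against both the fixed-size destination and the bytes left in the packet before any copy. The struct, the function names and the assumed layout (1-byte length in bits, 3-byte label, 8-byte route distinguisher, IPv4 prefix) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example; names and types are hypothetical, not taken from Quagga. */
#define VPN_HDR_BYTES 11                 /* 3-byte label + 8-byte route distinguisher */
#define VPN_HDR_BITS  (VPN_HDR_BYTES * 8)
#define IPV4_MAX_BITS 32

struct vpnv4_route {
    uint8_t label[3];
    uint8_t rd[8];
    uint8_t prefix[4];                   /* fixed-size destination of the copy */
    uint8_t prefix_bits;
};

/* Parse one NLRI entry from buf[0..len). Returns the bytes consumed, or -1 if
 * the declared length disagrees with the packet or with the destination. */
int parse_vpnv4_entry(const uint8_t *buf, size_t len, struct vpnv4_route *out)
{
    if (len < 1)
        return -1;
    unsigned bits = buf[0];              /* length field, sender-controlled */
    if (bits < VPN_HDR_BITS)             /* cannot even hold label + RD */
        return -1;
    if (bits - VPN_HDR_BITS > IPV4_MAX_BITS)   /* would overrun out->prefix */
        return -1;
    size_t psize = (bits + 7) / 8;       /* bytes that follow the length octet */
    if (psize > len - 1)                 /* entry runs past the end of the packet */
        return -1;

    memset(out, 0, sizeof(*out));
    memcpy(out->label, buf + 1, 3);
    memcpy(out->rd, buf + 4, 8);
    memcpy(out->prefix, buf + 1 + VPN_HDR_BYTES, psize - VPN_HDR_BYTES);
    out->prefix_bits = (uint8_t)(bits - VPN_HDR_BITS);
    return (int)(psize + 1);
}

/* Walk a whole NLRI field; returns the route count, or -1 on the first bad entry. */
int count_vpnv4_routes(const uint8_t *buf, size_t len)
{
    int n = 0;
    while (len > 0) {
        struct vpnv4_route r;
        int used = parse_vpnv4_entry(buf, len, &r);
        if (used < 0)
            return -1;
        buf += used; len -= (size_t)used; n++;
    }
    return n;
}
```

Rejecting the whole field on the first inconsistent entry keeps the parser from resynchronising on bytes whose framing it can no longer trust.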
--- Begin Message ---
Source: quagga
Source-Version: 1.0.20160315-1
We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Brunotte <[email protected]> (supplier of updated quagga package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 30 Mar 2016 23:34:33 +0200
Source: quagga
Binary: quagga quagga-dbg quagga-doc
Architecture: source amd64 all
Version: 1.0.20160315-1
Distribution: unstable
Urgency: high
Maintainer: Christian Brunotte <[email protected]>
Changed-By: Christian Brunotte <[email protected]>
Description:
quagga - BGP/OSPF/RIP routing daemon
quagga-dbg - BGP/OSPF/RIP routing daemon (debug symbols)
quagga-doc - documentation files for quagga
Closes: 819179
Changes:
quagga (1.0.20160315-1) unstable; urgency=high
.
* SECURITY:
CVE-2016-2342: VPNv4 NLRI parser memcpys to stack on unchecked length
(Closes: #819179)
* New upstream release
* babeld has been removed from the Quagga upstream project.
There is an implementation available in the Debian "babeld" package.
* Removed no longer recognized configure options: --enable-ospf-te,
--enable-opaque-lsa and --enable-ipv6
* Removed configure options that are now default: --enable-pimd and
--enable-vtysh
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---