-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : quagga
Version        : 0.99.22.4-1+wheezy3
CVE ID         : CVE-2016-4036 CVE-2016-4049
Debian Bug     : 835223, 822787

The quagga package installs world-readable sensitive files in /etc/quagga,
and might be subject to denial of service because of lacking packet size
checks.

CVE-2016-4036

    The quagga package before 0.99.23-2.6.1 uses weak permissions for
    /etc/quagga, which allows local users to obtain sensitive information
    by reading files in the directory.

CVE-2016-4049

    The bgp_dump_routes_func function in bgpd/bgp_dump.c in Quagga does not
    perform size checks when dumping data, which might allow remote
    attackers to cause a denial of service (assertion failure and daemon
    crash) via a large BGP packet.

For Debian 7 "Wheezy", these problems have been fixed in version
0.99.22.4-1+wheezy3.

We recommend that you upgrade your quagga packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJXwbFMAAoJEKyQrD7FJAZemlkP/071gHbOvL+/EnP3w5gI0+/F
U5D415WvPbI9oR8b5igd4LHdVKs22tKlPkJ1jHEghsGQFg4VehudVH4GqsKeV+6X
XwHCYdH6pPBtxey1yd+qY94ZfeaoK2ko9FiIspxrtuu1V48n4fGkrRuOToq6Z1Yw
+zlGnYOgkTtAck8J2uI7G1heXkVeLBw4msmXZRMyhh+Tx75DGIqvbdwGa8ahPI7w
ZNFhhcTmYTNJquA8gTPXRCtmDwcVIcnkMJzlo0BOdTTAL7SFdkcNIlAMCz5OWwFi
osnnBVd8zCOqjrOx0YhiljX7XGxpoYLjuBXOlcFjuwT0MXgMp5Yr1I4MZTaG7ynb
ARgnhyzZ1fp0lj3r+vlZqThCiu89aUlBc1msqJNS7IptCDaIQ+IuM7v7/yMeDB/y
Olb4YKkKf6BZojjU6A1MW7KTMzNqbFK/zuV8sO8Vbgm6zxxQyWFC8Npb/nDdGTML
ZpPYmMCsKwhwcMujAsbD7afPol9eUMIvLaLx4/L40SfMOeuTomaUJH7BuMi6N/Lk
ugWe0+vKkWEY/qhQLvNGVTxnutqZ81bXQI7l+MSYNDhReZmKz2akUEr0j7/3ZODH
BTWwCiDo+IIWi+M2LaLrdL5r8gxC6vz3n6u43/dDkYoIpU7RFmRHh/NghBP+7v0t
54gUBa2NBrhSEcIEFE5U
=n5Oq
-----END PGP SIGNATURE-----
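The following POSIX shell script is an added example, not part of this advisory or of the quagga package. It checks a configuration directory for the CVE-2016-4036 condition (regular files whose mode grants read access to "other") and strips that access. The sample tree, its file names and the credentials written into it are constructed so the script runs offline; the target modes of 0750 for the directory and 0640 for its files are an assumed hardening baseline, not a statement of what the Debian package sets, and ownership is left to local policy.

```shell
#!/bin/sh
# Added example (not from the Debian advisory or the quagga project).
# Audit a quagga-style configuration directory for world-readable files
# and remove "other" access. The real target is /etc/quagga; a
# constructed sample tree is used here so nothing on the host is touched.

# Print every regular file under $1 whose mode includes read for "other".
# Exit status: 0 if none were found, 1 if at least one was.
list_world_readable() {
    dir=$1
    # -perm -004: all of the given bits (o+r) must be set
    bad=$(find "$dir" -type f -perm -004)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Number of world-readable regular files under $1, as a plain integer.
count_world_readable() {
    find "$1" -type f -perm -004 | wc -l | tr -d ' '
}

# Remove all "other" access: 0750 on the directory, 0640 on each file.
# (Assumed baseline; ownership such as the quagga user/group is left to
# local policy.)
harden_dir() {
    dir=$1
    chmod 0750 "$dir"
    find "$dir" -type f -exec chmod 0640 {} +
}

# Build a constructed sample tree mimicking a pre-fix /etc/quagga:
# daemon configs holding credentials, left world-readable (0644).
# Prints the directory path.
make_sample_tree() {
    tmp=$(mktemp -d)
    printf 'password zebra\nenable password zebra\n' > "$tmp/zebra.conf"
    printf 'router bgp 65000\n neighbor 192.0.2.1 password s3cret\n' \
        > "$tmp/bgpd.conf"
    chmod 0644 "$tmp"/*.conf   # the weak mode the advisory describes
    chmod 0755 "$tmp"
    printf '%s\n' "$tmp"
}

# Demonstration run: show the problem, fix it, show the result.
demo=$(make_sample_tree)
echo "World-readable files before hardening:"
list_world_readable "$demo" || true
harden_dir "$demo"
echo "World-readable files after hardening: $(count_world_readable "$demo")"
rm -rf "$demo"
```

To run the audit against the real directory, call `list_world_readable /etc/quagga` as root and only then `harden_dir /etc/quagga`; on a Wheezy host, `dpkg -s quagga | grep '^Version'` shows whether 0.99.22.4-1+wheezy3 is installed.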
