Your message dated Thu, 28 Nov 2013 22:17:20 +0000
with message-id <e1vm9tg-0001az...@franck.debian.org>
and subject line Bug#730513: fixed in quagga 0.99.22.4-1+wheezy1
has caused the Debian Bug report #730513,
regarding CVE-2013-6051 - bgpd crash on valid BGP updates
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
730513: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730513
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: quagga
Severity: grave
Tags: security
Version: 0.99.21-4+wheezy1

CVE-2013-6051 was assigned to this issue. DSA is coming soon.

Best Regards

-christian-

On Tue, 19 Nov 2013 16:25:27 +0100 David Lamparter <equi...@opensourcerouting.org> wrote:
> Note that 0.99.21 has another open issue that I don't see the fix for
> in the Debian package, being
> http://git.savannah.gnu.org/gitweb/?p=quagga.git;a=commitdiff;h=8794e8d229dc9fe29ea31424883433d4880ef408
> which can crash bgpd on receiving normal, valid BGP updates. (No idea
> if it's exploitable.) There is no CVE number for this, the severity
> was only discovered after 0.99.22, containing the fix, was already
> out. 0.99.20 is not affected.

signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: quagga
Source-Version: 0.99.22.4-1+wheezy1

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 730...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <c...@debian.org> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 26 Nov 2013 00:32:42 +0100
Source: quagga
Binary: quagga quagga-dbg quagga-doc
Architecture: source amd64 all
Version: 0.99.22.4-1+wheezy1
Distribution: stable-security
Urgency: high
Maintainer: Christian Hammers <c...@debian.org>
Changed-By: Christian Hammers <c...@debian.org>
Description: 
 quagga     - BGP/OSPF/RIP routing daemon
 quagga-dbg - BGP/OSPF/RIP routing daemon (debug symbols)
 quagga-doc - documentation files for quagga
Closes: 681088 687124 690013 694852 710147 726724 730513
Changes: 
 quagga (0.99.22.4-1+wheezy1) stable-security; urgency=high
 .
   * SECURITY: CVE-2013-6051 - a bug in Quagga 0.99.21 that could let bgpd
     crash on receiving normal, valid BGP updates. Closes: #730513
 .
 quagga (0.99.22.4-1) unstable; urgency=high
 .
   * SECURITY: "ospfd: CVE-2013-2236, stack overrun in apiserver
 .
     the OSPF API-server (exporting the LSDB and allowing announcement of
     Opaque-LSAs) writes past the end of fixed on-stack buffers. This leads
     to an exploitable stack overflow.
 .
     For this condition to occur, the following two conditions must be true:
     - Quagga is configured with --enable-opaque-lsa
     - ospfd is started with the "-a" command line option
 .
     If either of these does not hold, the relevant code is not executed and
     the issue does not get triggered." Closes: #726724
   * New upstream release
     - ospfd: protect vs. VU#229804 (malformed Router-LSA)
       (Quagga is said to be non-vulnerable but still adds some protection)
 .
 quagga (0.99.22.1-2) unstable; urgency=low
 .
   * Added autopkgtests (thanks to Yolanda Robla). Closes: #710147
   * Added "status" command to init script (thanks to James Andrewartha).
     Closes: #690013
   * Added "libsnmp-dev" to Build-Deps. They're not needed for the official
     builds but for people who compile Quagga themselves to activate the SNMP
     feature (which for licence reasons cannot be done by Debian).
     (Thanks to Ben Winslow). Closes: #694852
   * Changed watchquagga_options to an array so that quotes can finally be
     used as expected. Closes: #681088
   * Fixed bug that prevented restarting only the watchquagga daemon
     (thanks to Harald Kappe). Closes: #687124
 .
 quagga (0.99.22.1-1) unstable; urgency=low
 .
   * New upstream release
     - ospfd restore nexthop IP for p2p interfaces
     - ospfd: fix LSA initialization for build without opaque LSA
     - ripd: correctly redistribute ifindex routes (BZ#664)
     - bgpd: fix lost passwords of grouped neighbors
   * Removed 91_ld_as_needed.diff as it was found in the upstream source.
 .
 quagga (0.99.22-1) unstable; urgency=low
 .
   * New upstream release.
     - [bgpd] The semantics of default-originate route-map have changed.
       The route-map is now used to advertise the default route
       conditionally. The old behaviour which allowed to set attributes on
       the originated default route is no longer supported.
     - [bgpd] this version of bgpd implements draft-idr-error-handling.
       This was added in 0.99.21 and may not be desirable. If you need a
       version without this behaviour, please use 0.99.20.1.
       There will be a runtime configuration switch for this in future
       versions.
     - [isisd] is in "beta" state.
     - [ospf6d] is in "alpha/experimental" state
     - More changes are documented in the upstream changelog!
   * debian/watch: Adjusted to new savannah.gnu.org site, thanks to
     Bart Martens.
   * debian/patches/99_CVE-2012-1820_bgp_capability_orf.diff removed as
     it's in the changelog.
   * debian/patches/99_distribute_list.diff removed as it's in the
     changelog.
   * debian/patches/10_doc__Makefiles__makeinfo-force.diff removed as it
     was just for Debian woody.
Checksums-Sha1: 
 9f71d94454e158536db8e8cee80e9cd9cc292d6f 1516 quagga_0.99.22.4-1+wheezy1.dsc
 73019bf915ff4fe7cd497f11579c05f35fe09df5 2352406 quagga_0.99.22.4.orig.tar.gz
 f151836b02ac08545f4de2339cabffe8ebb32c74 39757 quagga_0.99.22.4-1+wheezy1.debian.tar.gz
 7bf5f1511d24727c0307e340e8b0e9174f05d50c 1723840 quagga_0.99.22.4-1+wheezy1_amd64.deb
 5076fd8dc65147c51842776777b8933bfd52246c 2527312 quagga-dbg_0.99.22.4-1+wheezy1_amd64.deb
 b5ac416e25f732b77ec1ada0cebac5f2fecdffa7 656250 quagga-doc_0.99.22.4-1+wheezy1_all.deb
Checksums-Sha256: 
 5953f2cc0d7cf8eb73c7d2eec34728735983c0afe66d0196ca372570a6651de5 1516 quagga_0.99.22.4-1+wheezy1.dsc
 cbe48d5cc57bbaa07cfd8362ba598447dc94aa866ddc5794e57172709d36ba79 2352406 quagga_0.99.22.4.orig.tar.gz
 a15a24ea871281abe588830ff5e1828b0ddea7b5e582f1b8180d172be78a28c9 39757 quagga_0.99.22.4-1+wheezy1.debian.tar.gz
 1cf2610d17801d863efcdeddaf93bed6fa4a9289a5897f5e58b56bc447a807e2 1723840 quagga_0.99.22.4-1+wheezy1_amd64.deb
 2da21382eb241b0224e273ea63c76d735c7947d9854b96296634d6701c497caa 2527312 quagga-dbg_0.99.22.4-1+wheezy1_amd64.deb
 fc9dd49c9d755e01ad96688e45815883d822b6baaa1a7460185bea1292d61b89 656250 quagga-doc_0.99.22.4-1+wheezy1_all.deb
Files: 
 de9f16b9374a6b4167b246599712dd23 1516 net optional quagga_0.99.22.4-1+wheezy1.dsc
 27ef98abb1820bae19eb71f631a10853 2352406 net optional quagga_0.99.22.4.orig.tar.gz
 0266632837c85abab719901a734808a4 39757 net optional quagga_0.99.22.4-1+wheezy1.debian.tar.gz
 e088c7c7893e8a1abd1bcd5bb4b77572 1723840 net optional quagga_0.99.22.4-1+wheezy1_amd64.deb
 6b40bc9eb9d00eb7a2a7f34eec311d74 2527312 debug extra quagga-dbg_0.99.22.4-1+wheezy1_amd64.deb
 b9972e2d123a2d9c225bfcca63573c2a 656250 net optional quagga-doc_0.99.22.4-1+wheezy1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iEYEARECAAYFAlKT+l4ACgkQkR9K5oahGOa3rwCgu/31CsDttTdxHGTiU8xwm+/j
tK0AoIQyt1bNAmtyK26GtiZAM4K3PPYM
=sZX6
-----END PGP SIGNATURE-----
--- End Message ---
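The thread names the version the bug was filed against (0.99.21-4+wheezy1) and the version that closes it (0.99.22.4-1+wheezy1). Deciding from a fleet inventory which hosts still need the upload requires Debian version ordering, not string comparison: "0.99.9" sorts lexically after "0.99.22" but is older, and "~" and "+" revision suffixes have special rules. The following is an added example, not code from the bug report, Debian or the quagga project. It reimplements the ordering rules from Debian Policy section 5.6.12 (the algorithm behind dpkg --compare-versions) in pure Python so it runs where dpkg is absent, and it reads package/version pairs in the shape produced by `dpkg-query -W -f='${Package}\t${Version}\n'`. The sample dpkg-query output, the 0.99.9-1 version string and the helper names are constructed for the demo. The ordering answers only "is this string older than the fixed string"; a locally rebuilt or backported package whose version sorts below 0.99.22.4-1+wheezy1 may still carry the upstream fix, so treat a positive result as a prompt to inspect, not as proof of exposure.

```python
import re

# Version named in the close message as carrying the CVE-2013-6051 fix on wheezy.
FIXED_WHEEZY = "0.99.22.4-1+wheezy1"


def _char_order(c):
    """Sort weight of one character inside a non-digit run, as dpkg defines it:
    '~' sorts before everything (even the end of the string, weight 0),
    letters sort by ASCII value, every other character sorts after the letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_part(a, b):
    """Compare two version parts (upstream version or Debian revision).
    Alternates between non-digit runs (compared via _char_order) and digit
    runs (compared numerically, so '9' < '22'). Returns -1, 0 or 1."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            wa = _char_order(na[i]) if i < len(na) else 0
            wb = _char_order(nb[i]) if i < len(nb) else 0
            if wa != wb:
                return -1 if wa < wb else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    The epoch ends at the first ':'; the revision starts at the last '-'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1 as Debian version a is older than, equal to or newer than b
    (the same ordering dpkg --compare-versions applies)."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def needs_update(installed, fixed=FIXED_WHEEZY):
    """True when the installed version sorts before the fixed version."""
    return compare_versions(installed, fixed) < 0


def check_dpkg_output(text, fixed=FIXED_WHEEZY):
    # Input lines look like "package<TAB>version", the output shape of
    # dpkg-query -W -f='${Package}\t${Version}\n'. Returns {pkg: (version, needs_update)}.
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pkg, ver = line.split("\t", 1)
        result[pkg] = (ver, needs_update(ver, fixed))
    return result


# Constructed sample (not real host data): the version the bug was filed
# against, the security upload, and a hypothetical old 0.99.9-1 whose
# string form would mislead a naive lexical comparison.
SAMPLE_DPKG_OUTPUT = (
    "quagga\t0.99.21-4+wheezy1\n"
    "quagga-dbg\t0.99.22.4-1+wheezy1\n"
    "quagga-doc\t0.99.9-1\n"
)

if __name__ == "__main__":
    for pkg, (ver, outdated) in check_dpkg_output(SAMPLE_DPKG_OUTPUT).items():
        print(f"{pkg:12} {ver:24} {'UPDATE NEEDED' if outdated else 'ok'}")
```

On a real wheezy host, pipe the dpkg-query output straight into check_dpkg_output; the epoch, tilde and plus handling matter as soon as backports (1~bpo70+1) or local rebuilds (1+wheezy1+local1) appear in the inventory.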