Public bug reported:

Upstream: tbd
Debian:   10.0-1
Ubuntu:   8.4.4-1.1ubuntu6


Debian does new releases regularly, so it's likely there will be newer
versions available before Feature Freeze (FF) that we can pick up if this
merge is done later in the cycle.

If it turns out this needs a sync rather than a merge, please change the
tag 'needs-merge' to 'needs-sync', and (optionally) update the title as
desired.

If this merge pulls in a new upstream version, also consider adding an
entry to the Oracular Release Notes:
https://discourse.ubuntu.com/c/release/38


### New Debian Changes ###

frr (10.0-1) unstable; urgency=medium

  * IRDP module is no longer packaged (slated to be removed upstream)
  * added mkdir+chown /var/lib/frr which is now used by FRR
  * sysconfdir and localstatedir configure args are no longer needed
  * NB: refer to never-released 8.5.2-1 changes below!
  * Link libatomic unconditionally (closes: #1067077)
  * known to not build on hppa due to struct.calcsize python exception

 -- David Lamparter <equinox-deb...@diac24.net>  Tue, 30 Apr 2024 19:36:44 +0200

frr (10.0-0.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Linking with atomic like armel to fix FTBFS.

 -- Daniel Baumann <daniel.baum...@progress-linux.org>  Sat, 27 Apr 2024 07:44:24 +0200

frr (10.0-0.1) unstable; urgency=medium

  * Non-maintainer upload.
  * New upstream release.
  * Bumping libyang2 build-depends to required version.
  * Removing CVE-2024-27913.patch, included upstream.
  * Adding now explicit configure flag to keep enabled building zebra_irdp.

 -- Daniel Baumann <daniel.baum...@progress-linux.org>  Sat, 27 Apr 2024 05:46:52 +0200

frr (9.1-0.1) unstable; urgency=high

  * Non-maintainer upload.
  * New upstream release (Closes: #1042473, #1055852):
    - CVE-2023-3748: parsing certain babeld unicast hello messages that are
      intended to be ignored. This issue may allow an attacker to send specially
      crafted hello messages with the unicast flag set, the interval field set
      to 0, or any TLV that contains a sub-TLV with the Mandatory flag set to
      enter an infinite loop and cause a denial of service.
    - CVE-2023-38407: bgpd/bgp_label.c attempts to read beyond the end of the
      stream during labeled unicast parsing.
    - CVE-2023-41361: bgpd/bgp_open.c does not check for an overly large
      length of the rcv software version.
    - CVE-2023-46752: It mishandles malformed MP_REACH_NLRI data, leading to a
      crash.
    - CVE-2023-46753: A crash can occur for a crafted BGP UPDATE message
      without mandatory attributes, e.g., one with only an unknown transit
      attribute.
    - CVE-2023-47234: A crash can occur when processing a crafted BGP UPDATE
      message with a MP_UNREACH_NLRI attribute and additional NLRI data (that
      lacks mandatory path attributes).
    - CVE-2023-47235: A crash can occur when a malformed BGP UPDATE message
      with an EOR is processed, because the presence of EOR does not lead to a
      treat-as-withdraw outcome.
  * Updating patches:
    - removing CVE-2023-38802.patch, included upstream.
    - removing CVE-2023-41358.patch, included upstream.
    - removing CVE-2023-41360.patch, included upstream.
    - removing unapplied CVE-2023-41361.patch, included upstream.
    - adding CVE-2024-27913.patch from upstream:
      ospf_te_parse_te in ospfd/ospf_te.c allows remote attackers to cause a
      denial of service (ospfd daemon crash) via a malformed OSPF LSA packet,
      because of an attempted access to a missing attribute field (Closes:
      #1065144).
  * Updating build-depends:
    - adding now required protobuf-c-compiler to build-depends.
    - adding now required libprotobuf-c-dev to build-depends.
    - adding new libmgmt_be_nb.so to frr.install.
    - removing obsolete lsb-base.
    - preferring new pkgconf over old pkg-config.
  * Updating override_dh_auto_clean to fix FTBFS when built twice in a row
    (Closes: #1044470):
    - call dh_auto_clean which is safe to run now.
    - remove tests/.pytest_cache.
  * Removing obsolete doc-base.

 -- Daniel Baumann <daniel.baum...@progress-linux.org>  Fri, 08 Mar 2024 23:21:21 +0100

frr (8.5.2-1) UNRELEASED; urgency=medium

  * new upstream release FRR 8.5.2
  * cleaned up outdated debian/README files
  * build against libunwind.  Results in better backtraces captured for both
    crashes and non-crash deviations from expected operations.
    (libunwind is used automatically if present, this also fixes an
    uncontrolled build environment influence on the result binaries by always
    requiring it.)
  * this version was never uploaded to Debian, the changelog entry is here for
    reference.

 -- David Lamparter <equinox-deb...@diac24.net>  Sat, 15 Jul 2023 08:33:59 -0700

frr (8.4.4-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Upstream fixes for CVE-2023-38802, CVE-2023-41358, CVE-2023-41360

 -- Aron Xu <a...@debian.org>  Fri, 01 Sep 2023 16:57:41 +0800

frr (8.4.4-1) unstable; urgency=medium

  * new upstream release FRR 8.4.4


### Old Ubuntu Delta ###

frr (8.4.4-1.1ubuntu6) noble; urgency=medium

  * No-change rebuild for c-ares t64.

 -- Matthias Klose <d...@ubuntu.com>  Tue, 16 Apr 2024 11:56:13 +0200

frr (8.4.4-1.1ubuntu5) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <steve.langa...@ubuntu.com>  Sun, 31 Mar 2024 05:25:32 +0000

frr (8.4.4-1.1ubuntu4) noble; urgency=medium

  * SECURITY UPDATE: DoS via malformed OSPF LSA packet
    - debian/patches/CVE-2024-27913.patch: solved crash in OSPF TE parsing
      in ospfd/ospf_te.c.
    - CVE-2024-27913

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Tue, 05 Mar 2024 08:25:28 -0500

frr (8.4.4-1.1ubuntu3) noble; urgency=medium

  * SECURITY UPDATE: read beyond stream during labeled unicast parsing
    - debian/patches/CVE-2023-38407.patch: fix use beyond end of stream of
      labeled unicast parsing in bgpd/bgp_label.c.
    - CVE-2023-38407
  * SECURITY UPDATE: crash via MP_UNREACH_NLRI attribute
    - debian/patches/CVE-2023-47234.patch: ignore handling NLRIs if we
      received MP_UNREACH_NLRI in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
      bgpd/bgp_packet.c.
    - CVE-2023-47234
  * SECURITY UPDATE: crash via malformed BGP UPDATE message
    - debian/patches/CVE-2023-47235.patch: treat EOR as withdrawn to avoid
      unwanted handling of malformed attrs in bgpd/bgp_attr.c.
    - CVE-2023-47235

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Thu, 16 Nov 2023 09:19:43 -0500

frr (8.4.4-1.1ubuntu2) noble; urgency=medium

  * SECURITY UPDATE: DoS via MP_REACH_NLRI data
    - debian/patches/CVE-2023-46752.patch: handle MP_REACH_NLRI malformed
      packets with session reset in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
      bgpd/bgp_packet.c.
    - CVE-2023-46752
  * SECURITY UPDATE: DoS via BGP UPDATE without mandatory attributes
    - debian/patches/CVE-2023-46753.patch: check mandatory attributes more
      carefully for UPDATE message in bgpd/bgp_attr.c.
    - CVE-2023-46753

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Wed, 01 Nov 2023 14:12:59 -0400

frr (8.4.4-1.1ubuntu1) mantic; urgency=medium

  * Merge with Debian unstable (LP: #2033921). Remaining changes:
    - Fix logging with Ubuntu's unprivileged rsyslog (LP #1958162):
      + d/frr.postinst: change log files ownership
      + d/frr.logrotate: change rotated log file ownership

 -- Andreas Hasenack <andr...@canonical.com>  Fri, 01 Sep 2023 15:15:39 -0300

** Affects: frr (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: needs-merge upgrade-software-version

** Changed in: frr (Ubuntu)
    Milestone: None => ubuntu-24.07

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064404

Title:
  Merge frr from Debian unstable for oracular



-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
