--- quagga-0.99.17.orig/debian/quagga.init.d
+++ quagga-0.99.17/debian/quagga.init.d
@@ -0,0 +1,257 @@
+#!/bin/bash
+#
+### BEGIN INIT INFO
+# Provides: quagga
+# Required-Start: $local_fs $network $remote_fs $syslog
+# Required-Stop: $local_fs $network $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop the Quagga routing suite
+# Description: Quagga is a routing suite for IP routing protocols like
+# BGP, OSPF, RIP and others. This script contols the main
+# daemon "quagga" as well as the individual protocol daemons.
+### END INIT INFO
+#
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+D_PATH=/usr/lib/quagga
+C_PATH=/etc/quagga
+DAEMONS="zebra bgpd ripd ripngd ospfd ospf6d isisd" # keep zebra first!
+
+# Print the name of the pidfile.
+pidfile()
+{
+ echo "/var/run/quagga/$1.pid"
+}
+
+# Check if daemon is started by using the pidfile.
+started()
+{
+ [ -e `pidfile $1` ] && kill -0 `cat \`pidfile $1\`` 2> /dev/null && return 0
+ return 1
+}
+
+# Loads the config via vtysh -b if configured to do so.
+vtysh_b ()
+{
+ # Rember, that all variables have been incremented by 1 in convert_daemon_prios()
+ if [ "$vtysh_enable" = 2 -a -f $C_PATH/Quagga.conf ]; then
+ /usr/bin/vtysh -b
+ fi
+}
+
+# Check if the daemon is activated and if its executable and config files
+# are in place.
+# params: daemon name
+# returns: 0=ok, 1=error
+check_daemon()
+{
+ # If the integrated config file is used the others are not checked.
+ if [ -r "$C_PATH/Quagga.conf" ]; then
+ return 0
+ fi
+
+ # vtysh_enable has no config file nor binary so skip check.
+ # (What is this good for? IIRC it was a "daemons" entry somewhen)
+ if [ $1 != "vtysh_enable" ]; then
+ # check for daemon binary
+ if [ ! -x "$D_PATH/$1" ]; then return 1; fi
+
+ # check for config file
+ if [ ! -r "$C_PATH/$1.conf" ]; then
+ echo -n " (not started without config file)"
+ return 1
+ fi
+ fi
+ return 0
+}
+
+# Starts the server if it's not alrady running according to the pid file.
+# The Quagga daemons creates the pidfile when starting.
+start()
+{
+ echo -n " $1"
+ if ! check_daemon $1; then return; fi
+
+ start-stop-daemon \
+ --start \
+ --pidfile=`pidfile $1` \
+ --exec "$D_PATH/$1" \
+ -- \
+ `eval echo "$""$1""_options"`
+
+}
+
+# Stop the daemon given in the parameter, printing its name to the terminal.
+stop()
+{
+ if ! started "$1" ; then
+ echo -n " ($1)"
+ return 0
+ else
+ PIDFILE=`pidfile $1`
+ PID=`cat $PIDFILE 2>/dev/null`
+ start-stop-daemon --stop --quiet --oknodo --exec "$D_PATH/$1"
+ #
+ # Now we have to wait until $DAEMON has _really_ stopped.
+ #
+ if test -n "$PID" && kill -0 $PID 2>/dev/null; then
+ echo -n " (waiting) ."
+ cnt=0
+ while kill -0 $PID 2>/dev/null; do
+ cnt=`expr $cnt + 1`
+ if [ $cnt -gt 60 ]; then
+ # Waited 120 secs now, fail.
+ echo -n "Failed.. "
+ break
+ fi
+ sleep 2
+ echo -n "."
+ done
+ fi
+ echo -n " $1"
+ rm -f `pidfile $1`
+ fi
+}
+
+# Converts values from /etc/quagga/daemons to all-numeric values.
+convert_daemon_prios()
+{
+ for name in $DAEMONS zebra vtysh_enable; do
+ # First, assign the value set by the user to $value
+ eval value=\$$name
+
+ # Daemon not activated or entry missing?
+ if [ "$value" = "no" -o "$value" = "" ]; then value=0; fi
+
+ # These strings parsed for backwards compatibility.
+ if [ "$value" = "yes" -o "$value" = "true" ]; then value=1; fi
+
+ # Zebra is threatened special. It must be between 0=off and the first
+ # user assigned value "1" so we increase all other enabled daemons' values.
+ if [ "$name" != "zebra" -a "$value" -gt 0 ]; then value=`expr "$value" + 1`; fi
+
+ # If e.g. name is zebra then we set "zebra=yes".
+ eval $name=$value
+ done
+}
+
+# Stops all daemons that have a lower level of priority than the given.
+# (technically if daemon_prio >= wanted_prio)
+stop_prio()
+{
+ local wanted_prio
+ local daemon_prio
+ local daemon_list
+
+ wanted_prio=$1
+ daemon_list=${2:-$DAEMONS}
+
+ echo -n "Stopping Quagga daemons (prio:$wanted_prio):"
+
+ for prio_i in `seq 10 -1 $wanted_prio`; do
+ for daemon_name in $daemon_list; do
+ eval daemon_prio=\$$daemon_name
+ if [ $daemon_prio -eq $prio_i ]; then
+ stop "$daemon_name"
+ fi
+ done
+ done
+ echo "."
+}
+
+# Starts all daemons that have a higher level of priority than the given.
+# (technically if daemon_prio <= wanted_prio)
+start_prio()
+{
+ local wanted_prio
+ local daemon_prio
+ local daemon_list
+
+ wanted_prio=$1
+ daemon_list=${2:-$DAEMONS}
+
+ echo -n "Starting Quagga daemons (prio:$wanted_prio):"
+
+ for prio_i in `seq 1 $wanted_prio`; do
+ for daemon_name in $daemon_list; do
+ eval daemon_prio=\$$daemon_name
+ if [ $daemon_prio -eq $prio_i ]; then
+ start "$daemon_name"
+ fi
+ done
+ done
+ echo "."
+}
+
+#########################################################
+# Main program #
+#########################################################
+
+# Config broken but script must exit silently.
+[ ! -r "$C_PATH/daemons" ] && exit 0
+
+# Load configuration
+. "$C_PATH/daemons"
+. "$C_PATH/debian.conf"
+
+# Set priority of un-startable daemons to 'no' and substitute 'yes' to '0'
+convert_daemon_prios
+
+# Just for me :-)
+if [ "$DEBIAN_SCRIPT_DEBUG" != "" ]; then
+ for name in $DAEMONS zebra vtysh_enable; do
+ echo -n "$name="; eval echo \$$name
+ done
+fi
+
+if [ ! -d /var/run/quagga ]; then
+ mkdir -p /var/run/quagga
+ chown quagga:quagga /var/run/quagga
+ chmod 755 /var/run/quagga
+fi
+
+case "$1" in
+ start)
+ # Try to load this necessary (at least for 2.6) module.
+ if [ -d /lib/modules/`uname -r` ] ; then
+ echo "Loading capability module if not yet done."
+ set +e; LC_ALL=C modprobe -a capability 2>&1 | egrep -v "(not found|Can't locate)"; set -e
+ fi
+
+ # Start all daemons
+ cd $C_PATH/
+ start_prio 10 $2
+ vtysh_b
+ ;;
+
+ 1|2|3|4|5|6|7|8|9|10)
+ # Stop/start daemons for the appropriate priority level
+ stop_prio $1
+ start_prio $1
+ vtysh_b
+ ;;
+
+ stop|0)
+ # Stop all daemons at level '0' or 'stop'
+ stop_prio 0 $2
+
+ echo "Removing all routes made by zebra."
+ ip route flush proto zebra
+ ;;
+
+ restart|force-reload)
+ $0 stop $2
+ sleep 1
+ $0 start $2
+ ;;
+
+ *)
+ echo "Usage: /etc/init.d/quagga {start|stop|restart|force-reload|} [daemon]"
+ echo " E.g. '/etc/init.d/quagga 5' would start all daemons with a prio 1-5."
+ echo " Read /usr/share/doc/quagga/README.Debian for details."
+ exit 1
+ ;;
+esac
+
+exit 0
--- quagga-0.99.17.orig/debian/quagga-doc.docs
+++ quagga-0.99.17/debian/quagga-doc.docs
@@ -0,0 +1,9 @@
+AUTHORS
+NEWS
+README
+REPORTING-BUGS
+doc/quagga.pdf
+doc/BGP-TypeCode
+doc/draft-zebra-00.txt
+doc/mpls/
+bgpd/BGP4-MIB.txt
--- quagga-0.99.17.orig/debian/copyright
+++ quagga-0.99.17/debian/copyright
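Review bot: In quagga.init.d the daemon name taken from the script's second argument is re-parsed by the shell: `start_prio 10 $2` and `stop_prio 0 $2` store it in `daemon_list`, both loops then run `eval daemon_prio=\$$daemon_name`, and `start()` builds its option list with another `eval echo` on `$1`. The script runs as root, so anything that forwards an operator-supplied daemon name to it (a sudo rule, a management wrapper) has that name evaluated as shell text rather than treated as data. Since the interpreter is bash, the loops can skip names outside the known list with `case " $DAEMONS " in *" $daemon_name "*) ;; *) continue ;; esac` and read the value with `daemon_prio=${!daemon_name:-0}`, which also keeps `[ $daemon_prio -eq $prio_i ]` from erroring on an unset name; `start()` can use the same indirect expansion on a variable holding `${1}_options`. Separately, `$C_PATH/daemons` and `$C_PATH/debian.conf` are sourced as root, so they need to be root-owned and not writable by the quagga user; their ownership is set outside this hunk.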
@@ -0,0 +1,27 @@
+This package was debianized by Christian Hammers on
+2003-07-01 based on the Debian package "zebra".
+
+The sources were downloaded from http://www.quagga.net/
+
+Copyright 1996-2003 by the original Zebra authors:
+ Kunihiro Ishiguro
+ Toshiaki Takada
+ Yasuhiro Ohara
+
+Copyright 2003-2009 by the Quagga Project, mostly Paul Jakma
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+A copy of the GPL can be found in /usr/share/common-licenses/GPL.
--- quagga-0.99.17.orig/debian/control
+++ quagga-0.99.17/debian/control
@@ -0,0 +1,41 @@
+Source: quagga
+Section: net
+Priority: optional
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Christian Hammers
+Uploaders: Florian Weimer
+Build-Depends: debhelper (>= 5), libncurses5-dev, libreadline-dev, texlive-latex-base, texlive-generic-recommended, libpam0g-dev | libpam-dev, libcap-dev, texinfo (>= 4.7), dpatch, imagemagick, ghostscript, groff, po-debconf, autotools-dev, hardening-wrapper, libpcre3-dev, gawk, chrpath
+Standards-Version: 3.8.4
+Homepage: http://www.quagga.net/
+
+Package: quagga
+Architecture: any
+Depends: ${shlibs:Depends}, logrotate (>= 3.2-11), iproute, ${misc:Depends}
+Pre-Depends: adduser
+Conflicts: zebra, zebra-pj
+Replaces: zebra, zebra-pj
+Suggests: snmpd
+Description: BGP/OSPF/RIP routing daemon
+ GNU Quagga is free software which manages TCP/IP based routing protocols.
+ It supports BGP4, BGP4+, OSPFv2, OSPFv3, IS-IS, RIPv1, RIPv2, and RIPng as
+ well as the IPv6 versions of these.
+ .
+ As the precessor Zebra has been considered orphaned, the Quagga project
+ has been formed by members of the zebra mailing list and the former
+ zebra-pj project to continue developing.
+ .
+ Quagga uses threading if the kernel supports it, but can also run on
+ kernels that do not support threading. Each protocol has its own daemon.
+ .
+ It is more than a routed replacement, it can be used as a Route Server and
+ a Route Reflector.
+
+Package: quagga-doc
+Section: doc
+Architecture: all
+Depends: ${misc:Depends}
+Suggests: quagga
+Description: documentation files for quagga
+ This package includes info files for quagga, a free software which manages
+ TCP/IP based routing protocols. It supports BGP4, BGP4+, OSPFv2, OSPFv3,
+ IS-IS, RIPv1, RIPv2, and RIPng as well as the IPv6 versions of these.
--- quagga-0.99.17.orig/debian/rules
+++ quagga-0.99.17/debian/rules
@@ -0,0 +1,210 @@ +#!/usr/bin/make -f + +export DH_VERBOSE=1 +export DEB_BUILD_HARDENING=1 + +T=$(CURDIR)/debian/tmp/ +Z=$(CURDIR)/debian/quagga/ +ZD=$(CURDIR)/debian/quagga-doc/ + +include /usr/share/dpatch/dpatch.make + +ifeq ($(WANT_SNMP), 1) + USE_SNMP=--enable-snmp + $(warning "DEBIAN: SNMP enabled, sorry for your inconvenience") +else + $(warning "DEBIAN: SNMP disabled, see README.Debian") +endif + +configure: patch configure-stamp +configure-stamp: + dh_testdir + + # Quagga needs /proc to check some BSD vs Linux specific stuff. + # Else it fails with an obscure error message pointing out + # that IPCTL_FORWARDING is an undefined symbol which is not very + # helpful. + @if ! [ -d /proc/1 ]; then \ + echo "./configure needs a mounted /proc"; \ + exit 1; \ + fi + + # Update config.* + cp /usr/share/misc/config.guess . + cp /usr/share/misc/config.sub . + + # according to redhad/quagga.spec as of 2003-08-18 with Debian hardening and PCRE-Posix + LIBS=-lpcreposix \ + ./configure \ + --prefix=/usr \ + --libexecdir=/usr/lib/quagga \ + --sbindir=/usr/lib/quagga \ + --sysconfdir=/etc/quagga \ + --localstatedir=/var/run/quagga \ + --enable-exampledir=$(T)/usr/share/doc/quagga/examples/ \ + \ + $(USE_SNMP) \ + --enable-vtysh \ + --enable-isisd \ + --enable-watchquagga \ + --enable-ospf-te \ + --enable-opaque-lsa \ + --enable-ipv6 \ + --enable-ospfclient=yes \ + --enable-ospfapi=yes \ + --enable-multipath=64 \ + --enable-user=quagga \ + --enable-group=quagga \ + --enable-vty-group=quaggavty \ + --enable-configfile-mask=0640 \ + --enable-logfile-mask=0640 \ + --enable-rtadv \ + --enable-tcp-md5 \ + --enable-gcc-rdynamic \ + \ + --with-libpam + + if ! 
diff -b -IHAVE_SNMP -IHAVE_NETSNMP -IUCD_COMPAT -IGETIFADDR debian/my/config.h.reference config.h; then \ + echo; \ + echo "WARNING: Please compare with debian/my/config.h.reference"; \ + echo; \ + if [ "`hostname`" = "james" ]; then exit 1; fi; \ + fi + + touch $@ + + +build: configure build-stamp +build-stamp: + @echo "#42# entering build" + dh_testdir + + $(MAKE) + + # doc/ is a bit crazy + $(MAKE) -C doc quagga.pdf || true # pdfetex fails with exit code 1 but still produces a good looking .pdf + rm -vf doc/quagga.info + $(MAKE) -C doc quagga.info + rm -vf doc/quagga.info.html* + + touch build-stamp + + +clean: clean-patched unpatch +clean-patched: + @echo "#42# entering clean" + dh_testdir + dh_testroot + rm -f configure-stamp build-stamp install-stamp + + # Those will be updated from /usr/share/misc + rm -f config.guess config.sub + + [ ! -f Makefile ] || $(MAKE) distclean + @echo "BEGIN CRUFT" + @rm -vf */Makefile doc/quagga.fns doc/quagga.info doc/quagga.kys doc/quagga.tmp doc/quagga.pdf doc/quagga.info-* + @rm -vf lib/version.c doc/stamp-vti + @rm -vf vtysh/vtysh_cmd.c + @rm -vf doc/fig*.pdf doc/version.texi + @echo "END CRUFT" + + # why? 
+ @if [ -e config.log ]; then echo "CONFIG.LOG STILL THERE"; rm config.log; fi + + debconf-updatepo + dh_clean + + +install: build + @echo "#42# entering install" + dh_testdir + dh_testroot + dh_clean -k + + $(MAKE) install \ + prefix=$(T)/usr \ + libexecdir=$(T)/usr/lib/quagga \ + sbindir=$(T)/usr/lib/quagga \ + sysconfdir=$(T)/etc/quagga \ + mandir=$(T)/usr/share/man \ + localstatedir=$(T)/var/run/quagga \ + infodir=$(T)/usr/share/info + + # cleaning up the info dir + rm -f $(T)/usr/share/info/dir* + + # install config files + mkdir -p $(T)/etc/quagga/ + cp debian/my/debian.conf $(T)/etc/quagga/ + cp debian/my/daemons $(T)/etc/quagga/ + perl -pi -e 's#^!log file #!log file /var/log/quagga/#' $(T)/usr/share/doc/quagga/examples/*sample* + + # installing the Quagga specific SNMP MIB + mkdir -p $(T)/usr/share/snmp/mibs/ + install -m 644 ./zebra/GNOME-PRODUCT-ZEBRA-MIB $(T)/usr/share/snmp/mibs/ + + # make lintian happy + mkdir -p $(T)/usr/share/lintian/overrides/ + cp debian/quagga.lintian-overrides $(T)/usr/share/lintian/overrides/quagga + + # strip rpath + chrpath --delete --keepgoing $(T)/usr/lib/quagga/* $(T)/usr/bin/vtysh || true + +# Build architecture-independent files here. +binary-indep: build install + dh_testdir + dh_testroot + + dh_installdirs -i + dh_movefiles -i + dh_link -i + + dh_installchangelogs -i + dh_installdebconf -i + dh_installdocs -i + dh_installexamples -i + dh_installinfo -i + dh_installman -i + + dh_compress -i + dh_fixperms -i + dh_installdeb -i + dh_shlibdeps -i + dh_gencontrol -i + dh_md5sums -i + dh_builddeb -i + +# Build architecture-dependent files here. 
+binary-arch: build install + dh_testdir + dh_testroot + + dh_installdirs -a + dh_movefiles -a + dh_link -a + + dh_installchangelogs -a ChangeLog + dh_installdebconf -a + dh_installdocs -a + dh_installexamples -a + dh_installinit -a + dh_installpam -a + dh_installlogrotate + dh_installman -a + + dh_strip -a + dh_compress -a + dh_fixperms -a + dh_makeshlibs -a + dh_installdeb -a + # dh_shlibdeps: removed "-L quagga" for Woody backport compatibility. + dh_shlibdeps -a -l debian/quagga/usr/lib + dh_gencontrol -a + dh_md5sums -a + dh_builddeb -a + +source diff: + @echo >&2 'source and diff are obsolete - use dpkg-source -b'; false + +binary: binary-indep binary-arch +.PHONY: clean clean-patched configure build binary binary-indep binary-arch install patch unpatch --- quagga-0.99.17.orig/debian/quagga-doc.files +++ quagga-0.99.17/debian/quagga-doc.files @@ -0,0 +1 @@ +usr/share/info --- quagga-0.99.17.orig/debian/README.Debian.Woody +++ quagga-0.99.17/debian/README.Debian.Woody @@ -0,0 +1,5 @@ +I maintain woody backports of Quagga, too. They are available at + + http://www.lathspell.de/linux/debian/ + +-christian- --- quagga-0.99.17.orig/debian/quagga.lintian-overrides +++ quagga-0.99.17/debian/quagga.lintian-overrides @@ -0,0 +1,4 @@ +quagga: non-dev-pkg-with-shlib-symlink usr/lib/libospfapiclient.so.0.0.0 usr/lib/libospfapiclient.so +quagga: non-dev-pkg-with-shlib-symlink usr/lib/libospf.so.0.0.0 usr/lib/libospf.so +quagga: non-dev-pkg-with-shlib-symlink usr/lib/libzebra.so.0.0.0 usr/lib/libzebra.so +quagga: package-name-doesnt-match-sonames libospf0 libospfapiclient0 libzebra0 --- quagga-0.99.17.orig/debian/quagga-doc.info +++ quagga-0.99.17/debian/quagga-doc.info @@ -0,0 +1 @@ +doc/quagga.info* --- quagga-0.99.17.orig/debian/watch +++ quagga-0.99.17/debian/watch 
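Review bot: In debian/rules the rpath strip at the end of the `install` target cannot fail the build: `chrpath --delete --keepgoing ... || true` discards the exit status, so the daemons under `/usr/lib/quagga` and `vtysh` can ship with an RPATH still embedded and nothing reports it. A leftover RPATH is a library search path baked into network-facing binaries, so it deserves a hard check; I would follow the strip with a step that runs `chrpath --list` over the same files and aborts the build if any path is still reported. The config.h comparison in `configure-stamp` has the same shape: a mismatch against `debian/my/config.h.reference` stops the build only when `hostname` is `james` and is just a warning everywhere else, so a configure result that drifts from the reference (presumably including PAM- or capability-related defines) passes on the build machines.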
@@ -0,0 +1,6 @@
+# Example watch control file for uscan
+# Rename this file to "watch" and then you can run the "uscan" command
+# to check for upstream updates and more.
+# Site Directory Pattern Version Script
+version=2
+http://www.quagga.net/download/quagga-(.*)\.tar\.gz debian uupdate
--- quagga-0.99.17.orig/debian/README.source
+++ quagga-0.99.17/debian/README.source
@@ -0,0 +1,2 @@
+This package uses dpatch to manage all modifications to the upstream
+source. See /usr/share/doc/dpatch/README.source.gz for more information.
--- quagga-0.99.17.orig/debian/quagga.manpages
+++ quagga-0.99.17/debian/quagga.manpages
@@ -0,0 +1,8 @@
+doc/bgpd.8
+doc/ospf6d.8
+doc/ospfd.8
+doc/ripd.8
+doc/ripngd.8
+doc/vtysh.1
+doc/zebra.8
+doc/isisd.8
--- quagga-0.99.17.orig/debian/quagga.postinst
+++ quagga-0.99.17/debian/quagga.postinst
@@ -0,0 +1,17 @@
+#!/bin/bash -e
+
+if [ -n "$DEBIAN_SCRIPT_DEBUG" ]; then set -v -x; DEBIAN_SCRIPT_TRACE=1; fi
+${DEBIAN_SCRIPT_TRACE:+ echo "#42#DEBUG# RUNNING $0 $*"}
+
+# This is most likely due to the answer "no" to the "really stop the server"
+# question in the prerm script.
+if [ "$1" = "abort-upgrade" ]; then
+ exit 0
+fi
+
+. /usr/share/debconf/confmodule
+
+db_stop
+
+#DEBHELPER#
+
--- quagga-0.99.17.orig/debian/quagga.prerm
+++ quagga-0.99.17/debian/quagga.prerm
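Review bot: The debian/watch line fetches the upstream tarball over plain `http://www.quagga.net/download/` and hands the result to `uupdate`, and nothing in the file authenticates what was downloaded. For a routing daemon with the advisory history listed in this package's changelog, new upstream source should be verified before it is unpacked: switch to an `https://` URL if upstream serves one and, if upstream publishes detached signatures, enable signature checking (uscan's `pgpsigurlmangle` option, which as far as I know needs a newer watch format than `version=2`). The first three comment lines are template text (`Rename this file to "watch"`) and no longer describe this file.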
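Review bot: In quagga.postinst `-e` is passed on the shebang line (`#!/bin/bash -e`), so it is lost whenever the script is started as `bash quagga.postinst`, and a failing `db_stop` or debhelper snippet would then be ignored. Use `#!/bin/bash` with `set -e` on its own line; `quagga.prerm` has the same shebang and needs the same change. The `${DEBIAN_SCRIPT_TRACE:+ echo ...}` line depends on an unquoted expansion being executed as a command, and an explicit `if [ -n "$DEBIAN_SCRIPT_TRACE" ]; then echo ...; fi` says the same thing more readably.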
@@ -0,0 +1,38 @@
+#!/bin/bash -e
+
+. /usr/share/debconf/confmodule
+
+if [ -n "$DEBIAN_SCRIPT_DEBUG" ]; then set -v -x; DEBIAN_SCRIPT_TRACE=1; fi
+${DEBIAN_SCRIPT_TRACE:+ echo "#42#DEBUG# RUNNING $0 $*"}
+
+# prerm remove
+# old-prerm upgrade new-version
+# new-prerm failed-upgrade old-version
+# conflictor's-prerm remove in-favour package new-version
+# deconfigured's-prerm deconfigure in-favour package-being-installed version removing conflicting-package
+case $1 in
+ remove|upgrade)
+ # Trying to prevents the user from cutting his network connection if
+ # one or more servers seem to be started.
+ if [ -n "`ls /var/run/quagga/*.pid 2>/dev/null`" ]; then
+ db_fset quagga/really_stop seen false || true
+ db_input high quagga/really_stop || true
+ db_go || true
+ db_get quagga/really_stop || true
+ if [ "$RET" = "false" ]; then
+ db_stop
+ echo "*** As requested via Debconf, the Quagga daemon will not stop! ***" 1>&2
+ exit 1
+ fi
+ fi
+ ;;
+
+ failed-upgrade)
+ # If quagga/really_stop was negated then this script exits with return
+ # code 1 and is called again with "failed-upgrade". Well, exit again.
+ exit 1
+ ;;
+
+esac
+
+#DEBHELPER#
--- quagga-0.99.17.orig/debian/quagga.docs
+++ quagga-0.99.17/debian/quagga.docs
@@ -0,0 +1,4 @@
+tools
+debian/README.Debian
+debian/README.Debian.Woody
+debian/README.Debian.MD5
--- quagga-0.99.17.orig/debian/changelog
+++ quagga-0.99.17/debian/changelog
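Review bot: In quagga.prerm a stored answer of false for `quagga/really_stop` makes the script `exit 1` for `upgrade` and again for `failed-upgrade`, which aborts the whole upgrade, security uploads like the ones in this package's changelog included, and the only trace is one line on stderr. The template's default and how the question behaves under a noninteractive frontend are not visible in this hunk; if the answer can be false there, unattended security updates for the routing daemons would be held back without an operator noticing. I would state this consequence in README.Debian next to the existing hint about putting Quagga on hold, and make sure the default answer is to stop. Smaller points: `db_get quagga/really_stop || true` followed by a test of `$RET` reads a stale or empty `RET` when `db_get` fails, and the `ls /var/run/quagga/*.pid` test only shows that pid files exist, not that a daemon is running.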
@@ -0,0 +1,1046 @@ +quagga (0.99.17-1ubuntu0.2) maverick-security; urgency=low + + * SECURITY UPDATE: arbitrary code execution via malformed Inter Area + Prefix LSA + - debian/patches/99_CVE-2011-3323.dpatch: check lengths in + ospf6d/{ospf6_abr.h,ospf6_asbr.h,ospf6_intra.h,ospf6_lsa.h, + ospf6_message.c,ospf6_message.h,ospf6_proto.h} + - CVE-2011-3323 + * SECURITY UPDATE: denial of sevice via crafted Link-State-Advertisement + - debian/patches/99_CVE-2011-3324.dpatch: change assert to warning in + ospf6d/ospf6_lsa.c. + - CVE-2011-3324 + * SECURITY UPDATE: denial of service via crafted Hello packet + - debian/patches/99_CVE-2011-3325.dpatch: add extra checks to + ospfd/ospf_packet.c. + - CVE-2011-3325 + * SECURITY UPDATE: denial of service via unknown Link-State-Advertisements + types + - debian/patches/99_CVE-2011-3326.dpatch: exit if LSA type is unknown + in ospfd/ospf_flood.c. + - CVE-2011-3326 + * SECURITY UPDATE: arbitrary code execution via Extended Communities path + attribute + - debian/patches/99_CVE-2011-3327.dpatch: properly check size in + bgpd/bgp_ecommunity.c. + - CVE-2011-3327 + + -- Marc Deslauriers Fri, 07 Oct 2011 10:19:05 -0400 + +quagga (0.99.17-1ubuntu0.1) maverick-security; urgency=low + + * SECURITY UPDATE: denial of service via malformed extended communities + - debian/patches/99_quagga-extcom.dpatch: ignore malformed extended + communities in bgpd/bgp_attr.c. + - CVE-2010-1674 + * SECURITY UPDATE: denial of service via AS_PATHLIMIT + - debian/patches/99_no-aspathlimit.dpatch: remove AS_PATHLIMIT support + in bgpd/bgp_attr.c. + - CVE-2010-1675 + + -- Marc Deslauriers Wed, 23 Mar 2011 14:05:22 -0400 + +quagga (0.99.17-1) unstable; urgency=high + + * SECURITY: + "This release provides two important bugfixes, which address remote crash + possibility in bgpd discovered by CROSS team.": + 1. Stack buffer overflow by processing certain Route-Refresh messages + CVE-2010-2948 + 2. 
DoS (crash) while processing certain BGP update AS path messages + CVE-2010-2949 + Closes: #594262 + + -- Christian Hammers Wed, 25 Aug 2010 00:52:48 +0200 + +quagga (0.99.16-1) unstable; urgency=low + + * New upstream release. Closes: #574527 + * Added chrpath to debian/rules to fix rpath problems that lintian spottet. + + -- Christian Hammers Sun, 21 Mar 2010 17:05:40 +0100 + +quagga (0.99.15-2) unstable; urgency=low + + * Applied patch for off-by-one bug in ospf6d that caused a segmentation + fault when using the "area a.b.c.d filter-list prefix" command (thanks + to Steinar H. Gunderson). Closes: 519488 + + -- Christian Hammers Sun, 14 Feb 2010 20:02:03 +0100 + +quagga (0.99.15-1) unstable; urgency=low + + * New upstream release + "This fixes some annoying little ospfd and ospf6d regressions, which made + 0.99.14 a bit of a problem release (...) This release still contains a + regression in the "no ip address ..." command, at least on Linux. + See bug #486, which contains a workaround patch. This release should be + considered a 1.0.0 release candidate. Please test this release as widely + as possible." + * Fixed wrong port number in zebra.8 (thanks to Thijs Kinkhorst). + Closes: #517860 + * Added Russian Debconf tanslation (thanks to Yuri Kozlov). + Closes: #539464 + * Removed so-version in build-dep to libreadline-dev on request of + Matthias Klose. + * Added README.source with reference to dpatch as suggested by lintian. + * Bumped standards versionto 3.8.3. + + -- Christian Hammers Sun, 13 Sep 2009 18:12:06 +0200 + +quagga (0.99.14-1) unstable; urgency=low + + * New upstream release + "This release contains a regression fix for ospf6d, various small fixes + and some hopefully very significant bgpd stability fixes. + This release should be considered a 1.0.0 release candidate. Please test + this release as widely as possible." + * Fixes bug with premature LSA aging in ospf6d. Closes: #535030 + * Fixes section number in zebra.8 manpage. 
Closes: #517860 + + -- Christian Hammers Sat, 25 Jul 2009 00:40:38 +0200 + +quagga (0.99.13-2) unstable; urgency=low + + * Added Japanese Debconf translation (thanks to Hideki Yamane). + Closes: #510714 + * When checking for obsoleted config options in preinst, print filename + where it occures (thanks to Michael Bussmann). Closes: #339489 + + -- Christian Hammers Sun, 19 Jul 2009 17:13:23 +0200 + +quagga (0.99.13-1) unstable; urgency=low + + * New upstream release + "This release is contains a number of small fixes, for potentially + irritating issues, as well as small enhancements to vtysh and support + for linking to PCRE (a much faster regex library)." + * Added build-dep to gawk as configure required it for memtypes.awk + * Replaced build-dep to gs-gpl with ghostscript as requested by lintian + * Minor changes to copyright and control files to make lintian happy. + + -- Christian Hammers Wed, 24 Jun 2009 17:53:28 +0200 + +quagga (0.99.12-1) unstable; urgency=high + + * New upstream release + "This release fixes an urgent bug in bgpd where it could hit an assert + if it received a long AS_PATH with a 4-byte ASN." Noteworthy bugfixes: + + [bgpd] Fix bgp ipv4/ipv6 accept handling + + [bgpd] AS4 bugfix by Chris Caputo + + [bgpd] Allow accepted peers to progress even if realpeer is in Connect + + [ospfd] Switch Fletcher checksum back to old ospfd version + + -- Christian Hammers Mon, 22 Jun 2009 00:16:33 +0200 + +quagga (0.99.11-1) unstable; urgency=low + + * New upstream release + "Most regressions in 0.99 over 0.98 are now believed to be fixed. This + release should be considered a release-candidate for a new stable series." + + bgpd: Preliminary UI and Linux-IPv4 support for TCP-MD5 merged + + zebra: ignore dead routes in RIB update + + [ospfd] Default route needs to be refreshed after neighbour state change + + [zebra:netlink] Set proto/scope on all route update messages + * Removed debian/patches/20_*bgp*md5*.dpatch due to upstream support. 
+ + -- Christian Hammers Thu, 09 Oct 2008 22:56:38 +0200 + +quagga (0.99.10-1) unstable; urgency=medium + + * New upstream release + + bgpd: 4-Byte AS Number support + + Sessions were incorrectly reset if a partial AS-Pathlimit attribute + was received. + + Advertisement of Multi-Protocol prefixes (i.e. non-IPv4) had been + broken in the 0.99.9 release. Closes: #467656 + + -- Christian Hammers Tue, 08 Jul 2008 23:32:42 +0200 + +quagga (0.99.9-6) unstable; urgency=low + + * Fixed FTBFS by adding a build-dep to libpcre3-dev (thanks to Luk Claes). + Closes: #469891 + + -- Christian Hammers Sat, 12 Apr 2008 12:53:51 +0200 + +quagga (0.99.9-5) unstable; urgency=low + + * C.J. Adams-Collier and Paul Jakma suggested to build against libpcre3 + which is supposed to be faster. + + -- Christian Hammers Sun, 02 Mar 2008 13:19:42 +0100 + +quagga (0.99.9-4) unstable; urgency=low + + * Added hardening-wrapper to the build-deps (thanks to Moritz Muehlenhoff). + + -- Christian Hammers Tue, 29 Jan 2008 22:33:56 +0100 + +quagga (0.99.9-3) unstable; urgency=low + + * Replaced the BGP patch by a new one so that the package builds again + with kernels above 2.6.21! + * debian/control: + + Moved quagga-doc to section doc to make lintian happy. + * Added Spanish debconf translation (thanks to Carlos Galisteo de Cabo). + Closes: #428574 + * debian/control: (thanks to Marco Rodrigues) + + Bump Standards-Version to 3.7.3 (no changes needed). + + Add Homepage field. + + -- Christian Hammers Mon, 28 Jan 2008 22:29:18 +0100 + +quagga (0.99.9-2.1) unstable; urgency=low + + * Non-maintainer upload. + * debian/rules: fixed bashisms. (Closes: #459122) + + -- Miguel Angel Ruiz Manzano Tue, 22 Jan 2008 14:37:21 -0300 + +quagga (0.99.9-2) unstable; urgency=low + + * Added CVE id for the security bug to the last changelog entry. 
+ Closes: 442133 + + -- Christian Hammers Tue, 25 Sep 2007 22:01:31 +0200 + +quagga (0.99.9-1) unstable; urgency=high + + * SECURITY: + "This release fixes two potential DoS conditions in bgpd, reported by Mu + Security, where a bgpd could be crashed if a peer sent a malformed OPEN + message or a malformed COMMUNITY attribute. Only configured peers can do + this, hence we consider these issues to be very low impact." CVE-2007-4826 + + -- Christian Hammers Wed, 12 Sep 2007 21:12:41 +0200 + +quagga (0.99.8-1) unstable; urgency=low + + * New upstream version. + + -- Christian Hammers Fri, 17 Aug 2007 00:07:04 +0200 + +quagga (0.99.7-3) unstable; urgency=medium + + * Applied patch for FTBFS with linux-libc-dev (thanks to Andrew J. Schorr + and Lucas Nussbaum). Closes: #429003 + + -- Christian Hammers Fri, 22 Jun 2007 21:34:55 +0200 + +quagga (0.99.7-2) unstable; urgency=low + + * Added Florian Weimar as co-maintainer. Closes: 421977 + * Added Dutch debconf translation (thanks to Bart Cornelis). + Closes: #420932 + * Added Portuguese debconf translation (thanks to Rui Branco). + Closes: #421185 + * Improved package description (thanks to Reuben Thomas). + Closes: #418933 + * Added CVE Id to 0.99.6-5 changelog entry. + + -- Christian Hammers Wed, 02 May 2007 20:27:12 +0200 + +quagga (0.99.7-1) unstable; urgency=low + + * New upstream release. Closes: #421553 + + -- Christian Hammers Mon, 30 Apr 2007 14:22:34 +0200 + +quagga (0.99.6-6) unstable; urgency=medium + + * Fixes FTBFS with tetex-live. Closes: #420468 + + -- Christian Hammers Mon, 23 Apr 2007 21:34:13 +0200 + +quagga (0.99.6-5) unstable; urgency=high + + * SECURITY: + The bgpd daemon was vulnerable to a Denial-of-Service. Configured peers + could cause a Quagga bgpd to, typically, assert() and abort. The DoS + could be triggered by peers by sending an UPDATE message with a crafted, + malformed Multi-Protocol reachable/unreachable NLRI attribute. + This is CVE-2007-1995 and Quagga Bug#354. 
Closes: #418323 + + -- Christian Hammers Thu, 12 Apr 2007 23:21:58 +0200 + +quagga (0.99.6-4) unstable; urgency=low + + * Improved note in README.Debian for SNMP self-builders (thanks to Matthias + Wamser). Closes: #414788 + + -- Christian Hammers Wed, 14 Mar 2007 02:18:57 +0100 + +quagga (0.99.6-3) unstable; urgency=low + + * Updated German Debconf translation (thanks to Matthias Julius). + Closes: #409327 + + -- Christian Hammers Sat, 10 Feb 2007 15:06:16 +0100 + +quagga (0.99.6-2) unstable; urgency=low + + * Updated config.guess/config.sub as suggested by lintian. + * Corrected README.Debian text regarding the WANT_SNMP flag. + + -- Christian Hammers Sun, 17 Dec 2006 01:45:37 +0100 + +quagga (0.99.6-1) unstable; urgency=low + + * New upstream release. Closes: #402361 + + -- Christian Hammers Mon, 11 Dec 2006 00:28:09 +0100 + +quagga (0.99.5-5) unstable; urgency=high + + * Changed Depends on adduser to Pre-Depends to avoid uninstallability + in certain cases (thanks to Steve Langasek, Lucas Nussbaum). + Closes: #398562 + + -- Christian Hammers Wed, 15 Nov 2006 17:46:34 +0100 + +quagga (0.99.5-4) unstable; urgency=low + + * Added default PAM file and some explanations regarding PAM authentication + of vtysh which could prevent the start at boot-time when used wrong. + Now PAM permits anybody to access the vtysh tool (a malicious user could + build his own vtysh without PAM anyway) and the access is controled by + the read/write permissions of the vtysh socket which are only granted to + users belonging to the quaggavty group (thanks to Wakko Warner). + Closes: #389496 + * Added "case" to prerm script so that the Debconf question is not called a + second time in e.g. "new-prerm abort-upgrade" after being NACKed in the + old-prerm. + + -- Christian Hammers Fri, 3 Nov 2006 01:22:15 +0100 + +quagga (0.99.5-3) unstable; urgency=medium + + * Backport CVS fix for an OSPF DD Exchange regression (thanks to Matt + Brown). 
Closes: #391040 + + -- Christian Hammers Wed, 25 Oct 2006 19:47:11 +0200 + +quagga (0.99.5-2) unstable; urgency=medium + + * Added LSB info section to initscript. + * Removed unnecessary depends to libncurses5 to make checklib happy. + The one to libcap should remain though as it is just temporarily + unused. + + -- Christian Hammers Thu, 21 Sep 2006 00:04:07 +0200 + +quagga (0.99.5-1) unstable; urgency=low + + * New upstream release. Closes: #38704 + * Upstream fixes ospfd documentary inconsistency. Closes: #347897 + * Changed debconf question in prerm to "high" (thanks to Rafal Pietrak). + + -- Christian Hammers Mon, 11 Sep 2006 23:43:42 +0200 + +quagga (0.99.4-4) unstable; urgency=low + + * Recreate /var/run if not present because /var is e.g. on a tmpfs + filesystem (thanks to Martin Pitt). Closes: #376142 + * Removed nonexistant option from ospfd.8 manpage (thanks to + David Medberry). Closes: 378274 + + -- Christian Hammers Sat, 15 Jul 2006 20:22:12 +0200 + +quagga (0.99.4-3) unstable; urgency=low + + * Removed invalid semicolon from rules file (thanks to Philippe Gramoulle). + + -- Christian Hammers Tue, 27 Jun 2006 23:36:07 +0200 + +quagga (0.99.4-2) unstable; urgency=high + + * Set urgency to high as 0.99.4-1 fixes a security problem! + * Fixed building of the info file. + + -- Christian Hammers Sun, 14 May 2006 23:04:28 +0200 + +quagga (0.99.4-1) unstable; urgency=low + + * New upstream release to fix a security problem in the telnet interface + of the BGP daemon which could be used for DoS attacks (CVE-2006-2276). + Closes: 366980 + + -- Christian Hammers Sat, 13 May 2006 19:54:40 +0200 + +quagga (0.99.3-3) unstable; urgency=low + + * Added CVE numbers for the security patch in 0.99.3-2. + + -- Christian Hammers Sat, 6 May 2006 17:14:22 +0200 + +quagga (0.99.3-2) unstable; urgency=high + + * SECURITY: + Added security bugfix patch from upstream BTS for security problem + that could lead to injected routes when using RIPv1. 
+ CVE-2006-2223 - missing configuration to disable RIPv1 or require + plaintext or MD5 authentication + CVE-2006-2224 - lack of enforcement of RIPv2 authentication requirements + Closes: #365940 + * First amd64 upload. + + -- Christian Hammers Thu, 4 May 2006 00:22:09 +0200 + +quagga (0.99.3-1) unstable; urgency=low + + * New upstream release + + -- Christian Hammers Wed, 25 Jan 2006 13:37:27 +0100 + +quagga (0.99.2-1) unstable; urgency=low + + * New upstream release + Closes: #330248, #175553 + + -- Christian Hammers Wed, 16 Nov 2005 00:25:52 +0100 + +quagga (0.99.1-7) unstable; urgency=low + + * Changed debian/rules check for mounted /proc directory to check + for /proc/1 as not all systems (e.g. 2.6 arm kernels) have + /proc/kcore which is a optional feature only (thanks to Lennert + Buytenhek). Closes: #335695 + * Added Swedish Debconf translation (thanks to Daniel Nylander). + Closes: #331367 + + -- Christian Hammers Thu, 27 Oct 2005 20:53:19 +0200 + +quagga (0.99.1-6) unstable; urgency=low + + * Fixed debconf dependency as requested by Joey Hess. + + -- Christian Hammers Mon, 26 Sep 2005 20:47:35 +0200 + +quagga (0.99.1-5) unstable; urgency=low + + * Rebuild with libreadline5-dev as build-dep as requested by + Matthias Klose. Closes: #326306 + * Made initscript more fault tolerant against missing lines in + /etc/quagga/daemons (thanks to Ralf Hildebrandt). Closes: #323774 + * Added dependency to adduser. + + -- Christian Hammers Tue, 13 Sep 2005 21:42:17 +0200 + +quagga (0.99.1-4) unstable; urgency=low + + * Added French Debconf translation (thanks to Mohammed Adnene Trojette). + Closes: #319324 + * Added Czech Debconf translation (thanks to Miroslav Kure). 
+ Closes: #318127 + + -- Christian Hammers Sun, 31 Jul 2005 04:19:41 +0200 + +quagga (0.99.1-3) unstable; urgency=low + + * A Debconf question now asks the admin before upgrading if the daemon + should really be stopped as this could lead to the loss of network + connectivity or BGP flaps (thanks to Michael Horn and Achilleas Kotsis). + Also added a hint about setting Quagga "on hold" to README.Debian. + Closes: #315467 + * Added patch to build on Linux/ARM. + + -- Christian Hammers Sun, 10 Jul 2005 22:19:38 +0200 + +quagga (0.99.1-2) unstable; urgency=low + + * Fixed SNMP enabled command in debian/rules (thanks to Christoph Kluenter). + Closes: #306840 + + -- Christian Hammers Sat, 4 Jun 2005 14:04:01 +0200 + +quagga (0.99.1-1) unstable; urgency=low + + * New upstream version. Among others: + - BGP graceful restart and "match ip route-source" added + - support for interface renaming + - improved threading for better responsivness under load + * Switched to dpatch to make diffs cleaner. + * Made autoreconf unnecessary. + * Replaced quagga.dvi and quagga.ps by quagga.pdf in quagga-doc. + (the PostScript would have needed Makefile corrections and PDF + is more preferable anyway) + * Added isisd to the list of daemons in /etc/init.d/quagga (thanks + to Ernesto Elbe). + * Added hint for "netlink-listen: overrun" messages (thanks to + Hasso Tepper). + * Added preinst check that bails out if old smux options are in use + as Quagga would not start up else anyway (thanks to Bjorn Mork). + Closes: #308320 + + -- Christian Hammers Fri, 13 May 2005 01:18:24 +0200 + +quagga (0.98.3-7) unstable; urgency=high + + * Removed SNMP support as linking against NetSNMP introduced a dependency + to OpenSSL which is not compatible to the GPL which governs this + application (thanks to Faidon Liambotis). See README.Debian for more + information. Closes: #306840 + * Changed listening address of ospf6d and ripngd from 127.0.0.1 to "::1". 
+ * Added build-dep to groff to let drafz-zebra-00.txt build correctly. + + -- Christian Hammers Wed, 4 May 2005 20:08:14 +0200 + +quagga (0.98.3-6) testing-proposed-updates; urgency=high + + * Removed "Recommends kernel-image-2.4" as aptitude then + installes a kernel-image for an arbitrary architecture as long + as it fullfill that recommendation which can obviously fatal + at the next reboot :) Also it is a violation of the policy + which mandates a reference to real packages (thanks to Holger Levsen). + Closes: #307281 + + -- Christian Hammers Tue, 3 May 2005 22:53:39 +0200 + +quagga (0.98.3-5) unstable; urgency=high + + * The patch which tried to remove the OpenSSL dependency, which is + not only unneccessary but also a violation of the licence and thus RC, + stopped working a while ago, since autoreconf is no longer run before + building the binaries. So now ./configure is patched directly (thanks + to Faidon Liambotis for reporting). Closes: #306840 + * Raised Debhelper compatibility level from 3 to 4. Nothing changed. + * Added build-dep to texinfo (>= 4.7) to ease work for www.backports.org. + + -- Christian Hammers Fri, 29 Apr 2005 02:31:03 +0200 + +quagga (0.98.3-4) unstable; urgency=low + + * Removed Debconf upgrade note as it was considered a Debconf abuse + and apart from that so obvious that it was not even worth to be + put into NEWS.Debian (thanks to Steve Langasek). Closes: #306384 + + -- Christian Hammers Wed, 27 Apr 2005 00:10:24 +0200 + +quagga (0.98.3-3) unstable; urgency=medium + + * Adding the debconf module due to a lintian suggestion is a very + bad idea if no db_stop is called as the script hangs then (thanks + to Tore Anderson for reporting). Closes: #306324 + + -- Christian Hammers Mon, 25 Apr 2005 21:55:58 +0200 + +quagga (0.98.3-2) unstable; urgency=low + + * Added debconf confmodule to postinst as lintian suggested. 
+ + -- Christian Hammers Sun, 24 Apr 2005 13:16:00 +0200 + +quagga (0.98.3-1) unstable; urgency=low + + * New upstream release. + Mmost notably fixes last regression in bgpd (reannounce of prefixes + with changed attributes works again), race condition in netlink + handling while using IPv6, MTU changes handling in ospfd and several + crashes in ospfd, bgpd and ospf6d. + + -- Christian Hammers Mon, 4 Apr 2005 12:51:24 +0200 + +quagga (0.98.2-2) unstable; urgency=low + + * Added patch to let Quagga compile with gcc-4.0 (thanks to + Andreas Jochens). Closes: #300949 + + -- Christian Hammers Fri, 25 Mar 2005 19:33:30 +0100 + +quagga (0.98.2-1) unstable; urgency=medium + + * Quoting the upstream announcement: + The 0.98.1 release unfortunately was a brown paper bag release with + respect to ospfd. [...] 0.98.2 has been released, with one crucial change + to fix the unfortunate mistake in 0.98.1, which caused problems if + ospfd became DR. + * Note: the upstream tarball had a strange problem, apparently redhat.spec + was twice in it? At least debuild gave a strange error message so I + unpacked it by hand. No changes were made to the .orig.tar.gz! + + -- Christian Hammers Fri, 4 Feb 2005 01:31:36 +0100 + +quagga (0.98.1-1) unstable; urgency=medium + + * New upstream version + "fixing a fatal OSPF + MD5 auth regression, and a non-fatal high-load + regression in bgpd which were present in the 0.98.0 release." + * Upstream version fixes bug in ospfd that could lead to crash when OSPF + packages had a MTU > 1500. Closes: #290566 + * Added notice regarding capability kernel support to README.Debian + (thanks to Florian Weimer). Closes: #291509 + * Changed permission setting in postinst script (thanks to Bastian Blank). + Closes: #292690 + + -- Christian Hammers Tue, 1 Feb 2005 02:01:27 +0100 + +quagga (0.98.0-3) unstable; urgency=low + + * Fixed problem in init script. Closes: #290317 + * Removed obsolete "smux peer enable" patch. 
+ + -- Christian Hammers Fri, 14 Jan 2005 17:37:27 +0100 + +quagga (0.98.0-2) unstable; urgency=low + + * Updated broken TCP MD5 patch for BGP (thanks to John P. Looney + for telling me). + + -- Christian Hammers Thu, 13 Jan 2005 02:03:54 +0100 + +quagga (0.98.0-1) unstable; urgency=low + + * New upstream release + * Added kernel-image-2.6 as alternative to 2.4 to the recommends + (thanks to Faidon Liambotis). Closes: #289530 + + -- Christian Hammers Mon, 10 Jan 2005 19:36:17 +0100 + +quagga (0.97.5-1) unstable; urgency=low + + * New upstream version. + * Added Czech debconf translation (thanks to Miroslav Kure). + Closes: #287293 + * Added Brazilian debconf translation (thanks to Andre Luis Lopes). + Closes: #279352 + + -- Christian Hammers Wed, 5 Jan 2005 23:49:57 +0100 + +quagga (0.97.4-2) unstable; urgency=low + + * Fixed quagga.info build problem. + + -- Christian Hammers Wed, 5 Jan 2005 22:38:01 +0100 + +quagga (0.97.4-1) unstable; urgency=low + + * New upstream release. + + -- Christian Hammers Tue, 4 Jan 2005 01:45:22 +0100 + +quagga (0.97.3-2) unstable; urgency=low + + * Included isisd in the daemon list. + * Wrote an isisd manpage. + * It is now ensured that zebra is always the last daemon to be stopped. + * (Thanks to Hasso Tepper for mailing me a long list of suggestions + which lead to this release) + + -- Christian Hammers Sat, 18 Dec 2004 13:14:55 +0100 + +quagga (0.97.3-1) unstable; urgency=medium + + * New upstream version. + - Fixes important OSPF bug. + * Added ht-20040911-smux.patch regarding Quagga bug #112. + * Updated ht-20041109-0.97.3-bgp-md5.patch for BGP with TCP MD5 + (thanks to Matthias Wamser). + + -- Christian Hammers Tue, 9 Nov 2004 17:45:26 +0100 + +quagga (0.97.2-4) unstable; urgency=low + + * Added Portuguese debconf translation (thanks to Andre Luis Lopes). + Closes: #279352 + * Disabled ospfapi server by default on recommendation of Paul Jakma. 
+ + -- Christian Hammers Sun, 7 Nov 2004 15:07:05 +0100 + +quagga (0.97.2-3) unstable; urgency=low + + * Added Andrew Schorrs VTY Buffer patch from the [quagga-dev 1729]. + + -- Christian Hammers Tue, 2 Nov 2004 00:46:56 +0100 + +quagga (0.97.2-2) unstable; urgency=low + + * Changed file and directory permissions and ownerships according to a + suggestion from Paul Jakma. Still not perfect though. + * Fixed upstream vtysh.conf.sample file. + * "ip ospf network broadcast" is now saved correctly. Closes: #244116 + * Daemon options are now in /etc/quagga/debian.conf to be user + configurable (thanks to Simon Raven and Hasso Tepper). Closes: #266715 + + -- Christian Hammers Tue, 26 Oct 2004 23:35:45 +0200 + +quagga (0.97.2-1) unstable; urgency=low + + * New upstream version. + Closes: #254541 + * Fixed warning on unmodular kernels (thanks to Christoph Biedl). + Closes: #277973 + + -- Christian Hammers Mon, 25 Oct 2004 00:47:04 +0200 + +quagga (0.97.1-2) unstable; urgency=low + + * Version 0.97 introduced shared libraries. They are now included. + (thanks to Raf D'Halleweyn). Closes: #277446 + + -- Christian Hammers Wed, 20 Oct 2004 15:32:06 +0200 + +quagga (0.97.1-1) unstable; urgency=low + + * New upstream version. + * Removed some obsolete files from debian/patches. + * Added patch from upstream bug 113. Closes: #254541 + * Added patch from upstream that fixes a compilation problem in the + ospfclient code (thanks to Hasso Tepper). + * Updated German debconf translation (thanks to Jens Nachtigall) + Closes: #277059 + + -- Christian Hammers Mon, 18 Oct 2004 01:16:35 +0200 + +quagga (0.96.5-11) unstable; urgency=low + + * Fixed /tmp/buildd/* paths in binaries. + For some unknown reason the upstream Makefile modified a .h file at + the end of the "debian/rules build" target. During the following + "make install" one library got thus be re*compiled* - with /tmp/buildd + paths as sysconfdir (thanks to Peder Chr. Norgaard). 
Closes: #274050 + + -- Christian Hammers Fri, 1 Oct 2004 01:21:02 +0200 + +quagga (0.96.5-10) unstable; urgency=medium + + * The BGP routing daemon might freeze on network disturbances when + their peer is also a Quagga/Zebra router. + Applied patch from http://bugzilla.quagga.net/show_bug.cgi?id=102 + which has been confirmed by the upstream author. + (thanks to Gunther Stammwitz) + * Changed --enable-pam to --with-libpam (thanks to Hasso Tepper). + Closes: #264562 + * Added patch for vtysh (thanks to Hasso Tepper). Closes: #215919 + + -- Christian Hammers Mon, 9 Aug 2004 15:33:02 +0200 + +quagga (0.96.5-9) unstable; urgency=low + + * Rewrote the documentation chapter about SNMP support. Closes: #195653 + * Added MPLS docs. + + -- Christian Hammers Thu, 29 Jul 2004 21:01:52 +0200 + +quagga (0.96.5-8) unstable; urgency=low + + * Adjusted a grep in the initscript to also match a modprobe message + from older modutils packages (thanks to Faidon Paravoid). + + -- Christian Hammers Wed, 28 Jul 2004 21:19:02 +0200 + +quagga (0.96.5-7) unstable; urgency=low + + * Added a "cd /etc/quagga/" to the init script as quagga tries to load + the config file first from the current working dir and then from the + config dir which could lead to confusion (thanks to Marco d'Itri). + Closes: #255078 + * Removed warning regarding problems with the Debian kernels from + README.Debian as they are no longer valid (thanks to Raphael Hertzog). + Closes: #257580 + * Added patch from Hasso Tepper that makes "terminal length 0" work + in vtysh (thanks to Matthias Wamser). Closes: #252579 + + -- Christian Hammers Thu, 8 Jul 2004 21:53:21 +0200 + +quagga (0.96.5-6) unstable; urgency=low + + * Try to load the capability module as it is needed now. + + -- Christian Hammers Tue, 8 Jun 2004 23:25:29 +0200 + +quagga (0.96.5-5) unstable; urgency=low + + * Changed the homedir of the quagga user to /etc/quagga/ to allow + admins to put ~/.ssh/authorized_keys there (thanks to Matthias Wamser). 
+ Closes: #252577 + + -- Christian Hammers Sat, 5 Jun 2004 14:47:31 +0200 + +quagga (0.96.5-4) unstable; urgency=medium + + * Fixed rules file to use the renamed ./configure option --enable-tcp-md5 + (thanks to Matthias Wamser). Closes: #252141 + + -- Christian Hammers Tue, 1 Jun 2004 22:58:32 +0200 + +quagga (0.96.5-3) unstable; urgency=low + + * Provided default binary package name to all build depends that were + virtual packages (thanks to Goswin von Brederlow). Closes: #251625 + + -- Christian Hammers Sat, 29 May 2004 22:48:53 +0200 + +quagga (0.96.5-2) unstable; urgency=low + + * New upstream version. + * New md5 patch version (thanks to Niklas Jakobsson and Hasso Tepper). + Closes: #250985 + * Fixes info file generation (thanks to Peder Chr. Norgaard). + Closes: #250992 + * Added catalan debconf translation (thanks to Aleix Badia i Bosch). + Closes: #250118 + * PATCHES: + This release contains BGP4 MD5 support which requires a kernel patch + to work. See /usr/share/doc/quagga/README.Debian.MD5. + (The patch is ht-20040525-0.96.5-bgp-md5.patch from Hasso Tepper) + + -- Christian Hammers Thu, 27 May 2004 20:09:37 +0200 + +quagga (0.96.5-1) unstable; urgency=low + + * New upstream version. + * PATCHES: + This release contains BGP4 MD5 support which also requires a kernel patch. + See /usr/share/doc/quagga/README.Debian.MD5 and search for CAN-2004-0230. + + -- Christian Hammers Sun, 16 May 2004 17:40:40 +0200 + +quagga (0.96.4x-10) unstable; urgency=low + + * SECURITY: + This release contains support for MD5 for BGP which is one suggested + prevention of the actually long known TCP SYN/RST attacks which got + much news in the last days as ideas were revealed that made them much + easier probable agains especially the BGP sessions than commonly known. + There are a lot of arguments agains the MD5 approach but some ISPs + started to require it. 
+ See: CAN-2004-0230, http://www.us-cert.gov/cas/techalerts/TA04-111A.html + * PATCHES: + This release contains the MD5 patch from Hasso Tepper. It also seems to + required a kernel patch. See /usr/share/doc/quagga/README.Debian.MD5. + + -- Christian Hammers Thu, 29 Apr 2004 01:01:38 +0200 + +quagga (0.96.4x-9) unstable; urgency=low + + * Fixed daemon loading order (thanks to Matt Kemner). + * Fixed typo in init script (thanks to Charlie Brett). Closes: #238582 + + -- Christian Hammers Sun, 4 Apr 2004 15:32:18 +0200 + +quagga (0.96.4x-8) unstable; urgency=low + + * Patched upstream source so that quagga header files end up in + /usr/include/quagga/. Closes: #233792 + + -- Christian Hammers Mon, 23 Feb 2004 01:42:53 +0100 + +quagga (0.96.4x-7) unstable; urgency=low + + * Fixed info file installation (thanks to Holger Dietze). Closes: #227579 + * Added Japanese translation (thanks to Hideki Yamane). Closes: #227812 + + -- Christian Hammers Sun, 18 Jan 2004 17:28:29 +0100 + +quagga (0.96.4x-6) unstable; urgency=low + + * Added dependency to iproute. + * Initscript now checks not only for the pid file but also for the + daemons presence (thanks to Phil Gregory). Closes: #224389 + * Added my patch to configure file permissions. + + -- Christian Hammers Mon, 15 Dec 2003 22:34:29 +0100 + +quagga (0.96.4x-5) unstable; urgency=low + + * Added patch which gives bgpd the CAP_NET_RAW capability to allow it + to bind to special IPv6 link-local interfaces (Thanks to Bastian Blank). + Closes: #222930 + * Made woody backport easier by applying Colin Watsons po-debconf hack. + Thanks to Marc Haber for suggesting it. Closes: #223527 + * Made woody backport easier by applying a patch that removes some + obscure whitespaces inside an C macro. (Thanks to Marc Haber). + Closes: #223529 + * Now uses /usr/bin/pager. Closes: #204070 + * Added note about the "official woody backports" on my homepage. 
+ + -- Christian Hammers Mon, 15 Dec 2003 20:39:06 +0100 + +quagga (0.96.4x-4) unstable; urgency=high + + * SECURITY: + Fixes another bug that was originally reported against Zebra. + . + http://rhn.redhat.com/errata/RHSA-2003-307.html + Herbert Xu reported that Zebra can accept spoofed messages sent on the + kernel netlink interface by other users on the local machine. This could + lead to a local denial of service attack. The Common Vulnerabilities and + Exposures project (cve.mitre.org) has assigned the name CAN-2003-0858 to + this issue. + + * Minor improvements to init script (thanks to Iustin Pop). + Closes: #220938 + + -- Christian Hammers Sat, 22 Nov 2003 13:27:57 +0100 + +quagga (0.96.4x-3) unstable; urgency=low + + * Changed "more" to "/usr/bin/pager" as default pager if $PAGER or + $VTYSH_PAGER is not set (thanks to Bastian Blank). Closes: #204070 + * Made the directory (but not the config/log files!) world accessible + again on user request (thanks to Anand Kumria)). Closes: #213129 + * No longer providing sample configuration in /etc/quagga/. They are + now only available in /usr/share/doc/quagga/ to avoid accidently + using them without changing the adresses (thanks to Marc Haber). + Closes: #215918 + + -- Christian Hammers Sun, 16 Nov 2003 16:59:30 +0100 + +quagga (0.96.4x-2) unstable; urgency=low + + * Fixed permission problem with pidfile (thanks to Kir Kostuchenko). + Closes: #220938 + + -- Christian Hammers Sun, 16 Nov 2003 14:24:08 +0100 + +quagga (0.96.4x-1) unstable; urgency=low + + * Reupload of 0.96.4. Last upload-in-a-hurry produced a totally + crappy .tar.gz file. Closes: #220621 + + -- Christian Hammers Fri, 14 Nov 2003 19:45:57 +0100 + +quagga (0.96.4-1) unstable; urgency=high + + * SECURITY: Remote DoS of protocol daemons. + Fix for a remote triggerable crash in vty layer. The management + ports ("telnet myrouter ospfd") should not be open to the internet! + + * New upstream version. + - OSPF bugfixes. 
+ - Some improvements for bgp and rip. + + -- Christian Hammers Thu, 13 Nov 2003 11:52:27 +0100 + +quagga (0.96.3-3) unstable; urgency=low + + * Fixed pid file generation by substituting the daemons "-d" by the + start-stop-daemon option "--background" (thanks to Micha Gaisser). + Closes: #218103 + + -- Christian Hammers Wed, 29 Oct 2003 05:17:49 +0100 + +quagga (0.96.3-2) unstable; urgency=low + + * Readded GNOME-PRODUCT-ZEBRA-MIB. + + -- Christian Hammers Thu, 23 Oct 2003 06:17:03 +0200 + +quagga (0.96.3-1) unstable; urgency=medium + + * New upstream version. + * Removed -u and -e in postrm due to problems with debhelper and userdel + (thanks to Adam Majer and Jaakko Niemi). Closes: #216770 + * Removed SNMP MIBs as they are now included in libsnmp-base (thanks to + David Engel and Peter Gervai). Closes: #216138, #216086 + * Fixed seq command in init script (thanks to Marc Haber). Closes: #215915 + * Improved /proc check (thanks to Marc Haber). Closes: #212331 + + -- Christian Hammers Thu, 23 Oct 2003 03:42:02 +0200 + +quagga (0.96.2-9) unstable; urgency=medium + + * Removed /usr/share/info/dir.* which were accidently there and prevented + the installation by dpkg (thanks to Simon Raven). Closes: #212614 + * Reworded package description (thanks to Anand Kumria). Closes: #213125 + * Added french debconf translation (thanks to Christian Perrier). + Closes: #212803 + + -- Christian Hammers Tue, 7 Oct 2003 13:26:58 +0200 + +quagga (0.96.2-8) unstable; urgency=low + + * debian/rules now checks if /proc is mounted as ./configure needs + it but just fails with an obscure error message if it is absent. + (Thanks to Norbert Tretkowski). Closes: #212331 + + -- Christian Hammers Tue, 23 Sep 2003 12:57:38 +0200 + +quagga (0.96.2-7) unstable; urgency=low + + * Last build was rejected due to a buggy dpkg-dev version. Rebuild. 
+ + -- Christian Hammers Mon, 22 Sep 2003 20:34:12 +0200 + +quagga (0.96.2-6) unstable; urgency=low + + * Fixed init script so that is is now possible to just start + the bgpd but not the zebra daemon. Also daemons are now actually + started in the order defined their priority. (Thanks to Thomas Kaehn + and Jochen Friedrich) Closes: #210924 + + -- Christian Hammers Fri, 19 Sep 2003 21:17:02 +0200 + +quagga (0.96.2-5) unstable; urgency=low + + * For using quagga as BGP route server or similar, it is not + wanted to have the zebra daemon running too. For this reason + it can now be disabled in /etc/quagga/daemons, too. + (Thanks to Jochen Friedrich). Closes: #210924 + * Attached *unapplied* patch for the ISIS protocol. I did not dare + to apply it as long as upstream does not do it but this way give + users the possibilities to use it if they like to. + (Thanks to Remco van Mook) + + -- Christian Hammers Wed, 17 Sep 2003 19:57:31 +0200 + +quagga (0.96.2-4) unstable; urgency=low + + * Enabled IPV6 router advertisement feature by default on user request + (thanks to Jochen Friedrich and Hasso Tepper). Closes: #210732 + * Updated GNU autoconf to let it build on hppa/parisc64 (thanks to + lamont). Closes: #210492 + + -- Christian Hammers Sat, 13 Sep 2003 14:11:13 +0200 + +quagga (0.96.2-3) unstable; urgency=medium + + * Removed unnecessary "-lcrypto" to avoid dependency against OpenSSL + which would require further copyright addtions. + + -- Christian Hammers Wed, 10 Sep 2003 01:37:28 +0200 + +quagga (0.96.2-2) unstable; urgency=low + + * Added note that config files of quagga are in /etc/quagga and + not /etc/zebra for the zebra users that migrate to quagga. + (Thanks to Roberto Suarez Soto for the idea) + * Fixed setgid rights in /etc/quagga. + + -- Christian Hammers Wed, 27 Aug 2003 14:05:39 +0200 + +quagga (0.96.2-1) unstable; urgency=low + + * This package has formally been known as "zebra-pj"! + * New upstream release. + Fixes "anoying OSPF problem". 
+ * Modified group ownerships so that vtysh can now be used by normal
+ uses if they are in the quaggavty group.
+
+ -- Christian Hammers Mon, 25 Aug 2003 23:40:14 +0200
+
+quagga (0.96.1-1) unstable; urgency=low
+
+ * Zebra-pj, the fork of zebra has been renamed to quagga as the original
+ upstream author asked the new project membed not to use "zebra" in the
+ name. zebra-pj is obsolete.
+
+ -- Christian Hammers Mon, 18 Aug 2003 23:37:20 +0200
+
+zebra-pj (0.94+cvs20030721-1) unstable; urgency=low
+
+ * New CVS build.
+ - OSPF changes (integration of the OSPF API?)
+ - code cleanups (for ipv6?)
+ * Tightened Build-Deps to gcc-2.95 as 3.x does not compile a stable ospfd.
+ This is a known problem and has been discussed on the mailing list.
+ No other solutions so far.
+
+ -- Christian Hammers Mon, 21 Jul 2003 23:52:00 +0200
+
+zebra-pj (0.94+cvs20030701-1) unstable; urgency=low
+
+ * Initial Release.
+
+ -- Christian Hammers Tue, 1 Jul 2003 01:58:06 +0200
--- quagga-0.99.17.orig/debian/quagga.dirs
+++ quagga-0.99.17/debian/quagga.dirs
@@ -0,0 +1,7 @@
+etc/logrotate.d/
+etc/quagga/
+usr/share/doc/quagga/
+usr/share/doc/quagga/examples/
+usr/share/lintian/overrides/
+usr/share/snmp/mibs/
+var/log/quagga/
--- quagga-0.99.17.orig/debian/quagga.config
+++ quagga-0.99.17/debian/quagga.config
@@ -0,0 +1,4 @@
+#!/bin/bash -e
+
+. /usr/share/debconf/confmodule
+
--- quagga-0.99.17.orig/debian/quagga.postrm
+++ quagga-0.99.17/debian/quagga.postrm
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+if [ -n "$DEBIAN_SCRIPT_DEBUG" ]; then set -v -x; DEBIAN_SCRIPT_TRACE=1; fi
+${DEBIAN_SCRIPT_TRACE:+ echo "#42#DEBUG# RUNNING $0 $*"}
+# set -u not because of debhelper
+
+if [ "$1" = "purge" ]; then
+ rm -rf /etc/quagga /var/run/quagga /var/log/quagga
+ userdel quagga >/dev/null 2>&1 || true
+fi
+
+#DEBHELPER#
--- quagga-0.99.17.orig/debian/compat
+++ quagga-0.99.17/debian/compat
@@ -0,0 +1 @@
+5
--- quagga-0.99.17.orig/debian/quagga.templates
+++ quagga-0.99.17/debian/quagga.templates
@@ -0,0 +1,6 @@
+Template: quagga/really_stop
+Type: boolean
+Default: false
+_Description: Do you really want to stop the Quagga daemon?
+ WARNING: The Quagga routing daemon has to be stopped to proceed. This
+ could lead to BGP flaps or loss of network connectivity.
--- quagga-0.99.17.orig/debian/quagga.preinst
+++ quagga-0.99.17/debian/quagga.preinst
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+if [ -n "$DEBIAN_SCRIPT_DEBUG" ]; then set -v -x; DEBIAN_SCRIPT_TRACE=1; fi
+${DEBIAN_SCRIPT_TRACE:+ echo "#42#DEBUG# RUNNING $0 $*"}
+set -e
+set -u
+
+# creating quaggavty group if it isn't already there
+if ! getent group quaggavty >/dev/null; then
+ addgroup --system quaggavty >/dev/null
+fi
+
+# creating quagga group if it isn't already there
+if ! getent group quagga >/dev/null; then
+ addgroup --system quagga >/dev/null
+fi
+
+# creating quagga user if he isn't already there
+if ! getent passwd quagga >/dev/null; then
+ adduser \
+ --system \
+ --ingroup quagga \
+ --home /var/run/quagga/ \
+ --gecos "Quagga routing suite" \
+ --shell /bin/false \
+ quagga >/dev/null
+fi
+
+# Do not change permissions when upgrading as it would violate policy.
+if [ "$1" = "install" ]; then
+ # Logfiles are group readable in case users were put into the quagga group.
+ d=/var/log/quagga/
+ mkdir -p $d
+ chown -R quagga:quagga $d
+ chmod u=rwx,go=rx $d
+ find $d -type f -print0 | xargs -0 --no-run-if-empty chmod u=rw,g=r,o=
+
+ # Strict permissions for the sockets.
+ d=/var/run/quagga/
+ mkdir -p $d
+ chown -R quagga:quagga $d
+ chmod u=rwx,go=rx $d
+ find $d -type f -print0 | xargs -0 --no-run-if-empty chmod u=rw,go=
+
+ # Config files. Vtysh does not have access to the individual daemons config file
+ d=/etc/quagga/
+ mkdir -p $d
+ chown quagga:quaggavty $d
+ chmod ug=rwx,o=rx $d
+ find $d -type f -print0 | xargs -0 --no-run-if-empty chown quagga:quagga
+ find $d -type f -print0 | xargs -0 --no-run-if-empty chmod u=rw,g=r,o=
+
+ # Exceptions for vtysh.
+ f=$d/vtysh.conf
+ if [ -f $f ]; then
+ chown quagga:quaggavty $f
+ chmod u=rw,g=r,o= $f
+ fi
+
+ # Exceptions for vtysh.
+ f=$d/Quagga.conf
+ if [ -f $d/Zebra.conf ]; then
+ mv $d/Zebra.conf $f
+ fi
+ if [ -f $f ]; then
+ chown quagga:quaggavty $f
+ chmod u=rw,g=r,o= $f
+ fi
+fi
+
+# No -q so that the filename is displayed. But on stderr due to debhelper.
+if grep ^smux /etc/quagga/*.conf >&2 2>/dev/null; then
+ echo "The currently used smux options will no longer work so remove them!" >&2
+ echo "See /usr/share/doc/quagga/README.Debian for more information." >&2
+ exit 1
+fi
+
+#DEBHELPER#
--- quagga-0.99.17.orig/debian/quagga.files
+++ quagga-0.99.17/debian/quagga.files
@@ -0,0 +1,16 @@
+etc/quagga/
+usr/bin/vtysh
+usr/include/quagga/
+usr/lib/
+usr/share/doc/quagga/
+usr/share/lintian/overrides/
+usr/share/man/man1/vtysh.1
+usr/share/man/man8
+usr/share/man/man8/bgpd.8
+usr/share/man/man8/ospf6d.8
+usr/share/man/man8/ospfd.8
+usr/share/man/man8/ripd.8
+usr/share/man/man8/ripngd.8
+usr/share/man/man8/zebra.8
+usr/share/man/man8/isisd.8
+usr/share/snmp/mibs/
--- quagga-0.99.17.orig/debian/README.Debian.MD5
+++ quagga-0.99.17/debian/README.Debian.MD5
@@ -0,0 +1,3 @@
+As of Quagga-0.99.11 the TCP MD5 Signature support of the linux kernel
+is used. This requires the Debian package linux-image-2.6.26-* or newer.
+Self compiled kernels must have CONFIG_TCP_MD5SIG enabled.
--- quagga-0.99.17.orig/debian/README.Maintainer
+++ quagga-0.99.17/debian/README.Maintainer
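Review bot: The block under `# Strict permissions for the sockets.` in debian/quagga.preinst never touches a socket, because `find $d -type f` matches regular files only and /var/run/quagga/ itself is left at `u=rwx,go=rx`. debian/quagga.pam in this same patch lets PAM accept every caller, so the vty socket's mode and the quaggavty group are the only access control in front of vtysh, and this comment should say where that mode is really set. I would reword it to something like `# Only regular files (e.g. pidfiles) are tightened here; the vty sockets get their mode from the daemons.`, assuming the daemons do set it, which this patch does not show. The `$d` and `$f` expansions in the same block are unquoted; that is harmless for these fixed paths but worth quoting for consistency.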
@@ -0,0 +1,29 @@ +# +# Apply patches +# +for i in debian/patches/*.dpatch; do echo -e "#\n# $i\n#"; patch --fuzz=3 --dry-run -p1 < $i; done + +# +# Update GNU autoconf stuff (>= libtool 1.4) according to #176829 +# (Probably no longer neccessary as ltmain is up to date) +# +# libtoolize --force --copy +# ACLOCAL=aclocal-1.8 AUTOMAKE=automake-1.8 autoreconf2.50 + +# +# Filename transition from zebra to quagga +# + +Files that keep their names + /usr/bin/vtysh + +Files that got an -pj suffix + /etc/default/zebra -> /etc/quagga/debian.conf + /etc/init.d/zebra -> /etc/init.d/quagga + /etc/zebra/ -> /etc/quagga/ + /usr/share/doc/zebra/ -> /usr/share/doc/quagga/ + /var/log/zebra/ -> /var/log/quagga/ + /var/run/ -> /var/run/quagga/ + +Files that were moved + /usr/sbin/* -> /usr/lib/quagga/ --- quagga-0.99.17.orig/debian/README.Debian +++ quagga-0.99.17/debian/README.Debian 
@@ -0,0 +1,109 @@ +* SAFETY MEASURES: +================== + +Please consider setting this package "on hold" by typing + echo "quagga hold" | dpkg --set-selections +and verifying this using + dpkg --get-selections | grep 'hold$' + +Setting a package "on hold" means that it will not automatically be upgraded. +Instead apt-get only displays a warning saying that a new version would be +available forcing you to explicitly type "apt-get install quagga" to upgrade it. + + +* What is quagga? +================= + +http://www.quagga.net/ +> Quagga is a routing software suite, providing implementations of OSPFv2, +> OSPFv3, RIP v1 and v2, RIPv3 and BGPv4 for Unix platforms, particularly +> FreeBSD and Linux and also NetBSD, to mention a few. Quagga is a fork of GNU +> Zebra which was developed by Kunihiro Ishiguro. Development of GNU Zebra +> slowed dramatically to the point where eventually GNU Zebra was forked into +> Quagga. + +> The Quagga tree is an attempt to provide a zebra tree with at least the +> bug-fixes, which have accumulated, applied, while tracking any significant +> changes made to the zebra.org tree. Ultimately, this tree hopes to revitalise +> development of this code base. + +I packaged zebra-pj which was then renamed to quagga to get people used to it +and offer Debian users the choice which versions they like to use. I hope this +brings quagga some feedback and helps it evolving to a good successor of the +orphaned zebra. + + -- Christian Hammers , Jul/Aug 2003 + + +* Why has SNMP support been disabled? +===================================== +Quagga used to link against the NetSNMP libraries to provide SNMP +support. Those libraries sadly link against the OpenSSL libraries +to provide crypto support for SNMPv3 among others. +OpenSSL now is not compatible with the GNU GENERAL PUBLIC LICENSE (GPL) +licence that Quagga is distributed under. 
For more explanation read: + http://www.gnome.org/~markmc/openssl-and-the-gpl.html + http://www.gnu.org/licenses/gpl-faq.html#GPLIncompatibleLibs +Updating the licence to explecitly allow linking against OpenSSL +would requite the affirmation of all people that ever contributed +a significant part to Zebra or Quagga and thus are the collective +"copyright holder". That's too much work. Using a shrinked down +version of NetSNMP without OpenSSL or convincing the NetSNMP people +to change to GnuTLS are maybe good solutions but not reachable +during the last days before the Sarge release :-( + + *BUT* + +It is allowed by the used licence mix that you fetch the sources and +build Quagga yourself with SNMP with + + # export WANT_SNMP=1 + # apt-get -b source quagga +Just distributing it in binary form, linked against OpenSSL, is forbidden. + + +* Daemon selection: +=================== + +The Debian package uses /etc/quagga/daemons to tell the +initscript which daemons to start. It's in the format += +with no spaces (it's simply source-d into the initscript). +Default is not to start anything, since it can hose your +system's routing table if not set up properly. + +Priorities were suggested by Dancer . +They're used to start the Quagga daemons in more than one step +(for example start one or two at network initialization and the +rest later). The number of Quagga daemons being small, priorities +must be between 1 and 9, inclusive (or the initscript has to be +changed). /etc/init.d/quagga then can be started as + +/etc/init.d/quagga > + +where priority 0 is the same as 'stop', priority 10 or 'start' +means 'start all' + + +* Error message "privs_init: initial cap_set_proc failed": +========================================================== + +This error message means that "capability support" has to be built +into the kernel. 
+
+
+* Error message "netlink-listen: overrun: No buffer space available":
+=====================================================================
+
+If this message occurs the receive buffer should be increased by adding the
+following to /etc/sysctl.conf and "--nl-bufsize" to /etc/quagga/debian.conf.
+> net.core.rmem_default = 262144
+> net.core.rmem_max = 262144
+See message #4525 from 2005-05-09 in the quagga-users mailing list.
+
+
+* vtysh immediately exists:
+===========================
+
+Check /etc/pam.d/quagga, it probably denies access to your user. The passwords
+configured in /etc/quagga/Quagga.conf are only for telnet access.
--- quagga-0.99.17.orig/debian/quagga.pam
+++ quagga-0.99.17/debian/quagga.pam
@@ -0,0 +1,3 @@
+# Any user may call vtysh but only those belonging to the group quaggavty can
+# actually connect to the socket and use the program.
+auth sufficient pam_permit.so
--- quagga-0.99.17.orig/debian/quagga.logrotate
+++ quagga-0.99.17/debian/quagga.logrotate
@@ -0,0 +1,17 @@
+/var/log/quagga/*.log {
+ daily
+ sharedscripts
+ missingok
+ compress
+ rotate 14
+ create 640 quagga quaggavty
+
+ postrotate
+ for i in zebra bgpd ripd ospfd ripngd ospf6d isisd; do
+ if [ -e /var/run/quagga/$i.pid ] ; then
+ kill -USR1 `cat /var/run/quagga/$i.pid`
+ fi
+
+ done
+ endscript
+}
--- quagga-0.99.17.orig/debian/po/templates.pot
+++ quagga-0.99.17/debian/po/templates.pot
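Review bot: The comment in debian/quagga.pam should state outright that `auth sufficient pam_permit.so` performs no authentication, so the PAM step succeeds for every local user and the vty socket's group and mode are the only gate. I would add a line such as `# No authentication happens here: keep the vty socket group-restricted and treat quaggavty membership as privileged.` The "vtysh immediately exists" section of README.Debian in this same patch still says this file "probably denies access to your user", which does not match this default and will mislead an admin debugging access.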
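Review bot: The postrotate script in debian/quagga.logrotate signals whatever PID it reads from `/var/run/quagga/$i.pid`, and the `-e` test does not check that the PID still belongs to the daemon. logrotate normally runs this as root, while debian/quagga.preinst in this patch gives that directory to the unprivileged quagga user with `chown -R quagga:quagga`, so a stale pidfile, or one rewritten by that account, gets SIGUSR1 delivered to an unrelated process. Letting start-stop-daemon verify the executable before signalling closes this: `start-stop-daemon --stop --signal USR1 --quiet --oknodo --pidfile /var/run/quagga/$i.pid --exec /usr/lib/quagga/$i`.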
@@ -0,0 +1,31 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR , YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: ch@debian.org\n"
+"POT-Creation-Date: 2006-07-15 20:31+0200\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME \n"
+"Language-Team: LANGUAGE \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../quagga.templates:1001
+msgid "Do you really want to stop the Quagga daemon?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../quagga.templates:1001
+msgid ""
+"WARNING: The Quagga routing daemon has to be stopped to proceed. This could "
+"lead to BGP flaps or loss of network connectivity."
+msgstr ""
--- quagga-0.99.17.orig/debian/po/fr.po
+++ quagga-0.99.17/debian/po/fr.po
@@ -0,0 +1,42 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +msgid "" +msgstr "" +"Project-Id-Version: quagga 0.99.1-3\n" +"Report-Msgid-Bugs-To: ch@debian.org\n" +"POT-Creation-Date: 2006-07-15 20:31+0200\n" +"PO-Revision-Date: 2005-07-21 10:52+0200\n" +"Last-Translator: Mohammed Adnène Trojette\n" +"Language-Team: French \n" +"Language: fr\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=iso-8859-15\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../quagga.templates:1001 +msgid "Do you really want to stop the Quagga daemon?" +msgstr "Faut-il vraiment arrêter le démon Quagga ?" + +#. Type: boolean +#. Description +#: ../quagga.templates:1001 +msgid "" +"WARNING: The Quagga routing daemon has to be stopped to proceed. This could " +"lead to BGP flaps or loss of network connectivity." +msgstr "" +"Veuillez noter que le démon de routage Quagga doit être arrêté avant de " +"poursuivre cette installation. Cela peut provoquer des incohérences BGP ou " +"des pertes de connectivité." --- quagga-0.99.17.orig/debian/po/sv.po +++ quagga-0.99.17/debian/po/sv.po 
@@ -0,0 +1,40 @@
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+# Developers do not need to manually edit POT or PO files.
+# , fuzzy
+#
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: quagga 0.99.1-6\n"
+"Report-Msgid-Bugs-To: ch@debian.org\n"
+"POT-Creation-Date: 2006-07-15 20:31+0200\n"
+"PO-Revision-Date: 2005-10-04 06:56+0200\n"
+"Last-Translator: Daniel Nylander \n"
+"Language-Team: Swedish \n"
+"Language: sv\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=iso-8859-1\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../quagga.templates:1001
+msgid "Do you really want to stop the Quagga daemon?"
+msgstr "Vill du stoppa Quagga-daemonen?"
+
+#. Type: boolean
+#. Description
+#: ../quagga.templates:1001
+msgid ""
+"WARNING: The Quagga routing daemon has to be stopped to proceed. This could "
+"lead to BGP flaps or loss of network connectivity."
+msgstr ""
+"VARNING: routingdaemonen Quagga måste stoppas för att fortsätta. Detta kan "
+"leda till BGP-flaps eller att nätverksförbindelsen avbryts."
--- quagga-0.99.17.orig/debian/po/POTFILES.in
+++ quagga-0.99.17/debian/po/POTFILES.in
@@ -0,0 +1 @@
+[type: gettext/rfc822deb] quagga.templates
--- quagga-0.99.17.orig/debian/po/de.po
+++ quagga-0.99.17/debian/po/de.po
@@ -0,0 +1,34 @@
+# translation of po-debconf template to German
+# Copyright (C) 2007, Matthias Julius
+# This file is distributed under the same license as the quagga package.
+#
+# Matthias Julius , 2007.
+msgid ""
+msgstr ""
+"Project-Id-Version: quagga 0.99.6-2\n"
+"Report-Msgid-Bugs-To: ch@debian.org\n"
+"POT-Creation-Date: 2006-07-15 20:31+0200\n"
+"PO-Revision-Date: 2007-02-01 19:32-0500\n"
+"Last-Translator: Matthias Julius \n"
+"Language-Team: German \n"
+"Language: de\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: KBabel 1.11.4\n"
+
+#. Type: boolean
+#. Description
+#: ../quagga.templates:1001
+msgid "Do you really want to stop the Quagga daemon?"
+msgstr "Möchten Sie den Quagga-Daemon wirklich beenden?"
+
+#. Type: boolean
+#. Description
+#: ../quagga.templates:1001
+msgid ""
+"WARNING: The Quagga routing daemon has to be stopped to proceed. This could "
+"lead to BGP flaps or loss of network connectivity."
+msgstr ""
+"Warnung: Um fortzufahren muss der Quagga-Routing-Daemon beendet werden. Dies "
+"könnte zu BGP-Flaps oder Verlust der Netzwerkverbindung führen."
--- quagga-0.99.17.orig/debian/po/es.po
+++ quagga-0.99.17/debian/po/es.po
@@ -0,0 +1,57 @@
+# quagga translation to spanish
+# Copyright (C) 2004 Software in the Public Interest
+# This file is distributed under the same license as the quagga package.
+#
+# Changes:
+# - Initial translation
+# Carlos Galisteo de Cabo , 2007
+#
+#
+# Traductores, si no conoce el formato PO, merece la pena leer la
+# documentación de gettext, especialmente las secciones dedicadas a este
+# formato, por ejemplo ejecutando:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Equipo de traducción al español, por favor lean antes de traducir
+# los siguientes documentos:
+#
+# - El proyecto de traducción de Debian al español
+# http://www.debian.org/intl/spanish/coordinacion
+# especialmente las notas de traducción en
+# http://www.debian.org/intl/spanish/notas
+#
+# - La guía de traducción de po's de debconf:
+# /usr/share/doc/po-debconf/README-trans
+# o http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: quagga_0.99.7-2\n"
+"Report-Msgid-Bugs-To: ch@debian.org\n"
+"POT-Creation-Date: 2006-07-15 20:31+0200\n"
+"PO-Revision-Date: 2007-05-08 12:39+0200\n"
+"Last-Translator: Carlos Galisteo \n"
+"Language-Team: \n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-15\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: KBabel 1.11.4\n"
+
+#. Type: boolean
+#. Description
+#: ../quagga.templates:1001
+msgid "Do you really want to stop the Quagga daemon?"
+msgstr "¿Está seguro de que quiere detener el servicio «Quagga»?"
+
+#. Type: boolean
+#. Description
+#: ../quagga.templates:1001
+msgid ""
+"WARNING: The Quagga routing daemon has to be stopped to proceed. This could "
+"lead to BGP flaps or loss of network connectivity."
+msgstr ""
+"ADVERTENCIA: Debe detenerse el servicio de encaminamiento «Quagga» para "
+"continuar. Ésto podría provocar intermitencias en BGP o pérdidas de "
+"conectividad."
--- quagga-0.99.17.orig/debian/po/ru.po +++ quagga-0.99.17/debian/po/ru.po @@ -0,0 +1,37 @@ +# translation of ru.po to Russian +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# +# Yuri Kozlov , 2009. +msgid "" +msgstr "" +"Project-Id-Version: quagga 0.99.13-1\n" +"Report-Msgid-Bugs-To: ch@debian.org\n" +"POT-Creation-Date: 2006-07-15 20:31+0200\n" +"PO-Revision-Date: 2009-07-19 09:04+0400\n" +"Last-Translator: Yuri Kozlov \n" +"Language-Team: Russian \n" +"Language: ru\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#. Type: boolean +#. Description +#: ../quagga.templates:1001 +msgid "Do you really want to stop the Quagga daemon?" +msgstr "ДейÑтвительно оÑтановить Ñлужбу Quagga?" + +#. Type: boolean +#. Description +#: ../quagga.templates:1001 +msgid "" +"WARNING: The Quagga routing daemon has to be stopped to proceed. This could " +"lead to BGP flaps or loss of network connectivity." +msgstr "" +"ПРЕДУПРЕЖДЕÐИЕ: Ð”Ð»Ñ Ð¿Ñ€Ð¾Ð´Ð¾Ð»Ð¶ÐµÐ½Ð¸Ñ Ñ€Ð°Ð±Ð¾Ñ‚Ñ‹ Ñлужба маршрутизации Quagga должна " +"быть оÑтановлена. Это может привеÑти к переÑтройке таблиц BGP или потере " +"ÑвÑзноÑти узлов Ñети." --- quagga-0.99.17.orig/debian/po/nl.po +++ quagga-0.99.17/debian/po/nl.po 
@@ -0,0 +1,35 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR , YEAR.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: quagga\n"
+"Report-Msgid-Bugs-To: ch@debian.org\n"
+"POT-Creation-Date: 2006-07-15 20:31+0200\n"
+"PO-Revision-Date: 2007-03-15 18:49+0100\n"
+"Last-Translator: Bart Cornelis \n"
+"Language-Team: debian-l10n-dutch \n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=utf-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Poedit-Language: Dutch\n"
+
+#. Type: boolean
+#. Description
+#: ../quagga.templates:1001
+msgid "Do you really want to stop the Quagga daemon?"
+msgstr "Bent u zeker dat u de Quagga-achtergronddienst wilt stoppen?"
+
+#. Type: boolean
+#. Description
+#: ../quagga.templates:1001
+msgid ""
+"WARNING: The Quagga routing daemon has to be stopped to proceed. This could "
+"lead to BGP flaps or loss of network connectivity."
+msgstr ""
+"WAARSCHUWING: De Quagga 'routing'-achtergronddienst dient stopgezet te "
+"worden voor u verder gaat. Dit kan BGP-flaps en verliezen van "
+"netwerkverbinding veroorzaken."
--- quagga-0.99.17.orig/debian/po/pt.po
+++ quagga-0.99.17/debian/po/pt.po
@@ -0,0 +1,34 @@
+# Portuguese translations for quagga package.
+# Copyright (C) 2007 Miguel Figueiredo
+# This file is distributed under the same license as the quagga package.
+# Miguel Figueiredo , 2007.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: quagga 0.99.6-6\n"
+"Report-Msgid-Bugs-To: ch@debian.org\n"
+"POT-Creation-Date: 2006-07-15 20:31+0200\n"
+"PO-Revision-Date: 2007-04-26 23:07+0100\n"
+"Last-Translator: Miguel Figueiredo \n"
+"Language-Team: Portuguese \n"
+"Language: pt\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#. Type: boolean
+#. Description
+#: ../quagga.templates:1001
+msgid "Do you really want to stop the Quagga daemon?"
+msgstr "Deseja mesmo parar o daemon Quagga?"
+
+#. Type: boolean
+#. Description
+#: ../quagga.templates:1001
+msgid ""
+"WARNING: The Quagga routing daemon has to be stopped to proceed. This could "
+"lead to BGP flaps or loss of network connectivity."
+msgstr ""
+"AVISO: O daemon de routing tem de ser parado para continuar. Isto pode levar "
+"a distúrbio do BGP ou perda da ligação de rede."
--- quagga-0.99.17.orig/debian/po/ja.po
+++ quagga-0.99.17/debian/po/ja.po
@@ -0,0 +1,32 @@ +# Copyright (C) 2008 Christian Hammers +# This file is distributed under the same license as quagga package. +# Hideki Yamane (Debian-JP) , 2008. +# +msgid "" +msgstr "" +"Project-Id-Version: quagga 0.99.11-1\n" +"Report-Msgid-Bugs-To: ch@debian.org\n" +"POT-Creation-Date: 2006-07-15 20:31+0200\n" +"PO-Revision-Date: 2008-12-28 22:26+0900\n" +"Last-Translator: Hideki Yamane (Debian-JP) \n" +"Language-Team: Japanese \n" +"Language: ja\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../quagga.templates:1001 +msgid "Do you really want to stop the Quagga daemon?" +msgstr "Quagga デーモンを本当ã«åœæ­¢ã—ã¾ã™ã‹?" + +#. Type: boolean +#. Description +#: ../quagga.templates:1001 +msgid "" +"WARNING: The Quagga routing daemon has to be stopped to proceed. This could " +"lead to BGP flaps or loss of network connectivity." +msgstr "" +"警告: Quagga ルーティングデーモンã®åœæ­¢ãŒå®Ÿæ–½ã•ã‚Œã¾ã—ãŸã€‚ã“ã‚Œã«ã‚ˆã£ã¦ BGP " +"ルートフラップã®ç™ºç”Ÿã‚„ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯æŽ¥ç¶šã®åˆ‡æ–­ãŒèµ·ã“ã•ã‚Œã‚‹å¯èƒ½æ€§ãŒã‚ã‚Šã¾ã™ã€‚" --- quagga-0.99.17.orig/debian/po/cs.po +++ quagga-0.99.17/debian/po/cs.po 
@@ -0,0 +1,41 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +msgid "" +msgstr "" +"Project-Id-Version: quagga\n" +"Report-Msgid-Bugs-To: ch@debian.org\n" +"POT-Creation-Date: 2006-07-15 20:31+0200\n" +"PO-Revision-Date: 2005-07-13 18:52+0200\n" +"Last-Translator: Miroslav Kure \n" +"Language-Team: Czech \n" +"Language: cs\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../quagga.templates:1001 +msgid "Do you really want to stop the Quagga daemon?" +msgstr "Opravdu chcete zastavit daemon Quagga?" + +#. Type: boolean +#. Description +#: ../quagga.templates:1001 +msgid "" +"WARNING: The Quagga routing daemon has to be stopped to proceed. This could " +"lead to BGP flaps or loss of network connectivity." +msgstr "" +"VAROVÃNÃ: Abyste mohli pokraÄovat, musí se smÄ›rovací daemon Quagga " +"pozastavit. To může vést ke zpanikaÅ™ení BGP nebo ke ztrátÄ› konektivity." --- quagga-0.99.17.orig/debian/patches/99_CVE-2011-3325.dpatch +++ quagga-0.99.17/debian/patches/99_CVE-2011-3325.dpatch 
@@ -0,0 +1,94 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +# Description: fix denial of service via crafted Hello packet +# Origin: Debian (0.99.17-2+squeeze3) quagga update + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' quagga-0.99.17~/ospfd/ospf_packet.c quagga-0.99.17/ospfd/ospf_packet.c +--- quagga-0.99.17~/ospfd/ospf_packet.c 2010-08-19 05:32:24.000000000 -0400 ++++ quagga-0.99.17/ospfd/ospf_packet.c 2011-10-07 10:01:32.134409295 -0400 +@@ -2258,6 +2258,13 @@ + return -1; + } + ++ /* Valid OSPFv2 packet types are 1 through 5 inclusive. */ ++ if (ospfh->type < 1 || ospfh->type > 5) ++ { ++ zlog_warn ("interface %s: invalid packet type %u", IF_NAME (oi), ospfh->type); ++ return -1; ++ } ++ + /* Check Area ID. */ + if (!ospf_check_area_id (oi, ospfh)) + { +@@ -2367,15 +2374,29 @@ + return 0; + } + +- /* Adjust size to message length. */ ++ /* Advance from IP header to OSPF header (iph->ip_hl has been verified ++ by ospf_recv_packet() to be correct). */ + stream_forward_getp (ibuf, iph->ip_hl * 4); +- +- /* Get ospf packet header. */ ++ ++ /* Make sure the OSPF header is really there. */ ++ if (stream_get_endp (ibuf) - stream_get_getp (ibuf) < OSPF_HEADER_SIZE) ++ { ++ zlog_debug ("ospf_read: ignored OSPF packet with undersized (%u bytes) header", ++ stream_get_endp (ibuf) - stream_get_getp (ibuf)); ++ return -1; ++ } ++ ++ /* Now it is safe to access all fields of OSPF packet header. */ + ospfh = (struct ospf_header *) STREAM_PNT (ibuf); + + /* associate packet with ospf interface */ + oi = ospf_if_lookup_recv_if (ospf, iph->ip_src, ifp); + ++ /* ospf_verify_header() relies on a valid "oi" and thus can be called only ++ after the passive/backbone/other checks below are passed. These checks ++ in turn access the fields of unverified "ospfh" structure for their own ++ purposes and must remain very accurate in doing this. 
*/ ++ + /* If incoming interface is passive one, ignore it. */ + if (oi && OSPF_IF_PASSIVE_STATUS (oi) == OSPF_IF_PASSIVE) + { +@@ -2466,6 +2487,17 @@ + return 0; + } + ++ /* Verify more OSPF header fields. */ ++ ret = ospf_verify_header (ibuf, oi, iph, ospfh); ++ if (ret < 0) ++ { ++ if (IS_DEBUG_OSPF_PACKET (0, RECV)) ++ zlog_debug ("ospf_read[%s]: Header check failed, " ++ "dropping.", ++ inet_ntoa (iph->ip_src)); ++ return ret; ++ } ++ + /* Show debug receiving packet. */ + if (IS_DEBUG_OSPF_PACKET (ospfh->type - 1, RECV)) + { +@@ -2485,20 +2517,6 @@ + zlog_debug ("-----------------------------------------------------"); + } + +- /* Some header verification. */ +- ret = ospf_verify_header (ibuf, oi, iph, ospfh); +- if (ret < 0) +- { +- if (IS_DEBUG_OSPF_PACKET (ospfh->type - 1, RECV)) +- { +- zlog_debug ("ospf_read[%s/%s]: Header check failed, " +- "dropping.", +- ospf_packet_type_str[ospfh->type], +- inet_ntoa (iph->ip_src)); +- } +- return ret; +- } +- + stream_forward_getp (ibuf, OSPF_HEADER_SIZE); + + /* Adjust size to message length. */ --- quagga-0.99.17.orig/debian/patches/99_CVE-2011-3323.dpatch +++ quagga-0.99.17/debian/patches/99_CVE-2011-3323.dpatch 
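Review bot: The undersized-header branch added to ospf_read calls `zlog_debug` without the `IS_DEBUG_OSPF_PACKET` guard that the other messages in this patch use, and it prints `stream_get_endp (ibuf) - stream_get_getp (ibuf)` with `%u`; if those accessors return `size_t` (their declarations are not part of this patch) the argument does not match the format on LP64 targets. I would put `if (IS_DEBUG_OSPF_PACKET (0, RECV))` in front of the call and print the difference as `(unsigned long)` with `%lu`. The `zlog_warn` for an invalid packet type in the first inner hunk (apparently ospf_verify_header) is likewise emitted for every malformed packet a neighbour on the segment sends, so a guard or a short comment on the log-volume exposure would help. Both functions continue outside the hunks shown.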
@@ -0,0 +1,806 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +# Description: fix arbitrary code execution via malformed Inter Area Prefix LSA +# Origin: Debian (0.99.17-2+squeeze3) quagga update, plus extra include + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' quagga-0.99.17~/ospf6d/ospf6_abr.h quagga-0.99.17/ospf6d/ospf6_abr.h +--- quagga-0.99.17~/ospf6d/ospf6_abr.h 2010-08-19 05:32:24.000000000 -0400 ++++ quagga-0.99.17/ospf6d/ospf6_abr.h 2011-10-07 09:59:31.922406214 -0400 +@@ -22,6 +22,9 @@ + #ifndef OSPF6_ABR_H + #define OSPF6_ABR_H + ++/* for struct ospf6_route */ ++#include "ospf6_route.h" ++ + /* Debug option */ + extern unsigned char conf_debug_ospf6_abr; + #define OSPF6_DEBUG_ABR_ON() \ +@@ -32,6 +32,7 @@ + (conf_debug_ospf6_abr) + + /* Inter-Area-Prefix-LSA */ ++#define OSPF6_INTER_PREFIX_LSA_MIN_SIZE 4U /* w/o IPv6 prefix */ + struct ospf6_inter_prefix_lsa + { + u_int32_t metric; +@@ -39,6 +40,7 @@ + }; + + /* Inter-Area-Router-LSA */ ++#define OSPF6_INTER_ROUTER_LSA_FIX_SIZE 12U + struct ospf6_inter_router_lsa + { + u_char mbz; +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' quagga-0.99.17~/ospf6d/ospf6_asbr.h quagga-0.99.17/ospf6d/ospf6_asbr.h +--- quagga-0.99.17~/ospf6d/ospf6_asbr.h 2010-08-19 05:32:24.000000000 -0400 ++++ quagga-0.99.17/ospf6d/ospf6_asbr.h 2011-10-07 09:59:31.922406214 -0400 +@@ -44,6 +44,7 @@ + }; + + /* AS-External-LSA */ ++#define OSPF6_AS_EXTERNAL_LSA_MIN_SIZE 4U /* w/o IPv6 prefix */ + struct ospf6_as_external_lsa + { + u_int32_t bits_metric; +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' quagga-0.99.17~/ospf6d/ospf6_intra.h quagga-0.99.17/ospf6d/ospf6_intra.h +--- quagga-0.99.17~/ospf6d/ospf6_intra.h 2010-08-19 05:32:24.000000000 -0400 ++++ 
quagga-0.99.17/ospf6d/ospf6_intra.h 2011-10-07 09:59:31.922406214 -0400 +@@ -69,6 +69,7 @@ + conf_debug_ospf6_brouter_specific_area_id == (area_id)) + + /* Router-LSA */ ++#define OSPF6_ROUTER_LSA_MIN_SIZE 4U + struct ospf6_router_lsa + { + u_char bits; +@@ -77,6 +78,7 @@ + }; + + /* Link State Description in Router-LSA */ ++#define OSPF6_ROUTER_LSDESC_FIX_SIZE 16U + struct ospf6_router_lsdesc + { + u_char type; +@@ -105,6 +107,7 @@ + (((struct ospf6_router_lsdesc *)(x))->neighbor_router_id) + + /* Network-LSA */ ++#define OSPF6_NETWORK_LSA_MIN_SIZE 4U + struct ospf6_network_lsa + { + u_char reserved; +@@ -113,6 +116,7 @@ + }; + + /* Link State Description in Router-LSA */ ++#define OSPF6_NETWORK_LSDESC_FIX_SIZE 4U + struct ospf6_network_lsdesc + { + u_int32_t router_id; +@@ -121,6 +125,7 @@ + (((struct ospf6_network_lsdesc *)(x))->router_id) + + /* Link-LSA */ ++#define OSPF6_LINK_LSA_MIN_SIZE 24U /* w/o 1st IPv6 prefix */ + struct ospf6_link_lsa + { + u_char priority; +@@ -131,6 +136,7 @@ + }; + + /* Intra-Area-Prefix-LSA */ ++#define OSPF6_INTRA_PREFIX_LSA_MIN_SIZE 12U /* w/o 1st IPv6 prefix */ + struct ospf6_intra_prefix_lsa + { + u_int16_t prefix_num; +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' quagga-0.99.17~/ospf6d/ospf6_lsa.h quagga-0.99.17/ospf6d/ospf6_lsa.h +--- quagga-0.99.17~/ospf6d/ospf6_lsa.h 2010-08-19 05:32:24.000000000 -0400 ++++ quagga-0.99.17/ospf6d/ospf6_lsa.h 2011-10-07 09:59:31.922406214 -0400 +@@ -79,6 +79,7 @@ + (ntohs (type) & OSPF6_LSTYPE_SCOPE_MASK) + + /* LSA Header */ ++#define OSPF6_LSA_HEADER_SIZE 20U + struct ospf6_lsa_header + { + u_int16_t age; /* LS age */ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' quagga-0.99.17~/ospf6d/ospf6_message.c quagga-0.99.17/ospf6d/ospf6_message.c +--- quagga-0.99.17~/ospf6d/ospf6_message.c 2010-08-19 05:32:24.000000000 -0400 
++++ quagga-0.99.17/ospf6d/ospf6_message.c 2011-10-07 09:59:31.926406216 -0400 +@@ -39,6 +39,11 @@ + #include "ospf6_neighbor.h" + #include "ospf6_interface.h" + ++/* for structures and macros ospf6_lsa_examin() needs */ ++#include "ospf6_abr.h" ++#include "ospf6_asbr.h" ++#include "ospf6_intra.h" ++ + #include "ospf6_flood.h" + #include "ospf6d.h" + +@@ -46,6 +51,34 @@ + const char *ospf6_message_type_str[] = + { "Unknown", "Hello", "DbDesc", "LSReq", "LSUpdate", "LSAck" }; + ++/* Minimum (besides the standard OSPF packet header) lengths for OSPF ++ packets of particular types, offset is the "type" field. */ ++const u_int16_t ospf6_packet_minlen[OSPF6_MESSAGE_TYPE_ALL] = ++{ ++ 0, ++ OSPF6_HELLO_MIN_SIZE, ++ OSPF6_DB_DESC_MIN_SIZE, ++ OSPF6_LS_REQ_MIN_SIZE, ++ OSPF6_LS_UPD_MIN_SIZE, ++ OSPF6_LS_ACK_MIN_SIZE ++}; ++ ++/* Minimum (besides the standard LSA header) lengths for LSAs of particular ++ types, offset is the "LSA function code" portion of "LSA type" field. */ ++const u_int16_t ospf6_lsa_minlen[OSPF6_LSTYPE_SIZE] = ++{ ++ 0, ++ /* 0x2001 */ OSPF6_ROUTER_LSA_MIN_SIZE, ++ /* 0x2002 */ OSPF6_NETWORK_LSA_MIN_SIZE, ++ /* 0x2003 */ OSPF6_INTER_PREFIX_LSA_MIN_SIZE, ++ /* 0x2004 */ OSPF6_INTER_ROUTER_LSA_FIX_SIZE, ++ /* 0x4005 */ OSPF6_AS_EXTERNAL_LSA_MIN_SIZE, ++ /* 0x2006 */ 0, ++ /* 0x2007 */ OSPF6_AS_EXTERNAL_LSA_MIN_SIZE, ++ /* 0x0008 */ OSPF6_LINK_LSA_MIN_SIZE, ++ /* 0x2009 */ OSPF6_INTRA_PREFIX_LSA_MIN_SIZE ++}; ++ + /* print functions */ + + static void +@@ -227,51 +260,6 @@ + /* Receive function */ + #define MSG_OK 0 + #define MSG_NG 1 +-static int +-ospf6_header_examin (struct in6_addr *src, struct in6_addr *dst, +- struct ospf6_interface *oi, struct ospf6_header *oh) +-{ +- u_char type; +- type = OSPF6_MESSAGE_TYPE_CANONICAL (oh->type); +- +- /* version check */ +- if (oh->version != OSPFV3_VERSION) +- { +- if (IS_OSPF6_DEBUG_MESSAGE (type, RECV)) +- zlog_debug ("Message with unknown version"); +- return MSG_NG; +- } +- +- /* Area-ID check */ +- if 
(oh->area_id != oi->area->area_id) +- { +- if (oh->area_id == BACKBONE_AREA_ID) +- { +- if (IS_OSPF6_DEBUG_MESSAGE (type, RECV)) +- zlog_debug ("Message may be via Virtual Link: not supported"); +- return MSG_NG; +- } +- +- if (IS_OSPF6_DEBUG_MESSAGE (type, RECV)) +- zlog_debug ("Area-ID mismatch"); +- return MSG_NG; +- } +- +- /* Instance-ID check */ +- if (oh->instance_id != oi->instance_id) +- { +- if (IS_OSPF6_DEBUG_MESSAGE (type, RECV)) +- zlog_debug ("Instance-ID mismatch"); +- return MSG_NG; +- } +- +- /* Router-ID check */ +- if (oh->router_id == oi->area->ospf6->router_id) +- zlog_warn ("Detect duplicate Router-ID"); +- +- return MSG_OK; +-} +- + static void + ospf6_hello_recv (struct in6_addr *src, struct in6_addr *dst, + struct ospf6_interface *oi, struct ospf6_header *oh) +@@ -283,9 +271,6 @@ + int neighborchange = 0; + int backupseen = 0; + +- if (ospf6_header_examin (src, dst, oi, oh) != MSG_OK) +- return; +- + hello = (struct ospf6_hello *) + ((caddr_t) oh + sizeof (struct ospf6_header)); + +@@ -817,9 +802,6 @@ + struct ospf6_neighbor *on; + struct ospf6_dbdesc *dbdesc; + +- if (ospf6_header_examin (src, dst, oi, oh) != MSG_OK) +- return; +- + on = ospf6_neighbor_lookup (oh->router_id, oi); + if (on == NULL) + { +@@ -869,9 +851,6 @@ + struct ospf6_lsdb *lsdb = NULL; + struct ospf6_lsa *lsa; + +- if (ospf6_header_examin (src, dst, oi, oh) != MSG_OK) +- return; +- + on = ospf6_neighbor_lookup (oh->router_id, oi); + if (on == NULL) + { +@@ -946,6 +925,433 @@ + thread_add_event (master, ospf6_lsupdate_send_neighbor, on, 0); + } + ++/* Verify, that the specified memory area contains exactly N valid IPv6 ++ prefixes as specified by RFC5340, A.4.1. 
*/ ++static unsigned ++ospf6_prefixes_examin ++( ++ struct ospf6_prefix *current, /* start of buffer */ ++ unsigned length, ++ const u_int32_t req_num_pfxs /* always compared with the actual number of prefixes */ ++) ++{ ++ u_char requested_pfx_bytes; ++ u_int32_t real_num_pfxs = 0; ++ ++ while (length) ++ { ++ if (length < OSPF6_PREFIX_MIN_SIZE) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: undersized IPv6 prefix header", __func__); ++ return MSG_NG; ++ } ++ /* safe to look deeper */ ++ if (current->prefix_length > IPV6_MAX_BITLEN) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: invalid PrefixLength (%u bits)", __func__, current->prefix_length); ++ return MSG_NG; ++ } ++ /* covers both fixed- and variable-sized fields */ ++ requested_pfx_bytes = OSPF6_PREFIX_MIN_SIZE + OSPF6_PREFIX_SPACE (current->prefix_length); ++ if (requested_pfx_bytes > length) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: undersized IPv6 prefix", __func__); ++ return MSG_NG; ++ } ++ /* next prefix */ ++ length -= requested_pfx_bytes; ++ current = (struct ospf6_prefix *) ((caddr_t) current + requested_pfx_bytes); ++ real_num_pfxs++; ++ } ++ if (real_num_pfxs != req_num_pfxs) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: IPv6 prefix number mismatch (%u required, %u real)", ++ __func__, req_num_pfxs, real_num_pfxs); ++ return MSG_NG; ++ } ++ return MSG_OK; ++} ++ ++/* Verify an LSA to have a valid length and dispatch further (where ++ appropriate) to check if the contents, including nested IPv6 prefixes, ++ is properly sized/aligned within the LSA. Note that this function gets ++ LSA type in network byte order, uses in host byte order and passes to ++ ospf6_lstype_name() in network byte order again. 
*/ ++static unsigned ++ospf6_lsa_examin (struct ospf6_lsa_header *lsah, const u_int16_t lsalen, const u_char headeronly) ++{ ++ struct ospf6_intra_prefix_lsa *intra_prefix_lsa; ++ struct ospf6_as_external_lsa *as_external_lsa; ++ struct ospf6_link_lsa *link_lsa; ++ unsigned exp_length; ++ u_int8_t ltindex; ++ u_int16_t lsatype; ++ ++ /* In case an additional minimum length constraint is defined for current ++ LSA type, make sure that this constraint is met. */ ++ lsatype = ntohs (lsah->type); ++ ltindex = lsatype & OSPF6_LSTYPE_FCODE_MASK; ++ if ++ ( ++ ltindex < OSPF6_LSTYPE_SIZE && ++ ospf6_lsa_minlen[ltindex] && ++ lsalen < ospf6_lsa_minlen[ltindex] + OSPF6_LSA_HEADER_SIZE ++ ) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: undersized (%u B) LSA", __func__, lsalen); ++ return MSG_NG; ++ } ++ switch (lsatype) ++ { ++ case OSPF6_LSTYPE_ROUTER: ++ /* RFC5340 A.4.3, LSA header + OSPF6_ROUTER_LSA_MIN_SIZE bytes followed ++ by N>=0 interface descriptions. */ ++ if ((lsalen - OSPF6_LSA_HEADER_SIZE - OSPF6_ROUTER_LSA_MIN_SIZE) % OSPF6_ROUTER_LSDESC_FIX_SIZE) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: interface description alignment error", __func__); ++ return MSG_NG; ++ } ++ break; ++ case OSPF6_LSTYPE_NETWORK: ++ /* RFC5340 A.4.4, LSA header + OSPF6_NETWORK_LSA_MIN_SIZE bytes ++ followed by N>=0 attached router descriptions. */ ++ if ((lsalen - OSPF6_LSA_HEADER_SIZE - OSPF6_NETWORK_LSA_MIN_SIZE) % OSPF6_NETWORK_LSDESC_FIX_SIZE) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: router description alignment error", __func__); ++ return MSG_NG; ++ } ++ break; ++ case OSPF6_LSTYPE_INTER_PREFIX: ++ /* RFC5340 A.4.5, LSA header + OSPF6_INTER_PREFIX_LSA_MIN_SIZE bytes ++ followed by 3-4 fields of a single IPv6 prefix. 
*/ ++ if (headeronly) ++ break; ++ return ospf6_prefixes_examin ++ ( ++ (struct ospf6_prefix *) ((caddr_t) lsah + OSPF6_LSA_HEADER_SIZE + OSPF6_INTER_PREFIX_LSA_MIN_SIZE), ++ lsalen - OSPF6_LSA_HEADER_SIZE - OSPF6_INTER_PREFIX_LSA_MIN_SIZE, ++ 1 ++ ); ++ case OSPF6_LSTYPE_INTER_ROUTER: ++ /* RFC5340 A.4.6, fixed-size LSA. */ ++ if (lsalen > OSPF6_LSA_HEADER_SIZE + OSPF6_INTER_ROUTER_LSA_FIX_SIZE) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: oversized (%u B) LSA", __func__, lsalen); ++ return MSG_NG; ++ } ++ break; ++ case OSPF6_LSTYPE_AS_EXTERNAL: /* RFC5340 A.4.7, same as A.4.8. */ ++ case OSPF6_LSTYPE_TYPE_7: ++ /* RFC5340 A.4.8, LSA header + OSPF6_AS_EXTERNAL_LSA_MIN_SIZE bytes ++ followed by 3-4 fields of IPv6 prefix and 3 conditional LSA fields: ++ 16 bytes of forwarding address, 4 bytes of external route tag, ++ 4 bytes of referenced link state ID. */ ++ if (headeronly) ++ break; ++ as_external_lsa = (struct ospf6_as_external_lsa *) ((caddr_t) lsah + OSPF6_LSA_HEADER_SIZE); ++ exp_length = OSPF6_LSA_HEADER_SIZE + OSPF6_AS_EXTERNAL_LSA_MIN_SIZE; ++ /* To find out if the last optional field (Referenced Link State ID) is ++ assumed in this LSA, we need to access fixed fields of the IPv6 ++ prefix before ospf6_prefix_examin() confirms its sizing. */ ++ if (exp_length + OSPF6_PREFIX_MIN_SIZE > lsalen) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: undersized (%u B) LSA header", __func__, lsalen); ++ return MSG_NG; ++ } ++ /* forwarding address */ ++ if (CHECK_FLAG (as_external_lsa->bits_metric, OSPF6_ASBR_BIT_F)) ++ exp_length += 16; ++ /* external route tag */ ++ if (CHECK_FLAG (as_external_lsa->bits_metric, OSPF6_ASBR_BIT_T)) ++ exp_length += 4; ++ /* referenced link state ID */ ++ if (as_external_lsa->prefix.u._prefix_referenced_lstype) ++ exp_length += 4; ++ /* All the fixed-size fields (mandatory and optional) must fit. 
I.e., ++ this check does not include any IPv6 prefix fields. */ ++ if (exp_length > lsalen) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: undersized (%u B) LSA header", __func__, lsalen); ++ return MSG_NG; ++ } ++ /* The last call completely covers the remainder (IPv6 prefix). */ ++ return ospf6_prefixes_examin ++ ( ++ (struct ospf6_prefix *) ((caddr_t) as_external_lsa + OSPF6_AS_EXTERNAL_LSA_MIN_SIZE), ++ lsalen - exp_length, ++ 1 ++ ); ++ case OSPF6_LSTYPE_LINK: ++ /* RFC5340 A.4.9, LSA header + OSPF6_LINK_LSA_MIN_SIZE bytes followed ++ by N>=0 IPv6 prefix blocks (with N declared beforehand). */ ++ if (headeronly) ++ break; ++ link_lsa = (struct ospf6_link_lsa *) ((caddr_t) lsah + OSPF6_LSA_HEADER_SIZE); ++ return ospf6_prefixes_examin ++ ( ++ (struct ospf6_prefix *) ((caddr_t) link_lsa + OSPF6_LINK_LSA_MIN_SIZE), ++ lsalen - OSPF6_LSA_HEADER_SIZE - OSPF6_LINK_LSA_MIN_SIZE, ++ ntohl (link_lsa->prefix_num) /* 32 bits */ ++ ); ++ case OSPF6_LSTYPE_INTRA_PREFIX: ++ /* RFC5340 A.4.10, LSA header + OSPF6_INTRA_PREFIX_LSA_MIN_SIZE bytes ++ followed by N>=0 IPv6 prefixes (with N declared beforehand). */ ++ if (headeronly) ++ break; ++ intra_prefix_lsa = (struct ospf6_intra_prefix_lsa *) ((caddr_t) lsah + OSPF6_LSA_HEADER_SIZE); ++ return ospf6_prefixes_examin ++ ( ++ (struct ospf6_prefix *) ((caddr_t) intra_prefix_lsa + OSPF6_INTRA_PREFIX_LSA_MIN_SIZE), ++ lsalen - OSPF6_LSA_HEADER_SIZE - OSPF6_INTRA_PREFIX_LSA_MIN_SIZE, ++ ntohs (intra_prefix_lsa->prefix_num) /* 16 bits */ ++ ); ++ } ++ /* No additional validation is possible for unknown LSA types, which are ++ themselves valid in OPSFv3, hence the default decision is to accept. */ ++ return MSG_OK; ++} ++ ++/* Verify if the provided input buffer is a valid sequence of LSAs. This ++ includes verification of LSA blocks length/alignment and dispatching ++ of deeper-level checks. 
*/ ++static unsigned ++ospf6_lsaseq_examin ++( ++ struct ospf6_lsa_header *lsah, /* start of buffered data */ ++ size_t length, ++ const u_char headeronly, ++ /* When declared_num_lsas is not 0, compare it to the real number of LSAs ++ and treat the difference as an error. */ ++ const u_int32_t declared_num_lsas ++) ++{ ++ u_int32_t counted_lsas = 0; ++ ++ while (length) ++ { ++ u_int16_t lsalen; ++ if (length < OSPF6_LSA_HEADER_SIZE) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: undersized (%u B) trailing (#%u) LSA header", ++ __func__, length, counted_lsas); ++ return MSG_NG; ++ } ++ /* save on ntohs() calls here and in the LSA validator */ ++ lsalen = OSPF6_LSA_SIZE (lsah); ++ if (lsalen < OSPF6_LSA_HEADER_SIZE) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: malformed LSA header #%u, declared length is %u B", ++ __func__, counted_lsas, lsalen); ++ return MSG_NG; ++ } ++ if (headeronly) ++ { ++ /* less checks here and in ospf6_lsa_examin() */ ++ if (MSG_OK != ospf6_lsa_examin (lsah, lsalen, 1)) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: anomaly in header-only %s LSA #%u", __func__, ++ ospf6_lstype_name (lsah->type), counted_lsas); ++ return MSG_NG; ++ } ++ lsah = (struct ospf6_lsa_header *) ((caddr_t) lsah + OSPF6_LSA_HEADER_SIZE); ++ length -= OSPF6_LSA_HEADER_SIZE; ++ } ++ else ++ { ++ /* make sure the input buffer is deep enough before further checks */ ++ if (lsalen > length) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: anomaly in %s LSA #%u: declared length is %u B, buffered length is %u B", ++ __func__, ospf6_lstype_name (lsah->type), counted_lsas, lsalen, length); ++ return MSG_NG; ++ } ++ if (MSG_OK != ospf6_lsa_examin (lsah, lsalen, 0)) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: anomaly in %s LSA #%u", __func__, ++ 
ospf6_lstype_name (lsah->type), counted_lsas); ++ return MSG_NG; ++ } ++ lsah = (struct ospf6_lsa_header *) ((caddr_t) lsah + lsalen); ++ length -= lsalen; ++ } ++ counted_lsas++; ++ } ++ ++ if (declared_num_lsas && counted_lsas != declared_num_lsas) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: #LSAs declared (%u) does not match actual (%u)", ++ __func__, declared_num_lsas, counted_lsas); ++ return MSG_NG; ++ } ++ return MSG_OK; ++} ++ ++/* Verify a complete OSPF packet for proper sizing/alignment. */ ++static unsigned ++ospf6_packet_examin (struct ospf6_header *oh, const unsigned bytesonwire) ++{ ++ struct ospf6_lsupdate *lsupd; ++ unsigned test; ++ ++ /* length, 1st approximation */ ++ if (bytesonwire < OSPF6_HEADER_SIZE) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: undersized (%u B) packet", __func__, bytesonwire); ++ return MSG_NG; ++ } ++ /* Now it is safe to access header fields. */ ++ if (bytesonwire != ntohs (oh->length)) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: packet length error (%u real, %u declared)", ++ __func__, bytesonwire, ntohs (oh->length)); ++ return MSG_NG; ++ } ++ /* version check */ ++ if (oh->version != OSPFV3_VERSION) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: invalid (%u) protocol version", __func__, oh->version); ++ return MSG_NG; ++ } ++ /* length, 2nd approximation */ ++ if ++ ( ++ oh->type < OSPF6_MESSAGE_TYPE_ALL && ++ ospf6_packet_minlen[oh->type] && ++ bytesonwire < OSPF6_HEADER_SIZE + ospf6_packet_minlen[oh->type] ++ ) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: undersized (%u B) %s packet", __func__, ++ bytesonwire, ospf6_message_type_str[oh->type]); ++ return MSG_NG; ++ } ++ /* type-specific deeper validation */ ++ switch (oh->type) ++ { ++ case OSPF6_MESSAGE_TYPE_HELLO: ++ /* RFC5340 A.3.2, 
packet header + OSPF6_HELLO_MIN_SIZE bytes followed ++ by N>=0 router-IDs. */ ++ if (0 == (bytesonwire - OSPF6_HEADER_SIZE - OSPF6_HELLO_MIN_SIZE) % 4) ++ return MSG_OK; ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: alignment error in %s packet", ++ __func__, ospf6_message_type_str[oh->type]); ++ return MSG_NG; ++ case OSPF6_MESSAGE_TYPE_DBDESC: ++ /* RFC5340 A.3.3, packet header + OSPF6_DB_DESC_MIN_SIZE bytes followed ++ by N>=0 header-only LSAs. */ ++ test = ospf6_lsaseq_examin ++ ( ++ (struct ospf6_lsa_header *) ((caddr_t) oh + OSPF6_HEADER_SIZE + OSPF6_DB_DESC_MIN_SIZE), ++ bytesonwire - OSPF6_HEADER_SIZE - OSPF6_DB_DESC_MIN_SIZE, ++ 1, ++ 0 ++ ); ++ break; ++ case OSPF6_MESSAGE_TYPE_LSREQ: ++ /* RFC5340 A.3.4, packet header + N>=0 LS description blocks. */ ++ if (0 == (bytesonwire - OSPF6_HEADER_SIZE - OSPF6_LS_REQ_MIN_SIZE) % OSPF6_LSREQ_LSDESC_FIX_SIZE) ++ return MSG_OK; ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: alignment error in %s packet", ++ __func__, ospf6_message_type_str[oh->type]); ++ return MSG_NG; ++ case OSPF6_MESSAGE_TYPE_LSUPDATE: ++ /* RFC5340 A.3.5, packet header + OSPF6_LS_UPD_MIN_SIZE bytes followed ++ by N>=0 full LSAs (with N declared beforehand). */ ++ lsupd = (struct ospf6_lsupdate *) ((caddr_t) oh + OSPF6_HEADER_SIZE); ++ test = ospf6_lsaseq_examin ++ ( ++ (struct ospf6_lsa_header *) ((caddr_t) lsupd + OSPF6_LS_UPD_MIN_SIZE), ++ bytesonwire - OSPF6_HEADER_SIZE - OSPF6_LS_UPD_MIN_SIZE, ++ 0, ++ ntohl (lsupd->lsa_number) /* 32 bits */ ++ ); ++ break; ++ case OSPF6_MESSAGE_TYPE_LSACK: ++ /* RFC5340 A.3.6, packet header + N>=0 header-only LSAs. 
*/ ++ test = ospf6_lsaseq_examin ++ ( ++ (struct ospf6_lsa_header *) ((caddr_t) oh + OSPF6_HEADER_SIZE + OSPF6_LS_ACK_MIN_SIZE), ++ bytesonwire - OSPF6_HEADER_SIZE - OSPF6_LS_ACK_MIN_SIZE, ++ 1, ++ 0 ++ ); ++ break; ++ default: ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: invalid (%u) message type", __func__, oh->type); ++ return MSG_NG; ++ } ++ if (test != MSG_OK && IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: anomaly in %s packet", __func__, ospf6_message_type_str[oh->type]); ++ return test; ++} ++ ++/* Verify particular fields of otherwise correct received OSPF packet to ++ meet the requirements of RFC. */ ++static int ++ospf6_rxpacket_examin (struct ospf6_interface *oi, struct ospf6_header *oh, const unsigned bytesonwire) ++{ ++ char buf[2][INET_ADDRSTRLEN]; ++ ++ if (MSG_OK != ospf6_packet_examin (oh, bytesonwire)) ++ return MSG_NG; ++ ++ /* Area-ID check */ ++ if (oh->area_id != oi->area->area_id) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (oh->type, RECV)) ++ { ++ if (oh->area_id == BACKBONE_AREA_ID) ++ zlog_debug ("%s: Message may be via Virtual Link: not supported", __func__); ++ else ++ zlog_debug ++ ( ++ "%s: Area-ID mismatch (my %s, rcvd %s)", __func__, ++ inet_ntop (AF_INET, &oi->area->area_id, buf[0], INET_ADDRSTRLEN), ++ inet_ntop (AF_INET, &oh->area_id, buf[1], INET_ADDRSTRLEN) ++ ); ++ } ++ return MSG_NG; ++ } ++ ++ /* Instance-ID check */ ++ if (oh->instance_id != oi->instance_id) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (oh->type, RECV)) ++ zlog_debug ("%s: Instance-ID mismatch (my %u, rcvd %u)", __func__, oi->instance_id, oh->instance_id); ++ return MSG_NG; ++ } ++ ++ /* Router-ID check */ ++ if (oh->router_id == oi->area->ospf6->router_id) ++ { ++ zlog_warn ("%s: Duplicate Router-ID (%s)", __func__, inet_ntop (AF_INET, &oh->router_id, buf[0], INET_ADDRSTRLEN)); ++ return MSG_NG; ++ } ++ return MSG_OK; ++} ++ + static void + ospf6_lsupdate_recv (struct in6_addr *src, struct in6_addr 
*dst, + struct ospf6_interface *oi, struct ospf6_header *oh) +@@ -955,9 +1361,6 @@ + unsigned long num; + char *p; + +- if (ospf6_header_examin (src, dst, oi, oh) != MSG_OK) +- return; +- + on = ospf6_neighbor_lookup (oh->router_id, oi); + if (on == NULL) + { +@@ -1035,8 +1438,6 @@ + struct ospf6_lsdb *lsdb = NULL; + + assert (oh->type == OSPF6_MESSAGE_TYPE_LSACK); +- if (ospf6_header_examin (src, dst, oi, oh) != MSG_OK) +- return; + + on = ospf6_neighbor_lookup (oh->router_id, oi); + if (on == NULL) +@@ -1201,11 +1602,6 @@ + zlog_err ("Excess message read"); + return 0; + } +- else if (len < sizeof (struct ospf6_header)) +- { +- zlog_err ("Deficient message read"); +- return 0; +- } + + oi = ospf6_interface_lookup_by_ifindex (ifindex); + if (oi == NULL || oi->area == NULL) +@@ -1213,8 +1609,22 @@ + zlog_debug ("Message received on disabled interface"); + return 0; + } ++ if (CHECK_FLAG (oi->flag, OSPF6_INTERFACE_PASSIVE)) ++ { ++ if (IS_OSPF6_DEBUG_MESSAGE (OSPF6_MESSAGE_TYPE_UNKNOWN, RECV)) ++ zlog_debug ("%s: Ignore message on passive interface %s", ++ __func__, oi->interface->name); ++ return 0; ++ } + + oh = (struct ospf6_header *) recvbuf; ++ if (ospf6_rxpacket_examin (oi, oh, len) != MSG_OK) ++ return 0; ++ ++ /* Being here means, that no sizing/alignment issues were detected in ++ the input packet. This renders the additional checks performed below ++ and also in the type-specific dispatching functions a dead code, ++ which can be dismissed in a cleanup-focused review round later. 
*/ + + /* Log */ + if (IS_OSPF6_DEBUG_MESSAGE (oh->type, RECV)) +@@ -1251,14 +1661,6 @@ + } + } + +- if (CHECK_FLAG (oi->flag, OSPF6_INTERFACE_PASSIVE)) +- { +- if (IS_OSPF6_DEBUG_MESSAGE (oh->type, RECV)) +- zlog_debug ("Ignore message on passive interface %s", +- oi->interface->name); +- return 0; +- } +- + switch (oh->type) + { + case OSPF6_MESSAGE_TYPE_HELLO: +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' quagga-0.99.17~/ospf6d/ospf6_message.h quagga-0.99.17/ospf6d/ospf6_message.h +--- quagga-0.99.17~/ospf6d/ospf6_message.h 2010-08-19 05:32:24.000000000 -0400 ++++ quagga-0.99.17/ospf6d/ospf6_message.h 2011-10-07 09:59:31.922406214 -0400 +@@ -52,6 +52,7 @@ + (ospf6_message_type_str[ OSPF6_MESSAGE_TYPE_CANONICAL (T) ]) + + /* OSPFv3 packet header */ ++#define OSPF6_HEADER_SIZE 16U + struct ospf6_header + { + u_char version; +@@ -67,6 +68,7 @@ + #define OSPF6_MESSAGE_END(H) ((caddr_t) (H) + ntohs ((H)->length)) + + /* Hello */ ++#define OSPF6_HELLO_MIN_SIZE 20U + struct ospf6_hello + { + u_int32_t interface_id; +@@ -80,6 +82,7 @@ + }; + + /* Database Description */ ++#define OSPF6_DB_DESC_MIN_SIZE 12U + struct ospf6_dbdesc + { + u_char reserved1; +@@ -96,7 +99,9 @@ + #define OSPF6_DBDESC_IBIT (0x04) /* initial bit */ + + /* Link State Request */ ++#define OSPF6_LS_REQ_MIN_SIZE 0U + /* It is just a sequence of entries below */ ++#define OSPF6_LSREQ_LSDESC_FIX_SIZE 12U + struct ospf6_lsreq_entry + { + u_int16_t reserved; /* Must Be Zero */ +@@ -106,6 +111,7 @@ + }; + + /* Link State Update */ ++#define OSPF6_LS_UPD_MIN_SIZE 4U + struct ospf6_lsupdate + { + u_int32_t lsa_number; +@@ -113,6 +119,7 @@ + }; + + /* Link State Acknowledgement */ ++#define OSPF6_LS_ACK_MIN_SIZE 0U + /* It is just a sequence of LSA Headers */ + + /* Function definition */ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' 
quagga-0.99.17~/ospf6d/ospf6_proto.h quagga-0.99.17/ospf6d/ospf6_proto.h +--- quagga-0.99.17~/ospf6d/ospf6_proto.h 2010-08-19 05:32:24.000000000 -0400 ++++ quagga-0.99.17/ospf6d/ospf6_proto.h 2011-10-07 09:59:31.926406216 -0400 +@@ -73,6 +73,7 @@ + #define OSPF6_OPT_V6 (1 << 0) /* IPv6 forwarding Capability */ + + /* OSPF6 Prefix */ ++#define OSPF6_PREFIX_MIN_SIZE 4U /* .length == 0 */ + struct ospf6_prefix + { + u_int8_t prefix_length; --- quagga-0.99.17.orig/debian/patches/90_configure_ncurses.dpatch +++ quagga-0.99.17/debian/patches/90_configure_ncurses.dpatch 
@@ -0,0 +1,51 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 99-unnamed.dpatch by +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: To make checklib happy. See: +## DP: http://rerun.lefant.net/checklib/log.quagga_0.99.5-1.html + +@DPATCH@ + +--- old/configure.orig 2010-03-09 11:55:56.000000000 +0100 ++++ new/configure 2010-03-21 18:58:43.000000000 +0100 +@@ -24663,7 +24663,8 @@ + $as_echo_n "(cached) " >&6 + else + ac_check_lib_save_LIBS=$LIBS +-LIBS="-ltermcap $LIBS" ++#42#DEBIAN# LIBS="-ltermcap $LIBS" ++LIBS="$LIBS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. */ + +@@ -24694,7 +24695,8 @@ + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_termcap_tputs" >&5 + $as_echo "$ac_cv_lib_termcap_tputs" >&6; } + if test "x$ac_cv_lib_termcap_tputs" = x""yes; then : +- LIBREADLINE="$LIBREADLINE -ltermcap" ++ #42#DEBIAN# LIBREADLINE="$LIBREADLINE -ltermcap" ++ LIBREADLINE="$LIBREADLINE " + else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for tputs in -ltinfo" >&5 + $as_echo_n "checking for tputs in -ltinfo... " >&6; } +@@ -24741,7 +24743,8 @@ + $as_echo_n "(cached) " >&6 + else + ac_check_lib_save_LIBS=$LIBS +-LIBS="-lcurses $LIBS" ++#42#DEBIAN# LIBS="-lcurses $LIBS" ++LIBS="$LIBS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. */ + +@@ -24811,7 +24814,8 @@ + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ncurses_tputs" >&5 + $as_echo "$ac_cv_lib_ncurses_tputs" >&6; } + if test "x$ac_cv_lib_ncurses_tputs" = x""yes; then : +- LIBREADLINE="$LIBREADLINE -lncurses" ++ #42#DEBIAN# LIBREADLINE="$LIBREADLINE -lncurses" ++ LIBREADLINE="$LIBREADLINE" + fi + + --- quagga-0.99.17.orig/debian/patches/00list +++ quagga-0.99.17/debian/patches/00list 
@@ -0,0 +1,14 @@
+10_doc__Makefiles__makeinfo-force.dpatch
+20_ospf6_area_argv.dpatch
+50_vtysh__vtysh.conf.sample.dpatch
+75_vtysh__vtysh.c__PAGER.dpatch
+80_vtysh__vtysh.c__privs.dpatch
+82_vtysh__vtysh_user.c__pam.dpatch
+90_configure_ncurses.dpatch
+99_no-aspathlimit
+99_quagga-extcom
+99_CVE-2011-3323
+99_CVE-2011-3324
+99_CVE-2011-3325
+99_CVE-2011-3326
+99_CVE-2011-3327
--- quagga-0.99.17.orig/debian/patches/99_CVE-2011-3327.dpatch
+++ quagga-0.99.17/debian/patches/99_CVE-2011-3327.dpatch
@@ -0,0 +1,36 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: fix arbitrary code execution via Extended Communities path attribute
+# Origin: Debian (0.99.17-2+squeeze3) quagga update
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' quagga-0.99.17~/bgpd/bgp_ecommunity.c quagga-0.99.17/bgpd/bgp_ecommunity.c
+--- quagga-0.99.17~/bgpd/bgp_ecommunity.c 2010-08-19 05:32:24.000000000 -0400
++++ quagga-0.99.17/bgpd/bgp_ecommunity.c 2011-10-07 10:01:54.522409867 -0400
+@@ -619,6 +619,13 @@
+
+ for (i = 0; i < ecom->size; i++)
+ {
++ /* Make it sure size is enough. */
++ while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size)
++ {
++ str_size *= 2;
++ str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size);
++ }
++
+ /* Space between each value. */
+ if (! first)
+ str_buf[str_pnt++] = ' ';
+@@ -662,13 +669,6 @@
+ break;
+ }
+
+- /* Make it sure size is enough. */
+- while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size)
+- {
+- str_size *= 2;
+- str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size);
+- }
+-
+ /* Put string into buffer. */
+ if (encode == ECOMMUNITY_ENCODE_AS4)
+ {
--- quagga-0.99.17.orig/debian/patches/20_ospf6_area_argv.dpatch
+++ quagga-0.99.17/debian/patches/20_ospf6_area_argv.dpatch
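Review bot: In 99_CVE-2011-3327.dpatch, the growth loop moved to the top of the `for (i = 0; i < ecom->size; i++)` body in bgp_ecommunity.c still rests on an unstated bound: it leaves just over ECOMMUNITY_STR_DEFAULT_LEN free bytes per iteration, and nothing in the hunk shows that the separator, the formatted value and the terminating NUL always fit in that. The formatting calls sit below the second inner hunk and are not visible, so this needs confirming rather than assuming. A comment at the loop would pin the contract down, e.g. `/* one iteration writes at most ECOMMUNITY_STR_DEFAULT_LEN bytes, separator and NUL included */`, and the bound becomes self-enforcing if the writers use `snprintf` limited to `str_size - str_pnt`. The enclosing function starts and ends outside both inner hunks.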
@@ -0,0 +1,62 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## by Christian Hammers
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Debian Bug #519488 and Quagga Bug #530
+## DP: Simple off-by-one due to the previous argv++
+
+@DPATCH@
+
+--- old/ospf6d/ospf6_area.c 2009-07-28 18:35:45.000000000 +0200
++++ new/ospf6d/ospf6_area.c 2010-02-14 19:58:11.000000000 +0100
+@@ -445,14 +445,14 @@ DEFUN (area_filter_list,
+ argc--;
+ argv++;
+
+- plist = prefix_list_lookup (AFI_IP6, argv[1]);
+- if (strncmp (argv[2], "in", 2) == 0)
++ plist = prefix_list_lookup (AFI_IP6, argv[0]);
++ if (strncmp (argv[1], "in", 2) == 0)
+ {
+ PREFIX_LIST_IN (area) = plist;
+ if (PREFIX_NAME_IN (area))
+ free (PREFIX_NAME_IN (area));
+
+- PREFIX_NAME_IN (area) = strdup (argv[1]);
++ PREFIX_NAME_IN (area) = strdup (argv[0]);
+ ospf6_abr_reimport (area);
+ }
+ else
+@@ -461,7 +461,7 @@ DEFUN (area_filter_list,
+ if (PREFIX_NAME_OUT (area))
+ free (PREFIX_NAME_OUT (area));
+
+- PREFIX_NAME_OUT (area) = strdup (argv[1]);
++ PREFIX_NAME_OUT (area) = strdup (argv[0]);
+ ospf6_abr_enable_area (area);
+ }
+
+@@ -487,11 +487,11 @@ DEFUN (no_area_filter_list,
+ argc--;
+ argv++;
+
+- plist = prefix_list_lookup (AFI_IP6, argv[1]);
+- if (strncmp (argv[2], "in", 2) == 0)
++ plist = prefix_list_lookup (AFI_IP6, argv[0]);
++ if (strncmp (argv[1], "in", 2) == 0)
+ {
+ if (PREFIX_NAME_IN (area))
+- if (strcmp (PREFIX_NAME_IN (area), argv[1]) != 0)
++ if (strcmp (PREFIX_NAME_IN (area), argv[0]) != 0)
+ return CMD_SUCCESS;
+
+ PREFIX_LIST_IN (area) = NULL;
+@@ -504,7 +504,7 @@ DEFUN (no_area_filter_list,
+ else
+ {
+ if (PREFIX_NAME_OUT (area))
+- if (strcmp (PREFIX_NAME_OUT (area), argv[1]) != 0)
++ if (strcmp (PREFIX_NAME_OUT (area), argv[0]) != 0)
+ return CMD_SUCCESS;
+
+ PREFIX_LIST_OUT (area) = NULL;
--- quagga-0.99.17.orig/debian/patches/99_quagga-extcom.dpatch
+++ quagga-0.99.17/debian/patches/99_quagga-extcom.dpatch
@@ -0,0 +1,56 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: fix denial of service via malformed extended communities
+# Origin: vendor, Debian's 0.99.17-2+squeeze2 release
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' quagga-0.99.17~/bgpd/bgp_attr.c quagga-0.99.17/bgpd/bgp_attr.c
+--- quagga-0.99.17~/bgpd/bgp_attr.c 2011-03-23 14:05:12.286194796 -0400
++++ quagga-0.99.17/bgpd/bgp_attr.c 2011-03-23 14:05:17.476194794 -0400
+@@ -1198,13 +1198,16 @@
+ attr->community = NULL;
+ return 0;
+ }
+- else
+- {
+- attr->community =
+- community_parse ((u_int32_t *)stream_pnt (peer->ibuf), length);
+- stream_forward_getp (peer->ibuf, length);
+- }
++
++ attr->community =
++ community_parse ((u_int32_t *)stream_pnt (peer->ibuf), length);
++
++ /* XXX: fix community_parse to use stream API and remove this */
++ stream_forward_getp (peer->ibuf, length);
+
++ if (!attr->community)
++ return -1;
++
+ attr->flag |= ATTR_FLAG_BIT (BGP_ATTR_COMMUNITIES);
+
+ return 0;
+@@ -1441,13 +1444,18 @@
+ {
+ if (attr->extra)
+ attr->extra->ecommunity = NULL;
++ /* Empty extcomm doesn't seem to be invalid per se */
++ return 0;
+ }
+- else
+- {
+- (bgp_attr_extra_get (attr))->ecommunity =
+- ecommunity_parse ((u_int8_t *)stream_pnt (peer->ibuf), length);
+- stream_forward_getp (peer->ibuf, length);
+- }
++
++ (bgp_attr_extra_get (attr))->ecommunity =
++ ecommunity_parse ((u_int8_t *)stream_pnt (peer->ibuf), length);
++ /* XXX: fix ecommunity_parse to use stream API */
++ stream_forward_getp (peer->ibuf, length);
++
++ if (!attr->extra->ecommunity)
++ return -1;
++
+ attr->flag |= ATTR_FLAG_BIT (BGP_ATTR_EXT_COMMUNITIES);
+
+ return 0;
--- quagga-0.99.17.orig/debian/patches/10_doc__Makefiles__makeinfo-force.dpatch
+++ quagga-0.99.17/debian/patches/10_doc__Makefiles__makeinfo-force.dpatch
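Review bot: Both new `return -1;` paths in 99_quagga-extcom.dpatch (after `community_parse` in the -1198 hunk and after `ecommunity_parse` in the -1441 hunk) reject the attribute without recording why. Unless the caller logs it, which is outside these hunks, a peer that sends a malformed COMMUNITIES or EXT_COMMUNITIES attribute leaves nothing for an operator to correlate with the resulting session error. A line such as `zlog (peer->log, LOG_ERR, "Malformed communities attribute, length %u", length);` before each return would cover that. The two XXX comments also admit that the parsers read from `stream_pnt (peer->ibuf)` directly; whether `length` has been checked against the bytes left in the stream before that read is not visible here and should be confirmed. Both functions start and end outside the hunks.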
@@ -0,0 +1,21 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10_doc__Makefiles__makeinfo-force.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: makeinfo
+
+@DPATCH@
+
+#
+# This patch is just for the Woody Backport.
+#
+--- /tmp/Makefile.in 2005-01-05 22:37:02.000000000 +0100
++++ new/doc/Makefile.in 2005-01-05 23:03:33.000000000 +0100
+@@ -191,6 +191,7 @@
+ sysconfdir = @sysconfdir@
+ target_alias = @target_alias@
+ EPSTOPDF = epstopdf
++MAKEINFOFLAGS = --force
+
+ # rather twisted logic because we have to build PDFs of the EPS figures
+ # and yet build one PDF, quagga.pdf, from texi source. Which means we cant
--- quagga-0.99.17.orig/debian/patches/75_vtysh__vtysh.c__PAGER.dpatch
+++ quagga-0.99.17/debian/patches/75_vtysh__vtysh.c__PAGER.dpatch
@@ -0,0 +1,30 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 75_vtysh__vtysh.c__PAGER.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: vtysh__vtysh.c__PAGER
+
+@DPATCH@
+
+--- old/vtysh/vtysh.c.orig 2004-10-18 01:23:16.000000000 +0200
++++ new/vtysh/vtysh.c 2004-10-18 01:25:15.000000000 +0200
+@@ -240,10 +240,16 @@
+
+ pager_defined = getenv ("VTYSH_PAGER");
+
+- if (pager_defined)
++ if (pager_defined) {
+ vtysh_pager_name = strdup (pager_defined);
+- else
+- vtysh_pager_name = strdup ("more");
++ } else {
++ struct stat pager_stat;
++ if (stat("/usr/bin/pager", &pager_stat) == 0) {
++ vtysh_pager_name = strdup ("/usr/bin/pager");
++ } else {
++ vtysh_pager_name = strdup ("more");
++ }
++ }
+ }
+
+ /* Command execution over the vty interface. */
--- quagga-0.99.17.orig/debian/patches/50_vtysh__vtysh.conf.sample.dpatch
+++ quagga-0.99.17/debian/patches/50_vtysh__vtysh.conf.sample.dpatch
@@ -0,0 +1,20 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 50_vtysh__vtysh.conf.sample.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: vtysh__vtysh.conf.sample
+
+@DPATCH@
+
+--- old/vtysh/vtysh.conf.sample.orig 2004-10-30 23:07:40.000000000 +0200
++++ new/vtysh/vtysh.conf.sample 2004-10-30 23:08:24.000000000 +0200
+@@ -1,7 +1,7 @@
+ !
+ ! Sample configuration file for vtysh.
+ !
+-!service integrated-vtysh-config
++service integrated-vtysh-config
+ !hostname quagga-router
+-!username root nopassword
++username root nopassword
+ !
--- quagga-0.99.17.orig/debian/patches/99_CVE-2011-3324.dpatch
+++ quagga-0.99.17/debian/patches/99_CVE-2011-3324.dpatch
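Review bot: In 50_vtysh__vtysh.conf.sample.dpatch, uncommenting `username root nopassword` turns the shipped sample into a live authentication setting with no explanation in the file. As vtysh treats that keyword, root is then not asked for a PAM password, and anyone who copies the sample unchanged inherits that. If this is the intended packaging default the file should say so, for example a line `! root is not asked for a PAM password by vtysh; delete the next line to require one` directly above it. The same goes for `service integrated-vtysh-config`, which is switched on here and also has no comment saying what it changes.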
@@ -0,0 +1,29 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: fix denial of sevice via crafted Link-State-Advertisement
+# Origin: Debian (0.99.17-2+squeeze3) quagga update
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' quagga-0.99.17~/ospf6d/ospf6_lsa.c quagga-0.99.17/ospf6d/ospf6_lsa.c
+--- quagga-0.99.17~/ospf6d/ospf6_lsa.c 2010-08-19 05:32:24.000000000 -0400
++++ quagga-0.99.17/ospf6d/ospf6_lsa.c 2011-10-07 09:59:46.386406585 -0400
+@@ -163,9 +163,19 @@
+ return 1;
+ if (ntohs (lsa1->header->length) != ntohs (lsa2->header->length))
+ return 1;
++ /* Going beyond LSA headers to compare the payload only makes sense, when both LSAs aren't header-only. */
++ if (CHECK_FLAG (lsa1->flag, OSPF6_LSA_HEADERONLY) != CHECK_FLAG (lsa2->flag, OSPF6_LSA_HEADERONLY))
++ {
++ zlog_warn ("%s: only one of two (%s, %s) LSAs compared is header-only", __func__, lsa1->name, lsa2->name);
++ return 1;
++ }
++ if (CHECK_FLAG (lsa1->flag, OSPF6_LSA_HEADERONLY))
++ return 0;
+
+ length = OSPF6_LSA_SIZE (lsa1->header) - sizeof (struct ospf6_lsa_header);
+- assert (length > 0);
++ /* Once upper layer verifies LSAs received, length underrun should become a warning. */
++ if (length <= 0)
++ return 0;
+
+ return memcmp (OSPF6_LSA_HEADER_END (lsa1->header),
+ OSPF6_LSA_HEADER_END (lsa2->header), length);
--- quagga-0.99.17.orig/debian/patches/99_no-aspathlimit.dpatch
+++ quagga-0.99.17/debian/patches/99_no-aspathlimit.dpatch
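Review bot: In 99_CVE-2011-3324.dpatch, the `if (length <= 0) return 0;` that replaces the assert in ospf6_lsa.c only catches an underrun if `length` is a signed type, and its declaration is outside the hunk. The right-hand side `OSPF6_LSA_SIZE (lsa1->header) - sizeof (struct ospf6_lsa_header)` is evaluated in an unsigned type because of `sizeof`, so with an unsigned `length` a declared size smaller than the header wraps to a large value and reaches `memcmp`. Testing before subtracting removes that dependency: `if (OSPF6_LSA_SIZE (lsa1->header) <= sizeof (struct ospf6_lsa_header)) return 0;`. The comment above the check also promises a warning that the code never emits, so either add a `zlog_warn` there or reword the comment. The function starts outside the hunk.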
@@ -0,0 +1,89 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +# Description: fix denial of service via AS_PATHLIMIT +# Origin: vendor, Debian's 0.99.17-2+squeeze2 release + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' quagga-0.99.17~/bgpd/bgp_attr.c quagga-0.99.17/bgpd/bgp_attr.c +--- quagga-0.99.17~/bgpd/bgp_attr.c 2010-08-19 05:32:24.000000000 -0400 ++++ quagga-0.99.17/bgpd/bgp_attr.c 2011-03-23 14:05:01.866194798 -0400 +@@ -704,43 +704,6 @@ + } + } + +-/* Parse AS_PATHLIMIT attribute in an UPDATE */ +-static int +-bgp_attr_aspathlimit (struct peer *peer, bgp_size_t length, +- struct attr *attr, u_char flag, u_char *startp) +-{ +- bgp_size_t total; +- +- total = length + (CHECK_FLAG (flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3); +- +- if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS) +- || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) +- { +- zlog (peer->log, LOG_ERR, +- "AS-Pathlimit attribute flag isn't transitive %d", flag); +- bgp_notify_send_with_data (peer, +- BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR, +- startp, total); +- return -1; +- } +- +- if (length != 5) +- { +- zlog (peer->log, LOG_ERR, +- "AS-Pathlimit length, %u, is not 5", length); +- bgp_notify_send_with_data (peer, +- BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR, +- startp, total); +- return -1; +- } +- +- attr->pathlimit.ttl = stream_getc (BGP_INPUT(peer)); +- attr->pathlimit.as = stream_getl (BGP_INPUT(peer)); +- attr->flag |= ATTR_FLAG_BIT (BGP_ATTR_AS_PATHLIMIT); +- return 0; +-} + /* Get origin attribute of the update message. 
*/ + static int + bgp_attr_origin (struct peer *peer, bgp_size_t length, +@@ -1709,9 +1672,6 @@ + case BGP_ATTR_EXT_COMMUNITIES: + ret = bgp_attr_ext_communities (peer, length, attr, flag); + break; +- case BGP_ATTR_AS_PATHLIMIT: +- ret = bgp_attr_aspathlimit (peer, length, attr, flag, startp); +- break; + default: + ret = bgp_attr_unknown (peer, attr, flag, type, length, startp); + break; +@@ -2265,25 +2225,7 @@ + stream_putl (s, attr->extra->aggregator_as); + stream_put_ipv4 (s, attr->extra->aggregator_addr.s_addr); + } +- +- /* AS-Pathlimit */ +- if (attr->pathlimit.ttl) +- { +- u_int32_t as = attr->pathlimit.as; +- +- /* should already have been done in announce_check(), +- * but just in case.. +- */ +- if (!as) +- as = peer->local_as; +- +- stream_putc (s, BGP_ATTR_FLAG_OPTIONAL|BGP_ATTR_FLAG_TRANS); +- stream_putc (s, BGP_ATTR_AS_PATHLIMIT); +- stream_putc (s, 5); +- stream_putc (s, attr->pathlimit.ttl); +- stream_putl (s, as); +- } +- ++ + /* Unknown transit attribute. */ + if (attr->extra && attr->extra->transit) + stream_put (s, attr->extra->transit->val, attr->extra->transit->length); --- quagga-0.99.17.orig/debian/patches/99_CVE-2011-3326.dpatch +++ quagga-0.99.17/debian/patches/99_CVE-2011-3326.dpatch 
@@ -0,0 +1,18 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: fix denial of service via unknown Link-State-Advertisements types
+# Origin: Debian (0.99.17-2+squeeze3) quagga update
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' quagga-0.99.17~/ospfd/ospf_flood.c quagga-0.99.17/ospfd/ospf_flood.c
+--- quagga-0.99.17~/ospfd/ospf_flood.c 2010-08-19 05:32:24.000000000 -0400
++++ quagga-0.99.17/ospfd/ospf_flood.c 2011-10-07 10:01:42.886409568 -0400
+@@ -319,7 +319,8 @@
+ procedure cannot overwrite the newly installed LSA until
+ MinLSArrival seconds have elapsed. */
+
+- new = ospf_lsa_install (ospf, nbr->oi, new);
++ if (! (new = ospf_lsa_install (ospf, nbr->oi, new)))
++ return 0; /* unknown LSA type */
+
+ /* Acknowledge the receipt of the LSA by sending a Link State
+ Acknowledgment packet back out the receiving interface. */
--- quagga-0.99.17.orig/debian/patches/82_vtysh__vtysh_user.c__pam.dpatch
+++ quagga-0.99.17/debian/patches/82_vtysh__vtysh_user.c__pam.dpatch
@@ -0,0 +1,15 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99-unnamed.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Adds explanation why vtysh does not work if PAM fails.
+
+@DPATCH@
+
+--- old/vtysh/vtysh_user.c.orig 2006-11-03 01:53:58.000000000 +0100
++++ new/vtysh/vtysh_user.c 2006-11-03 01:59:02.000000000 +0100
+@@ -60,2 +60,4 @@ vtysh_pam (const char *user)
+ ret = pam_authenticate (pamh, 0);
++ if (ret != PAM_SUCCESS)
++ printf("Not authenticated. Check /etc/pam.d/quagga.\n");
+ /* printf ("ret %d\n", ret); */
--- quagga-0.99.17.orig/debian/patches/80_vtysh__vtysh.c__privs.dpatch
+++ quagga-0.99.17/debian/patches/80_vtysh__vtysh.c__privs.dpatch
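Review bot: In 99_CVE-2011-3326.dpatch, the new early exit in ospf_flood.c returns 0 when `ospf_lsa_install` yields NULL, and by then `new` has been overwritten by the assignment inside the condition, so the function no longer holds the pointer to the LSA it tried to install. What 0 means to the caller is decided outside the hunk. If it reads as "flooded and installed", the rejected LSA is neither discarded nor reported, so this needs checking against the caller. A distinct failure value such as `return -1; /* LSA not installed */`, together with a log line naming the neighbour, would make the rejection visible. The comment also narrows the cause to an unknown LSA type, although nothing here shows that this is the only reason for a NULL return.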
@@ -0,0 +1,51 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 100_vtysh__vtysh.c__privs.dpatch by +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: vtysh__vtysh.c__privs + +@DPATCH@ + +--- old/vtysh/vtysh.c.orig 2004-10-30 23:16:08.000000000 +0200 ++++ new/vtysh/vtysh.c 2004-10-30 23:16:41.000000000 +0200 +@@ -26,6 +26,8 @@ + #include + #include + #include ++#include ++#include + + #include + #include +@@ -1638,6 +1646,9 @@ + FILE *fp; + char *integrate_sav = NULL; + ++ /* Setting file permissions */ ++ struct group *quagga_vty_group; ++ + integrate_sav = malloc (strlen (integrate_default) + + strlen (CONF_BACKUP_EXT) + 1); + strcpy (integrate_sav, integrate_default); +@@ -1669,6 +1680,21 @@ + vtysh_config_dump (fp); + + fclose (fp); ++ ++ errno = 0; ++ if ((quagga_vty_group = getgrnam(VTY_GROUP)) == NULL) ++ { ++ fprintf (stdout, "%% Can't get group %s: %s (%d)\n", ++ VTY_GROUP, strerror(errno), errno); ++ return CMD_WARNING; ++ } ++ ++ if ((chown(integrate_default, -1, quagga_vty_group->gr_gid)) != 0) ++ { ++ fprintf (stdout,"%% Can't chown configuration file %s: %s (%d)\n", ++ integrate_default, strerror(errno), errno); ++ return CMD_WARNING; ++ } + + if (chmod (integrate_default, CONFIGFILE_MASK) != 0) + { --- quagga-0.99.17.orig/debian/my/daemons +++ quagga-0.99.17/debian/my/daemons 
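Review bot: In 80_vtysh__vtysh.c__privs.dpatch, the group and mode of the freshly written configuration are set by path after `fclose (fp)`. Until the `chown` and `chmod` calls run, the file therefore exists with whatever group and mode it was created with, and `integrate_default` is resolved again for each call. Applying both to the open descriptor ahead of `fclose (fp)` removes that window: `fchown (fileno (fp), -1, quagga_vty_group->gr_gid)` and `fchmod (fileno (fp), CONFIGFILE_MASK)`. Separately, both new `return CMD_WARNING;` paths leave `integrate_sav` allocated unless it is freed outside the hunk, and the two messages go to stdout rather than stderr. The function starts and ends outside the hunk.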
@@ -0,0 +1,27 @@
+# This file tells the quagga package which daemons to start.
+#
+# Entries are in the format: =(yes|no|priority)
+# 0, "no" = disabled
+# 1, "yes" = highest priority
+# 2 .. 10 = lower priorities
+# Read /usr/share/doc/quagga/README.Debian for details.
+#
+# Sample configurations for these daemons can be found in
+# /usr/share/doc/quagga/examples/.
+#
+# ATTENTION:
+#
+# When activation a daemon at the first time, a config file, even if it is
+# empty, has to be present *and* be owned by the user and group "quagga", else
+# the daemon will not be started by /etc/init.d/quagga. The permissions should
+# be u=rw,g=r,o=.
+# When using "vtysh" such a config file is also needed. It should be owned by
+# group "quaggavty" and set to ug=rw,o= though. Check /etc/pam.d/quagga, too.
+#
+zebra=no
+bgpd=no
+ospfd=no
+ospf6d=no
+ripd=no
+ripngd=no
+isisd=no
--- quagga-0.99.17.orig/debian/my/config.h.reference
+++ quagga-0.99.17/debian/my/config.h.reference
@@ -0,0 +1,827 @@ +/* config.h. Generated from config.h.in by configure. */ +/* config.h.in. Generated from configure.ac by autoheader. */ + +/* Define if building universal (internal helper macro) */ +/* #undef AC_APPLE_UNIVERSAL_BUILD */ + +/* bgpd vty socket */ +#define BGP_VTYSH_PATH "/var/run/quagga/bgpd.vty" + +/* BSDI */ +/* #undef BSDI_NRL */ + +/* Mask for config files */ +#define CONFIGFILE_MASK 0640 + +/* Consumed Time Check */ +#define CONSUMED_TIME_CHECK 5000000 + +/* daemon vty directory */ +#define DAEMON_VTY_DIR "/var/run/quagga" + +/* Disable BGP installation to zebra */ +#define DISABLE_BGP_ANNOUNCE 0 + +/* GNU Linux */ +#define GNU_LINUX /**/ + +/* Define to 1 if you have the `alarm' function. */ +#define HAVE_ALARM 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_ARPA_INET_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_ASM_TYPES_H 1 + +/* Broken Alias */ +/* #undef HAVE_BROKEN_ALIASES */ + +/* Broken CMSG_FIRSTHDR */ +/* #undef HAVE_BROKEN_CMSG_FIRSTHDR */ + +/* BSD link-detect */ +/* #undef HAVE_BSD_LINK_DETECT */ + +/* Can pass ifindex in struct ip_mreq */ +/* #undef HAVE_BSD_STRUCT_IP_MREQ_HACK */ + +/* capabilities */ +#define HAVE_CAPABILITIES 1 + +/* Define to 1 if your system has a working `chown' function. */ +#define HAVE_CHOWN 1 + +/* Have monotonic clock */ +#define HAVE_CLOCK_MONOTONIC /**/ + +/* Define to 1 if you have the `daemon' function. */ +#define HAVE_DAEMON 1 + +/* Define to 1 if you have the declaration of `TCP_MD5SIG', and to 0 if you + don't. */ +#define HAVE_DECL_TCP_MD5SIG 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_DLFCN_H 1 + +/* Define to 1 if you don't have `vprintf' but do have `_doprnt.' */ +/* #undef HAVE_DOPRNT */ + +/* Define to 1 if you have the `dup2' function. */ +#define HAVE_DUP2 1 + +/* Define to 1 if you have the `fcntl' function. */ +#define HAVE_FCNTL 1 + +/* Define to 1 if you have the header file. 
*/ +#define HAVE_FCNTL_H 1 + +/* Define to 1 if your system has a working POSIX `fnmatch' function. */ +#define HAVE_FNMATCH 1 + +/* Define to 1 if you have the `fork' function. */ +#define HAVE_FORK 1 + +/* Define to 1 if you have the `ftruncate' function. */ +#define HAVE_FTRUNCATE 1 + +/* Define to 1 if you have the `getaddrinfo' function. */ +#define HAVE_GETADDRINFO 1 + +/* Define to 1 if you have the `getcwd' function. */ +#define HAVE_GETCWD 1 + +/* Define to 1 if you have the `gethostbyname' function. */ +#define HAVE_GETHOSTBYNAME 1 + +/* Define to 1 if you have the `getifaddrs' function. */ +#define HAVE_GETIFADDRS 1 + +/* Define to 1 if you have the `getpagesize' function. */ +#define HAVE_GETPAGESIZE 1 + +/* Define to 1 if you have the `gettimeofday' function. */ +#define HAVE_GETTIMEOFDAY 1 + +/* Glibc backtrace */ +#define HAVE_GLIBC_BACKTRACE /**/ + +/* GNU regexp library */ +#define HAVE_GNU_REGEX /**/ + +/* Define to 1 if you have the `if_indextoname' function. */ +#define HAVE_IF_INDEXTONAME 1 + +/* Define to 1 if you have the `if_nametoindex' function. */ +#define HAVE_IF_NAMETOINDEX 1 + +/* __inet_aton */ +#define HAVE_INET_ATON 1 + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_INET_ND_H */ + +/* Define to 1 if you have the `inet_ntoa' function. */ +#define HAVE_INET_NTOA 1 + +/* __inet_ntop */ +#define HAVE_INET_NTOP /**/ + +/* __inet_pton */ +#define HAVE_INET_PTON /**/ + +/* Define to 1 if you have the header file. */ +#define HAVE_INTTYPES_H 1 + +/* Linux IPv6 */ +#define HAVE_IPV6 1 + +/* IRDP */ +#define HAVE_IRDP /**/ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_KVM_H */ + +/* Capabilities */ +#define HAVE_LCAPS 1 + +/* Define to 1 if you have the `crypt' library (-lcrypt). */ +#define HAVE_LIBCRYPT 1 + +/* Define to 1 if you have the `kvm' library (-lkvm). */ +/* #undef HAVE_LIBKVM */ + +/* Have libm */ +#define HAVE_LIBM /**/ + +/* Define to 1 if you have the `nsl' library (-lnsl). 
*/ +/* #undef HAVE_LIBNSL */ + +/* Define to 1 if you have the `pcreposix' library (-lpcreposix). */ +/* #undef HAVE_LIBPCREPOSIX */ + +/* Define to 1 if you have the `resolv' library (-lresolv). */ +/* #undef HAVE_LIBRESOLV */ + +/* Define to 1 if you have the `socket' library (-lsocket). */ +/* #undef HAVE_LIBSOCKET */ + +/* Define to 1 if you have the `umem' library (-lumem). */ +/* #undef HAVE_LIBUMEM */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_LIBUTIL_H */ + +/* Define to 1 if you have the `xnet' library (-lxnet). */ +/* #undef HAVE_LIBXNET */ + +/* Define to 1 if you have the header file. */ +#define HAVE_LIMITS_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_LINUX_VERSION_H 1 + +/* mallinfo */ +#define HAVE_MALLINFO /**/ + +/* Define to 1 if your system has a GNU libc compatible `malloc' function, and + to 0 otherwise. */ +#define HAVE_MALLOC 1 + +/* Define to 1 if you have the `memchr' function. */ +#define HAVE_MEMCHR 1 + +/* Define to 1 if you have the `memmove' function. */ +#define HAVE_MEMMOVE 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_MEMORY_H 1 + +/* Define to 1 if you have the `memset' function. */ +#define HAVE_MEMSET 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_NETDB_H 1 + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_NETINET6_IN6_H */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_NETINET6_IN6_VAR_H */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_NETINET6_ND6_H */ + +/* Define to 1 if you have the header file. */ +#define HAVE_NETINET_ICMP6_H 1 + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_NETINET_IN6_VAR_H */ + +/* Define to 1 if you have the header file. */ +#define HAVE_NETINET_IN_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_NETINET_IN_SYSTM_H 1 + +/* Define to 1 if you have the header file. 
*/ +/* #undef HAVE_NETINET_IN_VAR_H */ + +/* Define to 1 if you have the header file. */ +#define HAVE_NETINET_IP_ICMP_H 1 + +/* netlink */ +#define HAVE_NETLINK /**/ + +/* Net SNMP */ +/* #undef HAVE_NETSNMP */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_NET_IF_DL_H */ + +/* Define to 1 if you have the header file. */ +#define HAVE_NET_IF_H 1 + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_NET_IF_VAR_H */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_NET_NETOPT_H */ + +/* Define to 1 if you have the header file. */ +#define HAVE_NET_ROUTE_H 1 + +/* NET_RT_IFLIST */ +/* #undef HAVE_NET_RT_IFLIST */ + +/* OSPF Opaque LSA */ +#define HAVE_OPAQUE_LSA /**/ + +/* Have openpam.h */ +/* #undef HAVE_OPENPAM_H */ + +/* OSPF TE */ +#define HAVE_OSPF_TE /**/ + +/* Have pam_misc.h */ +#define HAVE_PAM_MISC_H /**/ + +/* Define to 1 if you have the `pow' function. */ +#define HAVE_POW 1 + +/* Solaris printstack */ +/* #undef HAVE_PRINTSTACK */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_PRIV_H */ + +/* /proc/net/dev */ +/* #undef HAVE_PROC_NET_DEV */ + +/* /proc/net/if_inet6 */ +/* #undef HAVE_PROC_NET_IF_INET6 */ + +/* prctl */ +#define HAVE_PR_SET_KEEPCAPS /**/ + +/* Define to 1 if your system has a GNU libc compatible `realloc' function, + and to 0 otherwise. */ +#define HAVE_REALLOC 1 + +/* Enable IPv6 Routing Advertisement support */ +#define HAVE_RTADV /**/ + +/* rusage */ +#define HAVE_RUSAGE /**/ + +/* Define to 1 if you have the `select' function. */ +#define HAVE_SELECT 1 + +/* Have setproctitle */ +/* #undef HAVE_SETPROCTITLE */ + +/* Define to 1 if you have the header file. */ +#define HAVE_SIGNAL_H 1 + +/* SNMP */ +/* #undef HAVE_SNMP */ + +/* Define to 1 if you have the `snprintf' function. */ +#define HAVE_SNPRINTF 1 + +/* Define to 1 if you have the `socket' function. */ +#define HAVE_SOCKET 1 + +/* Define to 1 if the system has the type `socklen_t'. 
*/ +#define HAVE_SOCKLEN_T 1 + +/* getpflags */ +/* #undef HAVE_SOLARIS_CAPABILITIES */ + +/* Stack symbol decoding */ +#define HAVE_STACK_TRACE /**/ + +/* Define to 1 if `stat' has the bug that it succeeds when given the + zero-length file name argument. */ +/* #undef HAVE_STAT_EMPTY_STRING_BUG */ + +/* Define to 1 if you have the header file. */ +#define HAVE_STDDEF_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STDINT_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STDLIB_H 1 + +/* Define to 1 if you have the `strcasecmp' function. */ +#define HAVE_STRCASECMP 1 + +/* Define to 1 if you have the `strchr' function. */ +#define HAVE_STRCHR 1 + +/* Define to 1 if you have the `strcspn' function. */ +#define HAVE_STRCSPN 1 + +/* Define to 1 if you have the `strdup' function. */ +#define HAVE_STRDUP 1 + +/* Define to 1 if you have the `strerror' function. */ +#define HAVE_STRERROR 1 + +/* Define to 1 if you have the `strftime' function. */ +#define HAVE_STRFTIME 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STRINGS_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STRING_H 1 + +/* Define to 1 if you have the `strlcat' function. */ +/* #undef HAVE_STRLCAT */ + +/* Define to 1 if you have the `strlcpy' function. */ +/* #undef HAVE_STRLCPY */ + +/* Define to 1 if you have the `strncasecmp' function. */ +#define HAVE_STRNCASECMP 1 + +/* Define to 1 if you have the `strndup' function. */ +#define HAVE_STRNDUP 1 + +/* Define to 1 if you have the `strnlen' function. */ +#define HAVE_STRNLEN 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STROPTS_H 1 + +/* Define to 1 if you have the `strrchr' function. */ +#define HAVE_STRRCHR 1 + +/* Define to 1 if you have the `strspn' function. */ +#define HAVE_STRSPN 1 + +/* Define to 1 if you have the `strstr' function. */ +#define HAVE_STRSTR 1 + +/* Define to 1 if you have the `strtol' function. 
*/ +#define HAVE_STRTOL 1 + +/* Define to 1 if you have the `strtoul' function. */ +#define HAVE_STRTOUL 1 + +/* Define to 1 if the system has the type `struct icmphdr'. */ +#define HAVE_STRUCT_ICMPHDR 1 + +/* Define to 1 if the system has the type `struct if6_aliasreq'. */ +/* #undef HAVE_STRUCT_IF6_ALIASREQ */ + +/* Define to 1 if `ifra_lifetime' is a member of `struct if6_aliasreq'. */ +/* #undef HAVE_STRUCT_IF6_ALIASREQ_IFRA_LIFETIME */ + +/* Define to 1 if the system has the type `struct ifaliasreq'. */ +/* #undef HAVE_STRUCT_IFALIASREQ */ + +/* Define to 1 if `ifm_status' is a member of `struct ifmediareq'. */ +/* #undef HAVE_STRUCT_IFMEDIAREQ_IFM_STATUS */ + +/* Define to 1 if the system has the type `struct in6_aliasreq'. */ +/* #undef HAVE_STRUCT_IN6_ALIASREQ */ + +/* Define to 1 if the system has the type `struct in_pktinfo'. */ +#define HAVE_STRUCT_IN_PKTINFO 1 + +/* Define to 1 if `imr_ifindex' is a member of `struct ip_mreqn'. */ +#define HAVE_STRUCT_IP_MREQN_IMR_IFINDEX 1 + +/* Define to 1 if the system has the type `struct nd_opt_adv_interval'. */ +#define HAVE_STRUCT_ND_OPT_ADV_INTERVAL 1 + +/* Define to 1 if `nd_opt_ai_type' is a member of `struct + nd_opt_adv_interval'. */ +/* #undef HAVE_STRUCT_ND_OPT_ADV_INTERVAL_ND_OPT_AI_TYPE */ + +/* Define to 1 if the system has the type `struct nd_opt_homeagent_info'. */ +/* #undef HAVE_STRUCT_ND_OPT_HOMEAGENT_INFO */ + +/* Define to 1 if the system has the type `struct rt_addrinfo'. */ +/* #undef HAVE_STRUCT_RT_ADDRINFO */ + +/* Define to 1 if the system has the type `struct sockaddr'. */ +#define HAVE_STRUCT_SOCKADDR 1 + +/* Define to 1 if the system has the type `struct sockaddr_dl'. */ +/* #undef HAVE_STRUCT_SOCKADDR_DL */ + +/* Define to 1 if the system has the type `struct sockaddr_in'. */ +#define HAVE_STRUCT_SOCKADDR_IN 1 + +/* Define to 1 if the system has the type `struct sockaddr_in6'. 
*/ +#define HAVE_STRUCT_SOCKADDR_IN6 1 + +/* Define to 1 if `sin6_scope_id' is a member of `struct sockaddr_in6'. */ +#define HAVE_STRUCT_SOCKADDR_IN6_SIN6_SCOPE_ID 1 + +/* Define to 1 if `sin_len' is a member of `struct sockaddr_in'. */ +/* #undef HAVE_STRUCT_SOCKADDR_IN_SIN_LEN */ + +/* Define to 1 if `sa_len' is a member of `struct sockaddr'. */ +/* #undef HAVE_STRUCT_SOCKADDR_SA_LEN */ + +/* Define to 1 if the system has the type `struct sockaddr_un'. */ +#define HAVE_STRUCT_SOCKADDR_UN 1 + +/* Define to 1 if `sun_len' is a member of `struct sockaddr_un'. */ +/* #undef HAVE_STRUCT_SOCKADDR_UN_SUN_LEN */ + +/* Define to 1 if you have the header file. */ +#define HAVE_SYSLOG_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_CAPABILITY_H 1 + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_SYS_CONF_H */ + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_IOCTL_H 1 + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_SYS_KSYM_H */ + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_PARAM_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_SELECT_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_SOCKET_H 1 + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_SYS_SOCKIO_H */ + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_STAT_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_SYSCTL_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_TIMES_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_TIME_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_TYPES_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_UN_H 1 + +/* Define to 1 if you have that is POSIX.1 compatible. 
*/ +#define HAVE_SYS_WAIT_H 1 + +/* Old Linux 2.4 TCP MD5 Signature Patch */ +/* #undef HAVE_TCP_MD5_LINUX24 */ + +/* Use TCP for zebra communication */ +/* #undef HAVE_TCP_ZEBRA */ + +/* Define to 1 if you have the header file. */ +#define HAVE_TIME_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_UCONTEXT_H 1 + +/* Define to 1 if you have the `uname' function. */ +#define HAVE_UNAME 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_UNISTD_H 1 + +/* Define to 1 if you have the `vfork' function. */ +#define HAVE_VFORK 1 + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_VFORK_H */ + +/* Define to 1 if you have the `vprintf' function. */ +#define HAVE_VPRINTF 1 + +/* Define to 1 if you have the `vsnprintf' function. */ +#define HAVE_VSNPRINTF 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_WCHAR_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_WCTYPE_H 1 + +/* Define to 1 if `fork' works. */ +#define HAVE_WORKING_FORK 1 + +/* Define to 1 if `vfork' works. */ +#define HAVE_WORKING_VFORK 1 + +/* INRIA IPv6 */ +/* #undef INRIA_IPV6 */ + +/* IRIX 6.5 */ +/* #undef IRIX_65 */ + +/* selected method for isis, == one of the constants */ +#define ISIS_METHOD ISIS_METHOD_PFPACKET + +/* constant value for isis method bpf */ +#define ISIS_METHOD_BPF 3 + +/* constant value for isis method dlpi */ +#define ISIS_METHOD_DLPI 2 + +/* constant value for isis method pfpacket */ +#define ISIS_METHOD_PFPACKET 1 + +/* isisd vty socket */ +#define ISIS_VTYSH_PATH "/var/run/quagga/isisd.vty" + +/* KAME IPv6 stack */ +/* #undef KAME */ + +/* Linux IPv6 stack */ +#define LINUX_IPV6 1 + +/* Mask for log files */ +#define LOGFILE_MASK 0640 + +/* Define to 1 if `lstat' dereferences a symlink specified with a trailing + slash. */ +#define LSTAT_FOLLOWS_SLASHED_SYMLINK 1 + +/* Define to the sub-directory in which libtool stores uninstalled libraries. 
+ */ +#define LT_OBJDIR ".libs/" + +/* Musica IPv6 stack */ +/* #undef MUSICA */ + +/* Define to 1 if your C compiler doesn't accept -c and -o together. */ +/* #undef NO_MINUS_C_MINUS_O */ + +/* NRL */ +/* #undef NRL */ + +/* OpenBSD */ +/* #undef OPEN_BSD */ + +/* ospf6d vty socket */ +#define OSPF6_VTYSH_PATH "/var/run/quagga/ospf6d.vty" + +/* ospfd vty socket */ +#define OSPF_VTYSH_PATH "/var/run/quagga/ospfd.vty" + +/* Name of package */ +#define PACKAGE "quagga" + +/* Define to the address where bug reports for this package should be sent. */ +#define PACKAGE_BUGREPORT "https://bugzilla.quagga.net" + +/* Define to the full name of this package. */ +#define PACKAGE_NAME "Quagga" + +/* Define to the full name and version of this package. */ +#define PACKAGE_STRING "Quagga 0.99.17" + +/* Define to the one symbol short name of this package. */ +#define PACKAGE_TARNAME "quagga" + +/* Define to the home page for this package. */ +#define PACKAGE_URL "" + +/* Define to the version of this package. */ +#define PACKAGE_VERSION "0.99.17" + +/* Have openpam_ttyconv */ +#define PAM_CONV_FUNC misc_conv + +/* bgpd PID */ +#define PATH_BGPD_PID "/var/run/quagga/bgpd.pid" + +/* isisd PID */ +#define PATH_ISISD_PID "/var/run/quagga/isisd.pid" + +/* ospf6d PID */ +#define PATH_OSPF6D_PID "/var/run/quagga/ospf6d.pid" + +/* ospfd PID */ +#define PATH_OSPFD_PID "/var/run/quagga/ospfd.pid" + +/* ripd PID */ +#define PATH_RIPD_PID "/var/run/quagga/ripd.pid" + +/* ripngd PID */ +#define PATH_RIPNGD_PID "/var/run/quagga/ripngd.pid" + +/* watchquagga PID */ +#define PATH_WATCHQUAGGA_PID "/var/run/quagga/watchquagga.pid" + +/* zebra PID */ +#define PATH_ZEBRA_PID "/var/run/quagga/zebra.pid" + +/* Quagga Group */ +#define QUAGGA_GROUP "quagga" + +/* Hide deprecated interfaces */ +#define QUAGGA_NO_DEPRECATED_INTERFACES 1 + +/* Quagga User */ +#define QUAGGA_USER "quagga" + +/* Define as the return type of signal handlers (`int' or `void'). 
*/ +#define RETSIGTYPE void + +/* ripng vty socket */ +#define RIPNG_VTYSH_PATH "/var/run/quagga/ripngd.vty" + +/* rip vty socket */ +#define RIP_VTYSH_PATH "/var/run/quagga/ripd.vty" + +/* Define to the type of arg 1 for `select'. */ +#define SELECT_TYPE_ARG1 int + +/* Define to the type of args 2, 3 and 4 for `select'. */ +#define SELECT_TYPE_ARG234 (fd_set *) + +/* Define to the type of arg 5 for `select'. */ +#define SELECT_TYPE_ARG5 (struct timeval *) + +/* Solaris IPv6 */ +/* #undef SOLARIS_IPV6 */ + +/* Define to 1 if you have the ANSI C header files. */ +#define STDC_HEADERS 1 + +/* SunOS 5 */ +/* #undef SUNOS_5 */ + +/* SunOS 5.6 to 5.7 */ +/* #undef SUNOS_56 */ + +/* SunOS 5.8 up */ +/* #undef SUNOS_59 */ + +/* OSPFAPI */ +#define SUPPORT_OSPF_API /**/ + +/* Define to 1 if you can safely include both and . */ +#define TIME_WITH_SYS_TIME 1 + +/* Define to 1 if your declares `struct tm'. */ +/* #undef TM_IN_SYS_TIME */ + +/* Enable IS-IS topology generator code */ +/* #undef TOPOLOGY_GENERATE */ + +/* Use PAM for authentication */ +#define USE_PAM /**/ + +/* Enable extensions on AIX 3, Interix. */ +#ifndef _ALL_SOURCE +# define _ALL_SOURCE 1 +#endif +/* Enable GNU extensions on systems that have them. */ +#ifndef _GNU_SOURCE +# define _GNU_SOURCE 1 +#endif +/* Enable threading extensions on Solaris. */ +#ifndef _POSIX_PTHREAD_SEMANTICS +# define _POSIX_PTHREAD_SEMANTICS 1 +#endif +/* Enable extensions on HP NonStop. */ +#ifndef _TANDEM_SOURCE +# define _TANDEM_SOURCE 1 +#endif +/* Enable general extensions on Solaris. */ +#ifndef __EXTENSIONS__ +# define __EXTENSIONS__ 1 +#endif + + +/* Version number of package */ +#define VERSION "0.99.17" + +/* VTY shell */ +#define VTYSH /**/ + +/* VTY Sockets Group */ +#define VTY_GROUP "quaggavty" + +/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most + significant byte first (like Motorola and SPARC, unlike Intel). 
*/ +#if defined AC_APPLE_UNIVERSAL_BUILD +# if defined __BIG_ENDIAN__ +# define WORDS_BIGENDIAN 1 +# endif +#else +# ifndef WORDS_BIGENDIAN +/* # undef WORDS_BIGENDIAN */ +# endif +#endif + +/* zebra api socket */ +#define ZEBRA_SERV_PATH "/var/run/quagga/zserv.api" + +/* zebra vty socket */ +#define ZEBRA_VTYSH_PATH "/var/run/quagga/zebra.vty" + +/* Number of bits in a file offset, on hosts where this is settable. */ +/* #undef _FILE_OFFSET_BITS */ + +/* Define for large files, on AIX-style hosts. */ +/* #undef _LARGE_FILES */ + +/* Define to 1 if on MINIX. */ +/* #undef _MINIX */ + +/* Define to 2 if the system does not provide POSIX.1 features except with + this defined. */ +/* #undef _POSIX_1_SOURCE */ + +/* Define to 1 if you need to in order for `stat' and other things to work. */ +/* #undef _POSIX_SOURCE */ + +/* Define to empty if `const' does not conform to ANSI C. */ +/* #undef const */ + +/* Define to `int' if doesn't define. */ +/* #undef gid_t */ + +/* Define to `__inline__' or `__inline' if that's what the C compiler + calls it, or to nothing if 'inline' is not supported under any name. */ +#ifndef __cplusplus +/* #undef inline */ +#endif + +/* Define to rpl_malloc if the replacement function should be used. */ +/* #undef malloc */ + +/* Define to `int' if does not define. */ +/* #undef mode_t */ + +/* Define to `int' if does not define. */ +/* #undef pid_t */ + +/* Define to rpl_realloc if the replacement function should be used. */ +/* #undef realloc */ + +/* Define to the equivalent of the C99 'restrict' keyword, or to + nothing if this is not supported. Do not define if restrict is + supported directly. */ +#define restrict __restrict +/* Work around a bug in Sun C++: it does not support _Restrict or + __restrict__, even though the corresponding Sun C compiler ends up with + "#define restrict _Restrict" or "#define restrict __restrict__" in the + previous line. 
Perhaps some future version of Sun C++ will work with + restrict; if so, hopefully it defines __RESTRICT like Sun C does. */ +#if defined __SUNPRO_CC && !defined __RESTRICT +# define _Restrict +# define __restrict__ +#endif + +/* Old readline */ +/* #undef rl_completion_matches */ + +/* Define to `unsigned int' if does not define. */ +/* #undef size_t */ + +/* Define to `int' if doesn't define. */ +/* #undef uid_t */ + +/* Define as `fork' if `vfork' does not work. */ +/* #undef vfork */ + +/* Define to empty if the keyword `volatile' does not work. Warning: valid + code using `volatile' can become incorrect without. Disable with care. */ +/* #undef volatile */
--- quagga-0.99.17.orig/debian/my/debian.conf
+++ quagga-0.99.17/debian/my/debian.conf
@@ -0,0 +1,13 @@
+#
+# If this option is set the /etc/init.d/quagga script automatically loads
+# the config via "vtysh -b" when the servers are started.
+# Check /etc/pam.d/quagga if you intend to use "vtysh"!
+#
+vtysh_enable=yes
+zebra_options=" --daemon -A 127.0.0.1"
+bgpd_options=" --daemon -A 127.0.0.1"
+ospfd_options=" --daemon -A 127.0.0.1"
+ospf6d_options="--daemon -A ::1"
+ripd_options=" --daemon -A 127.0.0.1"
+ripngd_options="--daemon -A ::1"
+isisd_options=" --daemon -A 127.0.0.1"
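Review bot: The `*_options` lines in debian.conf carry no comment explaining `-A`, so an administrator trimming the option strings has no hint that this flag is what keeps each daemon's VTY listener on the loopback address. A comment above the block would cover it, for example `# -A sets the VTY bind address; keep it on loopback unless remote VTY access is intended and filtered.` The existing header documents only `vtysh_enable`.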