Change logs for quagga source package in Lucid

  • quagga (0.99.20.1-0ubuntu0.10.04.3) lucid-security; urgency=low
    
      * SECURITY UPDATE: denial of service via malformed ORF capability TLV
        (LP: #1018052)
        - debian/patches/CVE-2012-1820.patch: correctly follow spec in
          bgpd/bgp_open.c.
        - CVE-2012-1820
     -- Marc Deslauriers <email address hidden>   Thu, 11 Oct 2012 10:02:33 -0400
  • quagga (0.99.20.1-0ubuntu0.10.04.2) lucid-security; urgency=low
    
      * SECURITY UPDATE: Update to 0.99.20.1 to fix multiple security issues.
        (LP: #994169)
        - Denial of service via short Link State Update packet
        - Denial of service via short network-LSA link-state advertisement
        - Denial of service via malformed Four-octet AS Number Capability
        - CVE-2012-0249
        - CVE-2012-0250
        - CVE-2012-0255
      * debian/control, debian/rules: Remove quagga-dbg package for Lucid.
      * debian/rules: don't use autotools_dev for Lucid.
      * debian/patches/99_bgpd-fix-memory-leak-for-extra-attributes.diff:
        added fix for a bgpd memory leak related to extra attributes. Thanks to
        Debian for the regression fix.
     -- Marc Deslauriers <email address hidden>   Sat, 05 May 2012 19:21:02 -0400
  • quagga (0.99.15-1ubuntu0.3) lucid-security; urgency=low
    
      * SECURITY UPDATE: arbitrary code execution via malformed Inter Area
        Prefix LSA
        - debian/patches/99_CVE-2011-3323.dpatch: check lengths in
          ospf6d/{ospf6_abr.h,ospf6_asbr.h,ospf6_intra.h,ospf6_lsa.h,
          ospf6_message.c,ospf6_message.h,ospf6_proto.h}
        - CVE-2011-3323
      * SECURITY UPDATE: denial of service via crafted Link-State-Advertisement
        - debian/patches/99_CVE-2011-3324.dpatch: change assert to warning in
          ospf6d/ospf6_lsa.c.
        - CVE-2011-3324
      * SECURITY UPDATE: denial of service via crafted Hello packet
        - debian/patches/99_CVE-2011-3325.dpatch: add extra checks to
          ospfd/ospf_packet.c.
        - CVE-2011-3325
      * SECURITY UPDATE: denial of service via unknown Link-State-Advertisements
        types
        - debian/patches/99_CVE-2011-3326.dpatch: exit if LSA type is unknown
          in ospfd/ospf_flood.c.
        - CVE-2011-3326
      * SECURITY UPDATE: arbitrary code execution via Extended Communities path
        attribute
        - debian/patches/99_CVE-2011-3327.dpatch: properly check size in
          bgpd/bgp_ecommunity.c.
        - CVE-2011-3327
     -- Marc Deslauriers <email address hidden>   Fri, 07 Oct 2011 12:38:37 -0400
  • quagga (0.99.15-1ubuntu0.2) lucid-security; urgency=low
    
      * SECURITY UPDATE: denial of service via malformed extended communities
        - debian/patches/99_quagga-extcom.dpatch: ignore malformed extended
          communities in bgpd/bgp_attr.c.
        - CVE-2010-1674
      * SECURITY UPDATE: denial of service via AS_PATHLIMIT
        - debian/patches/99_no-aspathlimit.dpatch: remove AS_PATHLIMIT support
          in bgpd/bgp_attr.c.
        - CVE-2010-1675
     -- Marc Deslauriers <email address hidden>   Wed, 23 Mar 2011 14:07:57 -0400
  • quagga (0.99.15-1ubuntu0.1) lucid-security; urgency=low
    
      * SECURITY UPDATE: denial of service and possible arbitrary code
        execution via malformed Outbound Route Filtering (ORF) record
        - debian/patches/91_CVE-2010-2948.dpatch: improve bounds checking in
          bgpd/bgp_packet.c.
        - CVE-2010-2948
      * SECURITY UPDATE: denial of service via unknown AS type
        - debian/patches/91_CVE-2010-2949.dpatch: check segment types and
          lengths in bgpd/bgp_aspath.*, bgpd/bgp_attr.c, tests/aspath_test.c.
        - CVE-2010-2949
     -- Marc Deslauriers <email address hidden>   Thu, 11 Nov 2010 14:06:35 -0500
  • quagga (0.99.15-1) unstable; urgency=low
    
      * New upstream release
        "This fixes some annoying little ospfd and ospf6d regressions, which made
        0.99.14 a bit of a problem release (...) This release still contains a 
        regression in the "no ip address ..." command, at least on Linux. 
        See bug #486, which contains a workaround patch. This release should be 
        considered a 1.0.0 release candidate. Please test this release as widely
        as possible."
      * Fixed wrong port number in zebra.8 (thanks to Thijs Kinkhorst). 
        Closes: #517860
      * Added Russian Debconf translation (thanks to Yuri Kozlov).
        Closes: #539464
      * Removed so-version in build-dep to libreadline-dev on request of 
        Matthias Klose.
      * Added README.source with reference to dpatch as suggested by lintian.
      * Bumped standards version to 3.8.3.
    
    quagga (0.99.14-1) unstable; urgency=low
    
      * New upstream release
        "This release contains a regression fix for ospf6d, various small fixes
        and some hopefully very significant bgpd stability fixes.
        This release should be considered a 1.0.0 release candidate. Please test
        this release as widely as possible."
      * Fixes bug with premature LSA aging in ospf6d. Closes: #535030
      * Fixes section number in zebra.8 manpage. Closes: #517860
    
    quagga (0.99.13-2) unstable; urgency=low
    
      * Added Japanese Debconf translation (thanks to Hideki Yamane). 
        Closes: #510714 
      * When checking for obsoleted config options in preinst, print filename
        where it occurs (thanks to Michael Bussmann). Closes: #339489
     -- Ubuntu Archive Auto-Sync <email address hidden>   Fri,  06 Nov 2009 10:32:48 +0000
  • quagga (0.99.13-1) unstable; urgency=low
    
      * New upstream release
        "This release contains a number of small fixes, for potentially
        irritating issues, as well as small enhancements to vtysh and support
        for linking to PCRE (a much faster regex library)."
      * Added build-dep to gawk as configure required it for memtypes.awk
      * Replaced build-dep to gs-gpl with ghostscript as requested by lintian
      * Minor changes to copyright and control files to make lintian happy.
    
     -- Ubuntu Archive Auto-Sync <email address hidden>   Thu,  25 Jun 2009 07:44:18 +0100