frr (8.4.4-1.1ubuntu6.1) noble-security; urgency=medium

  * SECURITY UPDATE: DoS via malformed Prefix SID attribute
    - debian/patches/CVE-2024-31948-1.patch: fix error handling when
      receiving BGP Prefix SID attribute in bgpd/bgp_attr.c.
    - debian/patches/CVE-2024-31948-2.patch: prevent one more CVE from
      triggering this place in bgpd/bgp_attr.c.
    - CVE-2024-31948
  * SECURITY UPDATE: DoS via malformed OSPF LSA packets
    - debian/patches/CVE-2024-31950.patch: solved crash in RI parsing with
      OSPF TE in ospfd/ospf_te.c.
    - CVE-2024-31950
  * SECURITY UPDATE: DoS via malformed OSPF LSA packets
    - debian/patches/CVE-2024-31951.patch: correct Opaque LSA Extended
      parser in ospfd/ospf_te.c.
    - CVE-2024-31951
  * SECURITY UPDATE: DoS via invalid edge data
    - debian/patches/CVE-2024-34088.patch: protect call to get_edge() in
      ospf_te.c.
    - CVE-2024-34088

 -- Marc Deslauriers <email address hidden>  Mon, 27 May 2024 13:09:15 -0400

frr (8.4.4-1.1ubuntu6) noble; urgency=medium

  * No-change rebuild for c-ares t64.

 -- Matthias Klose <email address hidden>  Tue, 16 Apr 2024 11:56:13 +0200

frr (8.4.4-1.1ubuntu5) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <email address hidden>  Sun, 31 Mar 2024 05:25:32 +0000

frr (8.4.4-1.1ubuntu4) noble; urgency=medium

  * SECURITY UPDATE: DoS via malformed OSPF LSA packet
    - debian/patches/CVE-2024-27913.patch: solved crash in OSPF TE parsing
      in ospfd/ospf_te.c.
    - CVE-2024-27913

 -- Marc Deslauriers <email address hidden>  Tue, 05 Mar 2024 08:25:28 -0500

frr (8.4.4-1.1ubuntu3) noble; urgency=medium

  * SECURITY UPDATE: read beyond stream during labeled unicast parsing
    - debian/patches/CVE-2023-38407.patch: fix use beyond end of stream of
      labeled unicast parsing in bgpd/bgp_label.c.
    - CVE-2023-38407
  * SECURITY UPDATE: crash via MP_UNREACH_NLRI attribute
    - debian/patches/CVE-2023-47234.patch: ignore handling NLRIs if we
      received MP_UNREACH_NLRI in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
      bgpd/bgp_packet.c.
    - CVE-2023-47234
  * SECURITY UPDATE: crash via malformed BGP UPDATE message
    - debian/patches/CVE-2023-47235.patch: treat EOR as withdrawn to avoid
      unwanted handling of malformed attrs in bgpd/bgp_attr.c.
    - CVE-2023-47235

 -- Marc Deslauriers <email address hidden>  Thu, 16 Nov 2023 09:19:43 -0500

frr (8.4.4-1.1ubuntu2) noble; urgency=medium

  * SECURITY UPDATE: DoS via MP_REACH_NLRI data
    - debian/patches/CVE-2023-46752.patch: handle MP_REACH_NLRI malformed
      packets with session reset in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
      bgpd/bgp_packet.c.
    - CVE-2023-46752
  * SECURITY UPDATE: DoS via BGP UPDATE without mandatory attributes
    - debian/patches/CVE-2023-46753.patch: check mandatory attributes more
      carefully for UPDATE message in bgpd/bgp_attr.c.
    - CVE-2023-46753

 -- Marc Deslauriers <email address hidden>  Wed, 01 Nov 2023 14:12:59 -0400

frr (8.4.4-1.1ubuntu1) mantic; urgency=medium

  * Merge with Debian unstable (LP: #2033921). Remaining changes:
    - Fix logging with Ubuntu's unprivileged rsyslog (LP #1958162):
      + d/frr.postinst: change log files ownership
      + d/frr.logrotate: change rotated log file ownership

 -- Andreas Hasenack <email address hidden>  Fri, 01 Sep 2023 15:15:39 -0300