Change logs for quagga source package in Oneiric

  • quagga (0.99.20.1-0ubuntu0.11.10.3) oneiric-security; urgency=low
    
      * SECURITY UPDATE: denial of service via malformed ORF capability TLV
        (LP: #1018052)
        - debian/patches/CVE-2012-1820.patch: correctly follow spec in
          bgpd/bgp_open.c.
        - CVE-2012-1820
     -- Marc Deslauriers <email address hidden>   Thu, 11 Oct 2012 10:00:32 -0400
  • quagga (0.99.20.1-0ubuntu0.11.10.2) oneiric-security; urgency=low
    
      * SECURITY UPDATE: Update to 0.99.20.1 to fix multiple security issues.
        (LP: #994169)
        - Denial of service via short Link State Update packet
        - Denial of service via short network-LSA link-state advertisement
        - Denial of service via malformed Four-octet AS Number Capability
        - CVE-2012-0249
        - CVE-2012-0250
        - CVE-2012-0255
      * debian/control, debian/rules: Remove quagga-dbg package for Oneiric.
      * debian/patches/99_bgpd-fix-memory-leak-for-extra-attributes.diff:
        added fix for a bgpd memory leak related to extra attributes. Thanks to
        Debian for the regression fix.
     -- Marc Deslauriers <email address hidden>   Sat, 05 May 2012 17:03:18 -0400
  • quagga (0.99.18-2ubuntu0.1) oneiric-security; urgency=low
    
      * SECURITY UPDATE: arbitrary code execution via malformed Inter Area
        Prefix LSA
        - debian/patches/95_CVE-2011-3323.dpatch: check lengths in
          ospf6d/{ospf6_abr.h,ospf6_asbr.h,ospf6_intra.h,ospf6_lsa.h,
          ospf6_message.c,ospf6_message.h,ospf6_proto.h}
        - CVE-2011-3323
      * SECURITY UPDATE: denial of service via crafted Link-State-Advertisement
        - debian/patches/95_CVE-2011-3324.dpatch: change assert to warning in
          ospf6d/ospf6_lsa.c.
        - CVE-2011-3324
      * SECURITY UPDATE: denial of service via crafted Hello packet
        - debian/patches/95_CVE-2011-3325.dpatch: add extra checks to
          ospfd/ospf_packet.c.
        - CVE-2011-3325
      * SECURITY UPDATE: denial of service via unknown Link-State-Advertisement
        types
        - debian/patches/95_CVE-2011-3326.dpatch: exit if LSA type is unknown
          in ospfd/ospf_flood.c.
        - CVE-2011-3326
      * SECURITY UPDATE: arbitrary code execution via Extended Communities path
        attribute
        - debian/patches/95_CVE-2011-3327.dpatch: properly check size in
          bgpd/bgp_ecommunity.c.
        - CVE-2011-3327
     -- Marc Deslauriers <email address hidden>   Fri, 07 Oct 2011 12:41:49 -0400
  • quagga (0.99.18-2) unstable; urgency=low
    
      * Removed 90_configure_ncurses.dpatch which does not have any visible
        effect to the control files dependencies nor to the ldd usr/bin/vtysh
        output anymore. The web site with the "checklib" tool that reported
        warnings for superfluous dependencies in 2006 cannot be found anymore.
      * Removed 10_doc__Makefiles__makeinfo-force.dpatch which was only for the
        'woody' release.
      * Added 94_gcc45_format.dpatch which contains the patches from #614459
      * Added sed snippet to debian/rules to remove dependencies from all .la
        files as requested in http://wiki.debian.org/ReleaseGoals/LAFileRemoval
      * Removed --enable-tcp-md5 from ./configure call as this option has been
        renamed to --enable-linux24-tcp-md5 and is thus no longer needed.
      * Bumped standards version to 3.9.2.
     -- Chuck Short <email address hidden>   Tue,  09 Aug 2011 00:20:36 +0000
  • quagga (0.99.18-1) unstable; urgency=low
    
      * SECURITY:
        "This release fixes 2 denial of services in bgpd, which can be remotely
        triggered by malformed AS-Pathlimit or Extended-Community attributes.
        These issues have been assigned CVE-2010-1674 and CVE-2010-1675. 
        Support for AS-Pathlimit has been removed with this release."
      * Added Brazilian Portuguese debconf translation. Closes: #617735
      * Changed section for quagga-doc from "doc" to "net".
      * Added patch to fix FTBFS with latest GCC. Closes: #614459
     -- Chuck Short <email address hidden>   Tue,  03 May 2011 10:28:44 +0000
  • quagga (0.99.17-4ubuntu1) natty; urgency=low
    
      * SECURITY UPDATE: denial of service via malformed extended communities
        - debian/patches/99_quagga-extcom.dpatch: ignore malformed extended
          communities in bgpd/bgp_attr.c.
        - CVE-2010-1674
      * SECURITY UPDATE: denial of service via AS_PATHLIMIT
        - debian/patches/99_no-aspathlimit.dpatch: remove AS_PATHLIMIT support
          in bgpd/bgp_attr.c.
        - CVE-2010-1675
     -- Marc Deslauriers <email address hidden>   Wed, 23 Mar 2011 13:47:08 -0400