Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.2163
SUSE Security Update: Security update for quagga
30 August 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Quagga
Publisher: SUSE
Operating System: SUSE
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2017-5495 CVE-2016-1245
Reference: ESB-2017.0756
ESB-2016.2478
ESB-2016.2452
ESB-2016.2440
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for quagga
______________________________________________________________________________
Announcement ID: SUSE-SU-2017:2294-1
Rating: important
References: #1005258 #1021669 #1034273
Cross-References: CVE-2016-1245 CVE-2017-5495
Affected Products:
SUSE Linux Enterprise Software Development Kit 12-SP3
SUSE Linux Enterprise Software Development Kit 12-SP2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
SUSE Linux Enterprise Server 12-SP3
SUSE Linux Enterprise Server 12-SP2
______________________________________________________________________________
An update that solves two vulnerabilities and has one
errata is now available.
Description:
This update provides Quagga 1.1.1, which brings several fixes and
enhancements.
Security issues fixed:
- CVE-2017-5495: Telnet 'vty' interface DoS due to unbounded memory
allocation. (bsc#1021669)
- CVE-2016-1245: Stack overrun in IPv6 RA receive code. (bsc#1005258)
Bug fixes:
- Do not enable zebra's TCP interface (port 2600) to use default UNIX
socket for communication between the daemons. (fate#323170)
Between 0.99.22.1 and 1.1.1 the following improvements have been
implemented:
- Changed the default of 'link-detect' state, controlling whether zebra
will respond to link-state events and consider an interface to be down
when link is down. To retain the current behavior save your config
before updating, otherwise remove the 'link-detect' flag from your
config prior to updating. There is also a new global 'default
link-detect (on|off)' flag to configure the global default.
- Greatly improved nexthop resolution for recursive routes.
- Event driven nexthop resolution for BGP.
- Route tags support.
- Transport of TE related metrics over OSPF, IS-IS.
- IPv6 Multipath for zebra and BGP.
- Multicast RIB support has been extended. It still is IPv4 only.
- RIP for IPv4 now supports equal-cost multipath (ECMP).
- route-maps have a new action "set ipv6 next-hop peer-address".
- route-maps have a new action "set as-path prepend last-as".
- "next-hop-self all" to override nexthop on iBGP route reflector setups.
- New pimd daemon provides IPv4 PIM-SSM multicast routing.
- IPv6 address management has been improved regarding tentative addresses.
This is visible in that a freshly configured address will not
immediately be marked as usable.
- Recursive route support has been overhauled. Scripts parsing "show ip
route" output may need adaptation.
- A large amount of changes has been merged for ospf6d. Careful evaluation
prior to deployment is recommended.
- Multiprotocol peerings over IPv6 now try to find a more appropriate IPv4
nexthop by looking at the interface.
- Relaxed bestpath criteria for multipath and improved display of
multipath routes in "show ip bgp". Scripts parsing this output may need
to be updated.
- Support for iBGP TTL security.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12-SP3:
zypper in -t patch SUSE-SLE-SDK-12-SP3-2017-1407=1
- SUSE Linux Enterprise Software Development Kit 12-SP2:
zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-1407=1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-1407=1
- SUSE Linux Enterprise Server 12-SP3:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-2017-1407=1
- SUSE Linux Enterprise Server 12-SP2:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-1407=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):
quagga-debuginfo-1.1.1-17.3.3
quagga-debugsource-1.1.1-17.3.3
quagga-devel-1.1.1-17.3.3
- SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):
quagga-debuginfo-1.1.1-17.3.3
quagga-debugsource-1.1.1-17.3.3
quagga-devel-1.1.1-17.3.3
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
libfpm_pb0-1.1.1-17.3.3
libfpm_pb0-debuginfo-1.1.1-17.3.3
libospf0-1.1.1-17.3.3
libospf0-debuginfo-1.1.1-17.3.3
libospfapiclient0-1.1.1-17.3.3
libospfapiclient0-debuginfo-1.1.1-17.3.3
libquagga_pb0-1.1.1-17.3.3
libquagga_pb0-debuginfo-1.1.1-17.3.3
libzebra1-1.1.1-17.3.3
libzebra1-debuginfo-1.1.1-17.3.3
quagga-1.1.1-17.3.3
quagga-debuginfo-1.1.1-17.3.3
quagga-debugsource-1.1.1-17.3.3
- SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):
libfpm_pb0-1.1.1-17.3.3
libfpm_pb0-debuginfo-1.1.1-17.3.3
libospf0-1.1.1-17.3.3
libospf0-debuginfo-1.1.1-17.3.3
libospfapiclient0-1.1.1-17.3.3
libospfapiclient0-debuginfo-1.1.1-17.3.3
libquagga_pb0-1.1.1-17.3.3
libquagga_pb0-debuginfo-1.1.1-17.3.3
libzebra1-1.1.1-17.3.3
libzebra1-debuginfo-1.1.1-17.3.3
quagga-1.1.1-17.3.3
quagga-debuginfo-1.1.1-17.3.3
quagga-debugsource-1.1.1-17.3.3
- SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64):
libfpm_pb0-1.1.1-17.3.3
libfpm_pb0-debuginfo-1.1.1-17.3.3
libospf0-1.1.1-17.3.3
libospf0-debuginfo-1.1.1-17.3.3
libospfapiclient0-1.1.1-17.3.3
libospfapiclient0-debuginfo-1.1.1-17.3.3
libquagga_pb0-1.1.1-17.3.3
libquagga_pb0-debuginfo-1.1.1-17.3.3
libzebra1-1.1.1-17.3.3
libzebra1-debuginfo-1.1.1-17.3.3
quagga-1.1.1-17.3.3
quagga-debuginfo-1.1.1-17.3.3
quagga-debugsource-1.1.1-17.3.3
References:
https://www.suse.com/security/cve/CVE-2016-1245.html
https://www.suse.com/security/cve/CVE-2017-5495.html
https://bugzilla.suse.com/1005258
https://bugzilla.suse.com/1021669
https://bugzilla.suse.com/1034273
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWaYkZ4x+lLeg9Ub1AQhqSw//Y5Dn+l1N4xMpxHbxHiv8pPy+5hHuJyPK
pdbDAyUbs0lMr/V1kfxEb3EIPacXKsYr9sjoBWkEJ9rthYeQddRHjf/VlyNH0dX/
oBzvXv9V89WPmZTIclm6B0sAJaj9OkBVUpDStqIfH+hFk3+gP75ecQdqUGe/QLPA
tVzp2j8Qwf/KdjhnPvCojGFbSkz6JFIr0FwGM6FtD4KHuAambGIR/DBqhJ0jxNAA
vq92HXjNECz1Hiw0gzuk0aoWX/M1Q40kzPbX7Hn32IjpwXQgfIBtaxt5Z+LtB90/
Y87BXknU/XLg8qVE3jqOW2JSeyRCeR5YoQCnqixKM2loWGU/W3YQsdNWRqp5dyLL
BqOYUVD3HhkiqdSrIr203LqQkWEnsKz5kcBqewU2YWCsp3+XgP1NuzIeuqsMxK2o
9Go2DnvP81AG1qqJS1gZ15HjVsYE7TQVvHFSueH62KJQ+SJVaA0cOKmfNupK3pFH
jiir9SI8MKx1YC/0+H4R+LczyRMWoca2P8NL1Sw5UT/hydHn4+A6spB4seyARYwB
zoyvz1fPZ7mg/cbLsHJ6Ln7U4uqnw02BeZVdyko3UdNpNBbLnjtS9q8pk8GVppCr
ObRgLFiJAtg+qeXaxIRqaV5Iu2+cVcY4SKTrRGRlAW52mHmRHxW/zEseNYFrHivZ
PD53LYeIW78=
=nOIe
-----END PGP SIGNATURE-----