-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2163
                SUSE Security Update: Security update for quagga
                               30 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Quagga
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5495 CVE-2016-1245

Reference:         ESB-2017.0756
                   ESB-2016.2478
                   ESB-2016.2452
                   ESB-2016.2440

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for quagga
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:2294-1
Rating:             important
References:         #1005258 #1021669 #1034273
Cross-References:   CVE-2016-1245 CVE-2017-5495
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP3
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP3
                    SUSE Linux Enterprise Server 12-SP2
______________________________________________________________________________

   An update that solves two vulnerabilities and has one erratum is now
   available.

Description:

   This update provides Quagga 1.1.1, which brings several fixes and
   enhancements.

   Security issues fixed:

   - CVE-2017-5495: Denial of service in the telnet 'vty' interface due to
     unbounded memory allocation. (bsc#1021669)
   - CVE-2016-1245: Stack overrun in the IPv6 Router Advertisement (RA)
     receive code. (bsc#1005258)

   Bug fixes:

   - Do not enable zebra's TCP interface (port 2600); use the default UNIX
     socket for communication between the daemons.
     (fate#323170)

   Between 0.99.22.1 and 1.1.1 the following improvements have been
   implemented:

   - Changed the default of the 'link-detect' state, which controls whether
     zebra responds to link-state events and considers an interface to be
     down when its link is down. To retain the current behavior, save your
     config before updating; otherwise remove the 'link-detect' flag from
     your config prior to updating. There is also a new global
     'default link-detect (on|off)' flag to configure the global default.
   - Greatly improved nexthop resolution for recursive routes.
   - Event-driven nexthop resolution for BGP.
   - Route tags support.
   - Transport of TE-related metrics over OSPF and IS-IS.
   - IPv6 multipath for zebra and BGP.
   - Multicast RIB support has been extended. It is still IPv4 only.
   - RIP for IPv4 now supports equal-cost multipath (ECMP).
   - route-maps have a new action "set ipv6 next-hop peer-address".
   - route-maps have a new action "set as-path prepend last-as".
   - "next-hop-self all" to override the nexthop on iBGP route reflector
     setups.
   - The new pimd daemon provides IPv4 PIM-SSM multicast routing.
   - IPv6 address management has been improved regarding tentative
     addresses. This is visible in that a freshly configured address will
     not immediately be marked as usable.
   - Recursive route support has been overhauled. Scripts parsing
     "show ip route" output may need adaptation.
   - A large number of changes has been merged for ospf6d. Careful
     evaluation prior to deployment is recommended.
   - Multiprotocol peerings over IPv6 now try to find a more appropriate
     IPv4 nexthop by looking at the interface.
   - Relaxed bestpath criteria for multipath and improved display of
     multipath routes in "show ip bgp". Scripts parsing this output may
     need to be updated.
   - Support for iBGP TTL security.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP3:

      zypper in -t patch SUSE-SLE-SDK-12-SP3-2017-1407=1

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-1407=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-1407=1

   - SUSE Linux Enterprise Server 12-SP3:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2017-1407=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-1407=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):

      quagga-debuginfo-1.1.1-17.3.3
      quagga-debugsource-1.1.1-17.3.3
      quagga-devel-1.1.1-17.3.3

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      quagga-debuginfo-1.1.1-17.3.3
      quagga-debugsource-1.1.1-17.3.3
      quagga-devel-1.1.1-17.3.3

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      libfpm_pb0-1.1.1-17.3.3
      libfpm_pb0-debuginfo-1.1.1-17.3.3
      libospf0-1.1.1-17.3.3
      libospf0-debuginfo-1.1.1-17.3.3
      libospfapiclient0-1.1.1-17.3.3
      libospfapiclient0-debuginfo-1.1.1-17.3.3
      libquagga_pb0-1.1.1-17.3.3
      libquagga_pb0-debuginfo-1.1.1-17.3.3
      libzebra1-1.1.1-17.3.3
      libzebra1-debuginfo-1.1.1-17.3.3
      quagga-1.1.1-17.3.3
      quagga-debuginfo-1.1.1-17.3.3
      quagga-debugsource-1.1.1-17.3.3

   - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):

      libfpm_pb0-1.1.1-17.3.3
      libfpm_pb0-debuginfo-1.1.1-17.3.3
      libospf0-1.1.1-17.3.3
      libospf0-debuginfo-1.1.1-17.3.3
      libospfapiclient0-1.1.1-17.3.3
      libospfapiclient0-debuginfo-1.1.1-17.3.3
      libquagga_pb0-1.1.1-17.3.3
      libquagga_pb0-debuginfo-1.1.1-17.3.3
      libzebra1-1.1.1-17.3.3
      libzebra1-debuginfo-1.1.1-17.3.3
      quagga-1.1.1-17.3.3
      quagga-debuginfo-1.1.1-17.3.3
      quagga-debugsource-1.1.1-17.3.3

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64):

      libfpm_pb0-1.1.1-17.3.3
      libfpm_pb0-debuginfo-1.1.1-17.3.3
      libospf0-1.1.1-17.3.3
      libospf0-debuginfo-1.1.1-17.3.3
      libospfapiclient0-1.1.1-17.3.3
      libospfapiclient0-debuginfo-1.1.1-17.3.3
      libquagga_pb0-1.1.1-17.3.3
      libquagga_pb0-debuginfo-1.1.1-17.3.3
      libzebra1-1.1.1-17.3.3
      libzebra1-debuginfo-1.1.1-17.3.3
      quagga-1.1.1-17.3.3
      quagga-debuginfo-1.1.1-17.3.3
      quagga-debugsource-1.1.1-17.3.3

References:

   https://www.suse.com/security/cve/CVE-2016-1245.html
   https://www.suse.com/security/cve/CVE-2017-5495.html
   https://bugzilla.suse.com/1005258
   https://bugzilla.suse.com/1021669
   https://bugzilla.suse.com/1034273

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWaYkZ4x+lLeg9Ub1AQhqSw//Y5Dn+l1N4xMpxHbxHiv8pPy+5hHuJyPK
pdbDAyUbs0lMr/V1kfxEb3EIPacXKsYr9sjoBWkEJ9rthYeQddRHjf/VlyNH0dX/
oBzvXv9V89WPmZTIclm6B0sAJaj9OkBVUpDStqIfH+hFk3+gP75ecQdqUGe/QLPA
tVzp2j8Qwf/KdjhnPvCojGFbSkz6JFIr0FwGM6FtD4KHuAambGIR/DBqhJ0jxNAA
vq92HXjNECz1Hiw0gzuk0aoWX/M1Q40kzPbX7Hn32IjpwXQgfIBtaxt5Z+LtB90/
Y87BXknU/XLg8qVE3jqOW2JSeyRCeR5YoQCnqixKM2loWGU/W3YQsdNWRqp5dyLL
BqOYUVD3HhkiqdSrIr203LqQkWEnsKz5kcBqewU2YWCsp3+XgP1NuzIeuqsMxK2o
9Go2DnvP81AG1qqJS1gZ15HjVsYE7TQVvHFSueH62KJQ+SJVaA0cOKmfNupK3pFH
jiir9SI8MKx1YC/0+H4R+LczyRMWoca2P8NL1Sw5UT/hydHn4+A6spB4seyARYwB
zoyvz1fPZ7mg/cbLsHJ6Ln7U4uqnw02BeZVdyko3UdNpNBbLnjtS9q8pk8GVppCr
ObRgLFiJAtg+qeXaxIRqaV5Iu2+cVcY4SKTrRGRlAW52mHmRHxW/zEseNYFrHivZ
PD53LYeIW78=
=nOIe
-----END PGP SIGNATURE-----
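Two checks a practitioner would want to run against the bulletin above, as an added example that is not part of the SUSE advisory or the AusCERT redistribution: first, whether the installed quagga package is older than the fixed version-release 1.1.1-17.3.3 named in the package list, using the same segment-by-segment comparison rules rpm itself applies (so 1.1.1-17.3.10 correctly sorts after 1.1.1-17.3.3, and a '~rc' pre-release sorts before the release); second, whether the attack surface of CVE-2017-5495 (the telnet 'vty' interface, which the bulletin rates as remote/unauthenticated) or the old zebra TCP interface on port 2600 that the bug-fix note replaces with a UNIX socket is still listening on a network-reachable address. The installed version is assumed to come from `rpm -q --qf '%{VERSION}-%{RELEASE}' quagga` and the listener table from `ss -Hltn`; the vty port-to-daemon table is an assumption based on Quagga's usual defaults and is not in the bulletin, and both sample inputs are constructed, not captured from a real host.

```python
"""Post-advisory checks for the Quagga update (added example; constructed inputs)."""

FIXED_EVR = "1.1.1-17.3.3"      # version-release from the bulletin's package list
ZEBRA_ZAPI_PORT = 2600          # zebra TCP interface named in the bug-fix note
# Assumed Quagga default vty (telnet) ports; the bulletin itself names only 2600.
VTY_PORTS = {2601: "zebra", 2602: "ripd", 2603: "ripngd", 2604: "ospfd",
             2605: "bgpd", 2606: "ospf6d", 2608: "isisd", 2611: "pimd"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def rpm_vercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings like rpmvercmp():
    -1 if a < b, 0 if equal, 1 if a > b. '~' (pre-release) sorts before
    everything, including end of string; the newer '^' operator is not handled."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric or '~') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if a_tilde and b_tilde:
                i, j = i + 1, j + 1
                continue
            return -1 if a_tilde else 1
        if i >= len(a) or j >= len(b):
            break
        # Take one segment of a single kind (all digits or all letters) from each.
        is_num = a[i].isdigit()
        kind = str.isdigit if is_num else str.isalpha
        si, sj = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                        # kinds differ: numeric beats alpha
            return 1 if is_num else -1
        if is_num:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):     # longer number is larger
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1          # whichever has leftovers is newer


def split_evr(evr: str):
    """'epoch:version-release' -> (epoch, version, release); epoch defaults to 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evr_cmp(a: str, b: str) -> int:
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)


def needs_update(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True if the installed version-release is older than the fixed one."""
    return evr_cmp(installed_evr, fixed_evr) < 0


def exposed_quagga_listeners(ss_output: str):
    """Parse `ss -Hltn` output; flag the zebra TCP interface on any address and
    vty ports bound to a non-loopback address (i.e. reachable remotely)."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, _, port = cols[3].rpartition(":")   # handles [::1]:2604 too
        if not port.isdigit():
            continue
        port = int(port)
        if port == ZEBRA_ZAPI_PORT:
            findings.append((port, "zebra TCP interface", host))
        elif port in VTY_PORTS and host not in LOOPBACK:
            findings.append((port, VTY_PORTS[port] + " vty", host))
    return findings


# Constructed sample inputs (not captured from a real host).
SAMPLE_INSTALLED = "0.99.22.1-9.1"
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:2601 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2605 0.0.0.0:*
LISTEN 0 128 *:2600 *:*
LISTEN 0 128 [::1]:2604 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

if __name__ == "__main__":
    print("quagga needs update:", needs_update(SAMPLE_INSTALLED))
    for port, what, host in exposed_quagga_listeners(SAMPLE_SS):
        print(f"exposed: {what} on {host}:{port}")
```

On the constructed sample the version check reports that 0.99.22.1-9.1 needs the update, and the listener check flags bgpd's vty on 0.0.0.0:2605 and the zebra TCP interface on *:2600 while ignoring the loopback-bound vty ports. Installing the patch closes the memory-allocation bug, but a vty still bound to every interface remains reachable by anyone on the network, so the second check is worth keeping after the upgrade.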