Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.0482 quagga security update 16 February 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: quagga Publisher: Debian Operating System: Debian GNU/Linux 9 Debian GNU/Linux 8 UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Existing Account Denial of Service -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2018-5381 CVE-2018-5380 CVE-2018-5379 CVE-2018-5378 Original Bulletin: http://www.debian.org/security/2018/dsa-4115 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running quagga check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-4115-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 15, 2018 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : quagga CVE ID : CVE-2018-5378 CVE-2018-5379 CVE-2018-5380 CVE-2018-5381 Several vulnerabilities have been discovered in Quagga, a routing daemon. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2018-5378 It was discovered that the Quagga BGP daemon, bgpd, does not properly bounds check data sent with a NOTIFY to a peer, if an attribute length is invalid. A configured BGP peer can take advantage of this bug to read memory from the bgpd process or cause a denial of service (daemon crash). https://www.quagga.net/security/Quagga-2018-0543.txt CVE-2018-5379 It was discovered that the Quagga BGP daemon, bgpd, can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes, resulting in a denial of service (bgpd daemon crash). https://www.quagga.net/security/Quagga-2018-1114.txt CVE-2018-5380 It was discovered that the Quagga BGP daemon, bgpd, does not properly handle internal BGP code-to-string conversion tables. https://www.quagga.net/security/Quagga-2018-1550.txt CVE-2018-5381 It was discovered that the Quagga BGP daemon, bgpd, can enter an infinite loop if sent an invalid OPEN message by a configured peer. A configured peer can take advantage of this flaw to cause a denial of service (bgpd daemon not responding to any other events; BGP sessions will drop and not be reestablished; unresponsive CLI interface). https://www.quagga.net/security/Quagga-2018-1975.txt For the oldstable distribution (jessie), these problems have been fixed in version 0.99.23.1-1+deb8u5. For the stable distribution (stretch), these problems have been fixed in version 1.1.1-3+deb9u2. We recommend that you upgrade your quagga packages. For the detailed security status of quagga please refer to its security tracker page at: https://security-tracker.debian.org/tracker/quagga Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqGBaVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0RpyRAAhVpntFw+LSUUzL2/cx7m+s4fHijhOkU/AjKKmW4a9rAi0iJYW4HNv5BU cKfz6yhngFUzCa+Glhmiwzt77eAoeksJSvxkKio5CTqjV3OxCWbDPPz/iRRHcKvK MGhnqyShMCF8boQU0plmqNbfhnSWNAObbaI2fPmjLOU4A4jPY1T/fbzu4Sd3k5qY ETeHq9+HlVdGnyNEoYnoO0XQH56ueNHy3VlChJ0S2OPtFtoKXkjM/er+yG6413+G 3e90tcbm2xlitmrTyZm9K/Q08UWLJx510n1rxehaO1DTEz+bqSNezySOhyNb8sTA fuadDpgs2ozwgSmxyuWFj0RL3fKvgycw1ZeNiS5nUmRJTobrPlnjyX+A8FEJhPuI 9xyVa8j6wUeBVZdgd9b/EWLQ1Z9oDRiXmHRJeVOtz4JRNPP1KLtBcsPxFW9eCp83 9gFMqk/vMYQSpRqtQdnl5OawEpeurMtusBsnlEV5y9afiHU9jKB8N7RPwxCJgtjP /jmhS4lOvn3F5lNILahaL3lrk/b0EsECajBltbN9YVU0yabWWRWSMrJ3ujamhaXE aUQKmVj1alwDyg90vToiUftdr3R0hPPFuzA0BAK55SJVzjwJ2XInzItr+2y1tMPn dSpd32tzrxpDm86rvmRIiAJbj28n7QnX9I9BlKZqWq2fUUhTkNg= =Gy8j - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWoZdzox+lLeg9Ub1AQgxpQ//Q6XXMmhxRiBqTV+8yoO9JswEmos64te/ upaiBo/wQ+hGkhZ0fxjxHnpT59j271d+rC0vIhME8gdSq9EzZSSOz/sUuEHGA+ag uGK6VPtyF0hwNngNYWFK1Se0z0pFeEsmnxDXh7xYyd0NTlvqSt3HUXNo4FLLCxMI QIN8TaDC060+lBKLfKAdLbrQd/A38JpnWaR9doDwcyk9RNmZtCj1DAmr0E5v48cl PJ8tEI0+1ZxtqI5CfvspontvqGmqNFpsiioviYuNRzWy0/z2UOqR09DYXu+NEMbI BgG/rmkioMjRUDN+GxlZ22ZwvjCq8qkxSxPm5Mu+2C4YXzQ0AE1OwlM3Wpaf34DI 0mvU8OHLOflerPTn5Qu35OprpWipqUoVI7FwazOiUzwCnvueKExr7qYbzLR/m++A fw8DRmWFnjweUDqIR1Mc0zsjh+n/fYoUOENaubycLhpHXzOYBLSpHY+i8I/C3e6n nz/awWhCCQNkbg3hpFpEA+9yYb7IY7Sc5jMiAXALUzDh4fX0Njwn6W1fbU8BpPlO Q8NI7okXI5z3dS4645mDIY1xFhKTfh/Jiu2yjgS6yFk6yhSY17oKVRFdqNyyS+CS 3cWIEY0+h0PpQe4t+0vo4tEi9jSaA+685tJNl6iF5il8Nf9J0S3CWqsvh3u5ItQk 7bvMniUKKpA= =1Jv/ -----END PGP SIGNATURE-----