Debian: DSA-2104-1: New quagga packages fix denial of service

    Date06 Sep 2010
    CategoryDebian
    31
    Posted ByLinuxSecurity Advisories
    Several remote vulnerabilities have been discovered in the BGP implementation of Quagga, a routing daemon. The Common Vulnerabilities and Exposures project identifies the
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-2104-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                           Florian Weimer
    September 06, 2010                    http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : quagga
    Vulnerability  : several
    Problem type   : remote
    Debian-specific: no
    CVE Id(s)      : CVE-2010-2948 CVE-2010-2949
    Debian Bug     : 594262
    
    Several remote vulnerabilities have been discovered in the BGP
    implementation of Quagga, a routing daemon.
    
    The Common Vulnerabilities and Exposures project identifies the
    following problems:
    
    CVE-2010-2948
    	When processing a crafted Route Refresh message received
    	from a configured, authenticated BGP neighbor, Quagga
    	may crash, leading to a denial of service.
    
    CVE-2010-2949
            When processing certain crafted AS paths, Quagga would crash
    	with a NULL pointer dereference, leading to a denial of
    	service.  In some configurations, such crafted AS paths could
    	be relayed by intermediate BGP routers.
    
    In addition, this update contains a reliability fix:  Quagga will no
    longer advertise confederation-related AS paths to non-confederation
    peers, and reject unexpected confederation-related AS paths by
    resetting the session with the BGP peer which is advertising them.
    (Previously, such AS paths would trigger resets of unrelated BGP
    sessions.)
    
    For the stable distribution (lenny), these problems have been fixed in
    version 0.99.10-1lenny3.
    
    For the unstable distribution (sid) and the testing distribution
    (squeeze), these problems have been fixed in version 0.99.17-1.
    
    We recommend that you upgrade your quagga package.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10.orig.tar.gz
        Size/MD5 checksum:  2424191 c7a2d92e1c42214afef9b2e1cd4b5d06
      http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3.diff.gz
        Size/MD5 checksum:    42826 100dbb936b3b0f0d4fb4947bf384d369
      http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3.dsc
        Size/MD5 checksum:     1651 f5b9c26538e9d32008ad0256fe4ad0ed
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/q/quagga/quagga-doc_0.99.10-1lenny3_all.deb
        Size/MD5 checksum:   661354 f843c6f765a48f7e071a52d3c7834d2f
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_alpha.deb
        Size/MD5 checksum:  1902990 0f85c30d5f719f9c104f5a8977a5d1a0
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_amd64.deb
        Size/MD5 checksum:  1749952 89a53689c4daf3f0695ea2c21aa93254
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_arm.deb
        Size/MD5 checksum:  1449792 3c53e06e4d27ef8cf391533824668b19
    
    armel architecture (ARM EABI)
    
      http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_armel.deb
        Size/MD5 checksum:  1457202 e52ae364e20ff137c5e0e5f75bfc1ec1
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_hppa.deb
        Size/MD5 checksum:  1683924 c8172ed22b010569949977f407c282b6
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_i386.deb
        Size/MD5 checksum:  1608678 e7b5fbd36e4466cdecaca46f1f96642b
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_ia64.deb
        Size/MD5 checksum:  2256144 75ebe4e12a3e22ef79e5e3dab2d457bf
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_mips.deb
        Size/MD5 checksum:  1605990 f33ef3d9b31f0da900aba6a20bdd188d
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_mipsel.deb
        Size/MD5 checksum:  1601240 68ff751ff9c022cc06db8d0d66895a6e
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_powerpc.deb
        Size/MD5 checksum:  1717802 931505a31bdcc1a7732a9a2e9f295a01
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_s390.deb
        Size/MD5 checksum:  1794990 7d52667f3f37553256e87b77450dc309
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_sparc.deb
        Size/MD5 checksum:  1671232 3706818c39b51bb45c58a0cf8fdba202
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"4","type":"x","order":"1","pct":57.14,"resources":[]},{"id":"88","title":"Should be more technical","votes":"2","type":"x","order":"2","pct":28.57,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"1","type":"x","order":"3","pct":14.29,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.