Debian Bug report logs - #442133
CVE-2007-4826 remote denial of service

version graph

Package: quagga; Maintainer for quagga is Christian Hammers <ch@debian.org>; Source for quagga is src:quagga.

Reported by: Nico Golde <nion@debian.org>

Date: Thu, 13 Sep 2007 12:51:03 UTC

Severity: normal

Tags: security

Found in version quagga/0.99.8-1

Fixed in versions quagga/0.99.9-1, quagga/0.99.9-2, quagga/0.98.3-7.5, quagga/0.99.5-5etch3

Done: Christian Hammers <ch@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#442133; Package quagga. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-4826 remote denial of service
Date: Thu, 13 Sep 2007 14:41:22 +0200
[Message part 1 (text/plain, inline)]
Package: quagga
Version: 0.99.8-1
Severity: serious
Tags: security

Hi,
a CVE has been issued against quagga.
CVE-2007-4826[0]:
bgpd in Quagga before 0.99.9 allows remote BGP peers to 
cause a denial of service (crash) via a malformed (1) OPEN 
message or (2) COMMUNITY attribute

Please include the CVE id in the changelog if you fix the 
bug.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4826

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug marked as fixed in version 0.99.9-1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 13 Sep 2007 12:54:03 GMT) Full text and rfc822 format available.

Severity set to `normal' from `serious' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 13 Sep 2007 12:54:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#442133; Package quagga. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #14 received at 442133@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Nico Golde <nion@debian.org>, 442133@bugs.debian.org, dc <control@bugs.debian.org>
Subject: Re: Bug#442133: CVE-2007-4826 remote denial of service
Date: Thu, 13 Sep 2007 17:22:10 +0200
close 442133 0.99.9-1
stop


On 2007-09-13 Nico Golde wrote:
> a CVE has been issued against quagga.
> CVE-2007-4826[0]:
> bgpd in Quagga before 0.99.9 allows remote BGP peers to 
> cause a denial of service (crash) via a malformed (1) OPEN 
> message or (2) COMMUNITY attribute

Ah, thanks for Id, I will reupload the unstable version from yesterday and
prepare a security upload in the next days.

bye,

-christian-




Bug marked as fixed in version 0.99.9-1, send any further explanations to Nico Golde <nion@debian.org> Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. (Thu, 13 Sep 2007 15:24:04 GMT) Full text and rfc822 format available.

Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #21 received at 442133-close@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 442133-close@bugs.debian.org
Subject: Bug#442133: fixed in quagga 0.99.9-2
Date: Tue, 25 Sep 2007 21:17:03 +0000
Source: quagga
Source-Version: 0.99.9-2

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive:

quagga-doc_0.99.9-2_all.deb
  to pool/main/q/quagga/quagga-doc_0.99.9-2_all.deb
quagga_0.99.9-2.diff.gz
  to pool/main/q/quagga/quagga_0.99.9-2.diff.gz
quagga_0.99.9-2.dsc
  to pool/main/q/quagga/quagga_0.99.9-2.dsc
quagga_0.99.9-2_amd64.deb
  to pool/main/q/quagga/quagga_0.99.9-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 442133@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <ch@debian.org> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 25 Sep 2007 22:01:31 +0200
Source: quagga
Binary: quagga quagga-doc
Architecture: source amd64 all
Version: 0.99.9-2
Distribution: unstable
Urgency: low
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Christian Hammers <ch@debian.org>
Description: 
 quagga     - BGP/OSPF/RIP routing daemon
 quagga-doc - documentation files for quagga
Closes: 442133
Changes: 
 quagga (0.99.9-2) unstable; urgency=low
 .
   * Added CVE id for the security bug to the last changelog entry.
     Closes: 442133
Files: 
 13df09baff14c0be83c5047a2f0da840 882 net optional quagga_0.99.9-2.dsc
 e69dccd677fedd9b75708e22f8c6b2d7 33285 net optional quagga_0.99.9-2.diff.gz
 3bb81a36ded5cb08ca86b90ac39607e7 659718 net optional quagga-doc_0.99.9-2_all.deb
 f2f4958c84df8c577bd485869d38a30d 1492776 net optional quagga_0.99.9-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iEYEARECAAYFAkb5d2oACgkQkR9K5oahGOZu4gCgw0HJJpFsk1SThUUrI2DFz94y
HiwAoNcXCGGSdWxT5ur3bwUlabUWjA85
=kkiP
-----END PGP SIGNATURE-----





Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #26 received at 442133-close@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 442133-close@bugs.debian.org
Subject: Bug#442133: fixed in quagga 0.98.3-7.5
Date: Tue, 16 Oct 2007 19:56:51 +0000
Source: quagga
Source-Version: 0.98.3-7.5

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive:

quagga-doc_0.98.3-7.5_all.deb
  to pool/main/q/quagga/quagga-doc_0.98.3-7.5_all.deb
quagga_0.98.3-7.5.diff.gz
  to pool/main/q/quagga/quagga_0.98.3-7.5.diff.gz
quagga_0.98.3-7.5.dsc
  to pool/main/q/quagga/quagga_0.98.3-7.5.dsc
quagga_0.98.3-7.5_i386.deb
  to pool/main/q/quagga/quagga_0.98.3-7.5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 442133@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <ch@debian.org> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 25 Sep 2007 23:54:28 +0200
Source: quagga
Binary: quagga quagga-doc
Architecture: source i386 all
Version: 0.98.3-7.5
Distribution: oldstable-security
Urgency: high
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Christian Hammers <ch@debian.org>
Description: 
 quagga     - unoff. successor of the Zebra BGP/OSPF/RIP routing daemon
 quagga-doc - documentation files for quagga
Closes: 442133
Changes: 
 quagga (0.98.3-7.5) oldstable-security; urgency=high
 .
   * SECURITY:
     A bgpd could be crashed if a peer sent a malformed OPEN message or a
     malformed COMMUNITY attribute. Only configured peers can do this.
     The bug is fixed by 96_SECURITY_ubuntu_fix_dos_malformed_community.dpatch.
     CVE-2007-4826. Closes: 442133
Files: 
 69dc4e5de4de00ec723ecaad6f285af8 1017 net optional quagga_0.98.3-7.5.dsc
 8bfd06c851172358137d7b67d5f90490 43910 net optional quagga_0.98.3-7.5.diff.gz
 4f150df3d0d7c1b26d648590ac02541a 488996 net optional quagga-doc_0.98.3-7.5_all.deb
 e3057ed965a580381e7c15dc430df295 1192432 net optional quagga_0.98.3-7.5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBRv6giL97/wQC1SS+AQJ1jQf9EktKzy0lOWfuHn6Hy990qlHUV+tQsXVO
kp3jJTVnKEZPiazMMJJniBweCVT5T3TDn7d7kP2ta49IOJ//r1QD/tWQ5/Eme93X
q1gUardl+n92TUwwkM19zyZo19KX0M776JsQzzTW5XzNYBO8NJJvg6ZehjwBXuoa
AOUG6pA/Op/1Zk7Q/dmpqa8R3DMRnZnxJNIxRaRIQ3qckqvGcCYqQftwlbJ2s9F9
xwOenv7nkqcfogmjZnP/L9PpEZTMbN2/TcGBXeeOchEQGGqXuwxNF12i49FRYSSg
5x0N4CYvfGtObAATtEn4yujCOMSL3MFKvvGogljOTHsUvTpAlfWCyA==
=kCtS
-----END PGP SIGNATURE-----





Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #31 received at 442133-close@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 442133-close@bugs.debian.org
Subject: Bug#442133: fixed in quagga 0.99.5-5etch3
Date: Tue, 16 Oct 2007 19:56:38 +0000
Source: quagga
Source-Version: 0.99.5-5etch3

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive:

quagga-doc_0.99.5-5etch3_all.deb
  to pool/main/q/quagga/quagga-doc_0.99.5-5etch3_all.deb
quagga_0.99.5-5etch3.diff.gz
  to pool/main/q/quagga/quagga_0.99.5-5etch3.diff.gz
quagga_0.99.5-5etch3.dsc
  to pool/main/q/quagga/quagga_0.99.5-5etch3.dsc
quagga_0.99.5-5etch3_amd64.deb
  to pool/main/q/quagga/quagga_0.99.5-5etch3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 442133@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <ch@debian.org> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 25 Sep 2007 22:10:42 +0200
Source: quagga
Binary: quagga quagga-doc
Architecture: source amd64 all
Version: 0.99.5-5etch3
Distribution: stable-security
Urgency: high
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Christian Hammers <ch@debian.org>
Description: 
 quagga     - unoff. successor of the Zebra BGP/OSPF/RIP routing daemon
 quagga-doc - documentation files for quagga
Closes: 442133
Changes: 
 quagga (0.99.5-5etch3) stable-security; urgency=high
 .
   * SECURITY:
     A bgpd could be crashed if a peer sent a malformed OPEN message or a
     malformed COMMUNITY attribute. Only configured peers can do this.
     The bug is fixed by 96_SECURITY_ubuntu_fix_dos_malformed_community.dpatch.
     CVE-2007-4826. Closes: 442133
Files: 
 3a36e812322157de715626cbe04c519f 1046 net optional quagga_0.99.5-5etch3.dsc
 0de3c5021dbed0e4739f88b6f00a9c59 33551 net optional quagga_0.99.5-5etch3.diff.gz
 2bafee611f8a75fedc07be2224f90922 720288 net optional quagga-doc_0.99.5-5etch3_all.deb
 00846f88e7df3db61001d54fd5647d23 1414716 net optional quagga_0.99.5-5etch3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBRvn0tr97/wQC1SS+AQKLCwf+IMIUju1U9dp7Wrzdzz5Q9QjRH5NYZUIj
WU6K+CluBKhhcvnpTWs+5Qu7pEJfLIgvRHRFq6zlhw24gbExvo49Tv8LwXppzmPM
9ZzVfN55SGtq4LVRXMab/rI3oiTmBmjMaIyLMLr2Ov+l8wS+huaxche0jW8xITY2
Kg4uY8wwZTScbuDtpQT2BV9Kbhd1d1aKamaoziFyGd8o8wEPgfUacgC/684S9Wv4
p9fjIZY3crjXuYhjGrX/ba9SgutVll4KojxjnBoEbXn5N5PJCUaabj1r1zIQ+zB5
juNr8ZCUQRmKICuZ/kQFL3rC5D+3bzCAWOyciFg44w4kowHERdLq9g==
=yj9B
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 14 Nov 2007 07:26:51 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 06:21:21 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.