Debian Bug report logs - #594262
quagga: Two BGP security problems fixed in 0.99.17

version graph

Package: quagga; Maintainer for quagga is Christian Hammers <ch@debian.org>; Source for quagga is src:quagga.

Reported by: Christian Hammers <ch@debian.org>

Date: Tue, 24 Aug 2010 23:21:02 UTC

Severity: grave

Tags: security

Found in version 0.99.16

Fixed in version quagga/0.99.17-1

Done: Christian Hammers <ch@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org:
Bug#594262; Package quagga. (Tue, 24 Aug 2010 23:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org. (Tue, 24 Aug 2010 23:21:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: quagga: Two BGP security problems fixed in 0.99.17
Date: Wed, 25 Aug 2010 01:08:23 +0200
Package: quagga
Version: 0.99.16
Severity: grave
Tags: security
Justification: user security hole

The release notes of quagga 0.99.17 on
http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100 mention that:
"This release provides two important bugfixes, which address remote crash
possibility in bgpd discovered by CROSS team. "

CVE IDs have already been requested by someone from RedHat on oss-security:
http://marc.info/?l=oss-security&m=128265627617285&w=2 but not yet been
granted.

Meanwhile I upload 0.99.17 to sid and ask if 0.99.10 (lenny) is affected and if
there's a 0.99.16 backport for the frozen squeeze.

bye,

-christian-



-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages quagga depends on:
ii  adduser                       3.112      add and remove users and groups
ii  debconf [debconf-2.0]         1.5.35     Debian configuration management sy
ii  iproute                       20100519-3 networking and traffic control too
ii  libc6                         2.11.2-2   Embedded GNU C Library: Shared lib
ii  libcap2                       1:2.19-3   support for getting/setting POSIX.
ii  libpam0g                      1.1.1-4    Pluggable Authentication Modules l
ii  libpcre3                      8.02-1.1   Perl 5 Compatible Regular Expressi
ii  libreadline6                  6.1-3      GNU readline and history libraries
ii  logrotate                     3.7.8-6    Log rotation utility

quagga recommends no packages.

Versions of packages quagga suggests:
ii  snmpd                       5.4.3~dfsg-1 SNMP (Simple Network Management Pr




Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#594262; Package quagga. (Wed, 25 Aug 2010 07:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. (Wed, 25 Aug 2010 07:18:04 GMT) Full text and rfc822 format available.

Message #10 received at 594262@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Christian Hammers <ch@debian.org>, 594262@bugs.debian.org
Subject: Re: Bug#594262: quagga: Two BGP security problems fixed in 0.99.17
Date: Wed, 25 Aug 2010 09:14:56 +0200
[Message part 1 (text/plain, inline)]
Hi Christian,

On woansdei 25 Augustus 2010, Christian Hammers wrote:
> Meanwhile I upload 0.99.17 to sid and ask if 0.99.10 (lenny) is affected
> and if there's a 0.99.16 backport for the frozen squeeze.

Good to hear that you're on to of it.

As for squeeze, from reading the changelog it looks like the nature of the 
changes is all bugfixes - perhaps a freeze exception for 0.99.17 is possible 
instead of backporting the patches?


Cheers,
Thijs
[signature.asc (application/pgp-signature, inline)]

Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility. (Wed, 25 Aug 2010 23:03:09 GMT) Full text and rfc822 format available.

Notification sent to Christian Hammers <ch@debian.org>:
Bug acknowledged by developer. (Wed, 25 Aug 2010 23:03:09 GMT) Full text and rfc822 format available.

Message #15 received at 594262-close@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 594262-close@bugs.debian.org
Subject: Bug#594262: fixed in quagga 0.99.17-1
Date: Wed, 25 Aug 2010 23:02:25 +0000
Source: quagga
Source-Version: 0.99.17-1

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive:

quagga-doc_0.99.17-1_all.deb
  to main/q/quagga/quagga-doc_0.99.17-1_all.deb
quagga_0.99.17-1.diff.gz
  to main/q/quagga/quagga_0.99.17-1.diff.gz
quagga_0.99.17-1.dsc
  to main/q/quagga/quagga_0.99.17-1.dsc
quagga_0.99.17-1_amd64.deb
  to main/q/quagga/quagga_0.99.17-1_amd64.deb
quagga_0.99.17.orig.tar.gz
  to main/q/quagga/quagga_0.99.17.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 594262@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <ch@debian.org> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 25 Aug 2010 00:52:48 +0200
Source: quagga
Binary: quagga quagga-doc
Architecture: source all amd64
Version: 0.99.17-1
Distribution: unstable
Urgency: high
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Christian Hammers <ch@debian.org>
Description: 
 quagga     - BGP/OSPF/RIP routing daemon
 quagga-doc - documentation files for quagga
Closes: 594262
Changes: 
 quagga (0.99.17-1) unstable; urgency=high
 .
   * SECURITY:
     "This release provides two important bugfixes, which address remote crash
     possibility in bgpd discovered by CROSS team.":
     1. Stack buffer overflow by processing certain Route-Refresh messages
        CVE-2010-2948
     2. DoS (crash) while processing certain BGP update AS path messages
        CVE-2010-2949
     Closes: #594262
Checksums-Sha1: 
 9e2578eabc22c9d477f94b6d78e83fa4d0a33085 1297 quagga_0.99.17-1.dsc
 31f42fa9f4d96aadf1bf97c3d9bf3308eb0d56c1 2202151 quagga_0.99.17.orig.tar.gz
 c648f7f37aaab9c14d288ba93cc8f14b6e52b21f 34072 quagga_0.99.17-1.diff.gz
 71fc6062b36ef708c221d6f2219ac2e00fa0b01d 608588 quagga-doc_0.99.17-1_all.deb
 f6478cdf1094f80ad1260d35c005ccd500b7bca0 1721314 quagga_0.99.17-1_amd64.deb
Checksums-Sha256: 
 7bad9aa0c93e3c9077f06fd016f4bbeb19bd1fb993248435ab2001e9ac7cda72 1297 quagga_0.99.17-1.dsc
 1d77df121a334e9504b45e489ee7ce35bf478e27d33cd2793a23280b59d9efd4 2202151 quagga_0.99.17.orig.tar.gz
 2be52026b53907462a10615c5c45820742129012d3df80df22bc3fa2a3ab5a31 34072 quagga_0.99.17-1.diff.gz
 99c877ef1d183c06674632cf483e08f35e985a475f1630720a37ab13eb26143f 608588 quagga-doc_0.99.17-1_all.deb
 d95b564c4989ca7ad0a7ce8cf52bacca1752d5f0dde98688fc7ebcc1f9b022f0 1721314 quagga_0.99.17-1_amd64.deb
Files: 
 c58450ec036b06457ac0be4f2ced26d2 1297 net optional quagga_0.99.17-1.dsc
 37b9022adca04b03863d2d79787e643f 2202151 net optional quagga_0.99.17.orig.tar.gz
 48d8ef0ed35c810a6fc1ffcde99f4537 34072 net optional quagga_0.99.17-1.diff.gz
 5bcb7988d5fe45dc081b766151f12351 608588 doc optional quagga-doc_0.99.17-1_all.deb
 fc8717143bb79d4cc8638003ae1582e2 1721314 net optional quagga_0.99.17-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkx1nu4ACgkQkR9K5oahGOa99wCg5LHN/G9px5+EHjwVidLZoxSC
a+gAn0geBQO2s4xYzpkTu+YPVgDXHD0N
=XGSI
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#594262; Package quagga. (Wed, 25 Aug 2010 23:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. (Wed, 25 Aug 2010 23:15:03 GMT) Full text and rfc822 format available.

Message #20 received at 594262@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: "Jan Lieskovsky" <jlieskov@redhat.com>, 594262@bugs.debian.org
Subject: Recent Quagga BGP security bugs
Date: Thu, 26 Aug 2010 01:03:57 +0200
Hello Jan

I read on oss-security-l and the RedHat bugzilla that you've done some
investigations on the recent Quagga BGP security bugs and even
checked if older releases are vulnerable, too.

As they are, I wonder if you will try to backport patches for the older
versions of Quagga that were shipped e.g. with RHEL4 or if you just
upload 0.99.17. At Debian we usually try to be very conservative and
backport patches whenever possible but the GIT changesets you mentioned
look a bit too invasive to me :-(

bye,

-christian-






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 23 Sep 2010 07:36:27 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 07:36:58 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.