Security Information / 2018 / Security Information -- DSA-4115-1 quagga

Debian Security Advisory

DSA-4115-1 quagga -- security update

Date Reported:

15 Feb 2018

Affected Packages:

quagga

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2018-5378, CVE-2018-5379, CVE-2018-5380, CVE-2018-5381.

More information:

Several vulnerabilities have been discovered in Quagga, a routing daemon. The Common Vulnerabilities and Exposures project identifies the following issues:

• CVE-2018-5378

  It was discovered that the Quagga BGP daemon, bgpd, does not properly bounds check data sent with a NOTIFY to a peer, if an attribute length is invalid. A configured BGP peer can take advantage of this bug to read memory from the bgpd process or cause a denial of service (daemon crash).

  https://www.quagga.net/security/Quagga-2018-0543.txt

• CVE-2018-5379

  It was discovered that the Quagga BGP daemon, bgpd, can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes, resulting in a denial of service (bgpd daemon crash).

  https://www.quagga.net/security/Quagga-2018-1114.txt

• CVE-2018-5380

  It was discovered that the Quagga BGP daemon, bgpd, does not properly handle internal BGP code-to-string conversion tables.

  https://www.quagga.net/security/Quagga-2018-1550.txt

• CVE-2018-5381

  It was discovered that the Quagga BGP daemon, bgpd, can enter an infinite loop if sent an invalid OPEN message by a configured peer. A configured peer can take advantage of this flaw to cause a denial of service (bgpd daemon not responding to any other events; BGP sessions will drop and not be reestablished; unresponsive CLI interface).

  https://www.quagga.net/security/Quagga-2018-1975.txt

For the oldstable distribution (jessie), these problems have been fixed in version 0.99.23.1-1+deb8u5.

For the stable distribution (stretch), these problems have been fixed in version 1.1.1-3+deb9u2.

We recommend that you upgrade your quagga packages.

For the detailed security status of quagga please refer to its security tracker page at: https://security-tracker.debian.org/tracker/quagga