[Buildroot] [PATCH] quagga: add upstream security fixes
Peter Korsgaard
peter at korsgaard.com
Tue Apr 10 20:47:22 UTC 2018
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issues:
> CVE-2018-5378
> It was discovered that the Quagga BGP daemon, bgpd, does not
> properly bounds check data sent with a NOTIFY to a peer, if an
> attribute length is invalid. A configured BGP peer can take
> advantage of this bug to read memory from the bgpd process or cause
> a denial of service (daemon crash).
> https://www.quagga.net/security/Quagga-2018-0543.txt
> CVE-2018-5379
> It was discovered that the Quagga BGP daemon, bgpd, can double-free
> memory when processing certain forms of UPDATE message, containing
> cluster-list and/or unknown attributes, resulting in a denial of
> service (bgpd daemon crash).
> https://www.quagga.net/security/Quagga-2018-1114.txt
> CVE-2018-5380
> It was discovered that the Quagga BGP daemon, bgpd, does not
> properly handle internal BGP code-to-string conversion tables.
> https://www.quagga.net/security/Quagga-2018-1550.txt
> CVE-2018-5381
> It was discovered that the Quagga BGP daemon, bgpd, can enter an
> infinite loop if sent an invalid OPEN message by a configured peer.
> A configured peer can take advantage of this flaw to cause a denial
> of service (bgpd daemon not responding to any other events; BGP
> sessions will drop and not be reestablished; unresponsive CLI
> interface).
> https://www.quagga.net/security/Quagga-2018-1975.txt
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2017.02.x, thanks.
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list