It is claimed that this was fixed in the 3.20.0 release[0,1,2] (or maybe 3.21.0[3]), which would have been fixed in Debian with the 3.21.0-1 upload.
However, the upstream bug report[4] is still open, and I don't see anything in the commit or release notes indicating a fix for this issue. Since the original report depends on a fuzzing setup, I haven't been able to try reproducing the issue locally.

Mathias

[0] -- https://github.com/golang/vulndb/issues/3124
[1] -- https://github.com/osrg/gobgp/commit/419c50dfac578daa4d11256904d0dc182f1a9b22
[2] -- https://github.com/osrg/gobgp/releases/tag/v3.20.0
[3] -- https://github.com/advisories/GHSA-6rqv-5cg7-m4x3
[4] -- https://github.com/osrg/gobgp/issues/2725