Your message dated Wed, 25 Aug 2010 23:02:25 +0000
with message-id <e1ooozb-0004lm...@franck.debian.org>
and subject line Bug#594262: fixed in quagga 0.99.17-1
has caused the Debian Bug report #594262,
regarding quagga: Two BGP security problems fixed in 0.99.17
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
594262: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594262
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: quagga
Version: 0.99.16
Severity: grave
Tags: security
Justification: user security hole
The release notes of quagga 0.99.17 on
http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100 mention that:
"This release provides two important bugfixes, which address remote crash
possibility in bgpd discovered by CROSS team. "
CVE IDs have already been requested by someone from RedHat on oss-security:
http://marc.info/?l=oss-security&m=128265627617285&w=2 but have not yet been
granted.
Meanwhile I upload 0.99.17 to sid and ask if 0.99.10 (lenny) is affected and if
there's a 0.99.16 backport for the frozen squeeze.
bye,
-christian-
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages quagga depends on:
ii adduser 3.112 add and remove users and groups
ii debconf [debconf-2.0] 1.5.35 Debian configuration management sy
ii iproute 20100519-3 networking and traffic control too
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libcap2 1:2.19-3 support for getting/setting POSIX.
ii libpam0g 1.1.1-4 Pluggable Authentication Modules l
ii libpcre3 8.02-1.1 Perl 5 Compatible Regular Expressi
ii libreadline6 6.1-3 GNU readline and history libraries
ii logrotate 3.7.8-6 Log rotation utility
quagga recommends no packages.
Versions of packages quagga suggests:
ii snmpd 5.4.3~dfsg-1 SNMP (Simple Network Management Pr
--- End Message ---
--- Begin Message ---
Source: quagga
Source-Version: 0.99.17-1
We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive:
quagga-doc_0.99.17-1_all.deb
to main/q/quagga/quagga-doc_0.99.17-1_all.deb
quagga_0.99.17-1.diff.gz
to main/q/quagga/quagga_0.99.17-1.diff.gz
quagga_0.99.17-1.dsc
to main/q/quagga/quagga_0.99.17-1.dsc
quagga_0.99.17-1_amd64.deb
to main/q/quagga/quagga_0.99.17-1_amd64.deb
quagga_0.99.17.orig.tar.gz
to main/q/quagga/quagga_0.99.17.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 594...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Hammers <c...@debian.org> (supplier of updated quagga package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 25 Aug 2010 00:52:48 +0200
Source: quagga
Binary: quagga quagga-doc
Architecture: source all amd64
Version: 0.99.17-1
Distribution: unstable
Urgency: high
Maintainer: Christian Hammers <c...@debian.org>
Changed-By: Christian Hammers <c...@debian.org>
Description:
quagga - BGP/OSPF/RIP routing daemon
quagga-doc - documentation files for quagga
Closes: 594262
Changes:
quagga (0.99.17-1) unstable; urgency=high
.
* SECURITY:
"This release provides two important bugfixes, which address remote crash
possibility in bgpd discovered by CROSS team.":
1. Stack buffer overflow by processing certain Route-Refresh messages
CVE-2010-2948
2. DoS (crash) while processing certain BGP update AS path messages
CVE-2010-2949
Closes: #594262
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkx1nu4ACgkQkR9K5oahGOa99wCg5LHN/G9px5+EHjwVidLZoxSC
a+gAn0geBQO2s4xYzpkTu+YPVgDXHD0N
=XGSI
-----END PGP SIGNATURE-----
--- End Message ---