Your message dated Sun, 27 Oct 2013 22:49:09 +0000
with message-id <e1vaz8v-0005to...@franck.debian.org>
and subject line Bug#726724: fixed in quagga 0.99.22.4-1
has caused the Debian Bug report #726724,
regarding quagga: CVE-2013-2236
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
726724: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726724
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: quagga
Severity: grave
Tags: security patch
Justification: user security hole

Hi Christian,
this was assigned CVE-2013-2236 some time ago, but apparently there was never
a bug filed for it:
http://lists.quagga.net/pipermail/quagga-dev/2013-July/010621.html

Fixed in 0.99.22.3:
http://nongnu.mirrors.hostinginnederland.nl//quagga/quagga-0.99.22.3.changelog.txt

Cheers,
        Moritz

--- End Message ---
--- Begin Message ---
Source: quagga
Source-Version: 0.99.22.4-1

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 726...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <c...@debian.org> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 24 Oct 2013 22:58:37 +0200
Source: quagga
Binary: quagga quagga-dbg quagga-doc
Architecture: source amd64 all
Version: 0.99.22.4-1
Distribution: unstable
Urgency: high
Maintainer: Christian Hammers <c...@debian.org>
Changed-By: Christian Hammers <c...@debian.org>
Description: 
 quagga     - BGP/OSPF/RIP routing daemon
 quagga-dbg - BGP/OSPF/RIP routing daemon (debug symbols)
 quagga-doc - documentation files for quagga
Closes: 726724
Changes: 
 quagga (0.99.22.4-1) unstable; urgency=high
 .
   * SECURITY:
     "ospfd: CVE-2013-2236, stack overrun in apiserver
 .
     the OSPF API-server (exporting the LSDB and allowing announcement of
     Opaque-LSAs) writes past the end of fixed on-stack buffers.  This leads
     to an exploitable stack overflow.
 .
     For this condition to occur, the following two conditions must be true:
     - Quagga is configured with --enable-opaque-lsa
     - ospfd is started with the "-a" command line option
 .
     If either of these does not hold, the relevant code is not executed and
     the issue does not get triggered."
     Closes: #726724
 .
   * New upstream release
     - ospfd: protect vs. VU#229804 (malformed Router-LSA)
       (Quagga is said to be non-vulnerable but still adds some protection)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iEYEARECAAYFAlJtk/EACgkQkR9K5oahGObTYwCfVQYzR2TBhXVwGYLINHjO72IK
Q/AAn0Tx+wG4tOZNl/Jv5o5U7A2rGDoM
=hqGQ
-----END PGP SIGNATURE-----

--- End Message ---
