Your message dated Sun, 12 Nov 2017 15:34:36 +0000
with message-id <e1eduhm-000frd...@fasolo.debian.org>
and subject line Bug#879474: fixed in quagga 1.1.1-3+deb9u1
has caused the Debian Bug report #879474,
regarding quagga-bgpd: CVE-2017-16227: BGP session termination due to rather
long AS paths in update messages
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
879474: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879474
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: quagga-bgpd
Version: 1.1.1-3
Severity: important
Tags: security upstream
Dear Maintainer,
there is a longstanding bug in quagga where certain BGP update messages
cause a quagga bgpd to drop a session, possibly resulting in loss of
network connectivity.
Details:
Long paths in update messages are segmented in BGP, and the bug is in
the recalculation of the framing information if there are more than two
segments. The resulting data is invalid but will will be used for
redistribution. At least if the receiver is another quagga bgpd, that
message is rejected, eventually resulting in a BGP session termination.
The receiver's log (if written) contains an error message like
| BGP: 172.23.97.181: BGP type 2 length 3074 is too large, attribute total
length is 2069. attr_endp is 0x562feb368121. endp is 0x562feb367d2c
then.
So if a site's BGP peers all run quagga, that site will lose network
connectivity due to frequent session termination. Additionally, the
repeated initial full table transfer will result in a significantly
bigger network load, I've seen around 1 MByte/sec/link, compared to
usually less than one 1 kbyte/sec/link.
Such extremely long AS paths have occured in the global BGP table at
least four times since June. Last time started on Oct 13th around 20:43
UTC and lasted until the following week.
All versions of quagga in Debian are affected.
How to fix:
Kudos to Andreas Jaggi who identified the bug and provided a fix[1].
After some hours of work I was able to reproduce the issue and can
confirm this patch resolves the issues for all versions of quagga in
Debian (wheezy, jessie, stretch = buster = sid). Details about the
setup available upon request, it's just some stuff to write down.
In my opinion this is serious enough to justify a security upload. If
stable security disagrees, please fix this in the next stable point
release.
Regards,
Christoph
[1] https://lists.quagga.net/pipermail/quagga-dev/2017-September/033284.html
http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=7a42b78be9a4108d98833069a88e6fddb9285008
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Source: quagga
Source-Version: 1.1.1-3+deb9u1
We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 879...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated quagga package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 30 Oct 2017 06:25:29 +0100
Source: quagga
Binary: quagga quagga-core quagga-doc quagga-bgpd quagga-isisd quagga-ospf6d
quagga-ospfd quagga-pimd quagga-ripd quagga-ripngd
Architecture: source
Version: 1.1.1-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Scott Leggett <sc...@sl.id.au>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 879474
Description:
quagga - network routing daemons (metapackage)
quagga-bgpd - BGP4/BGP4+ routing daemon
quagga-core - network routing daemons (core abstraction layer)
quagga-doc - network routing daemons (documentation)
quagga-isisd - IS-IS routing daemon
quagga-ospf6d - OSPF6 routing daemon
quagga-ospfd - OSPF routing daemon
quagga-pimd - PIM routing daemon
quagga-ripd - RIPv1 routing daemon
quagga-ripngd - RIPng routing daemon
Changes:
quagga (1.1.1-3+deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* bgpd: Fix AS_PATH size calculation for long paths (CVE-2017-16227)
(Closes: #879474)
Checksums-Sha1:
c4ca2ee080fd3c4d75bd34d2e38b15e1149423d4 2766 quagga_1.1.1-3+deb9u1.dsc
b18648e49719d88351d91bf6782dd534de735f88 2173432 quagga_1.1.1.orig.tar.gz
7e8095d18ec0fee6bece66be8ff42a1712ac5c31 32744
quagga_1.1.1-3+deb9u1.debian.tar.xz
Checksums-Sha256:
7a213d555282b74df9de424fe34ba919b92e77edc282af9fab8abec30bba40b9 2766
quagga_1.1.1-3+deb9u1.dsc
cd464dd5575dfcedc6ad590eced904290d9c5fded89984bfa5610657dfb412bc 2173432
quagga_1.1.1.orig.tar.gz
671061449798fe3d70c5ef6e7c509093687d6c514da1cc958c1adf0d4afe7e25 32744
quagga_1.1.1-3+deb9u1.debian.tar.xz
Files:
7cc8d00c4e9ddfef29be77651d841b46 2766 net optional quagga_1.1.1-3+deb9u1.dsc
1b63d3f9f1a0ba19ada60536c05eaaab 2173432 net optional quagga_1.1.1.orig.tar.gz
bcd849d70adfec3280f8bf13c9264b01 32744 net optional
quagga_1.1.1-3+deb9u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAln2uOBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EDeIP/jVN5yseysYmWb9WGC9kfGv5BXvzPEYQ
tgUJHF8NhfbG3w66lFGy6+TOnMq5MRt/I3K9yZ2gxW+HfFdGhPP7H3gVSE9YR3va
rnJrymGI7Vy9IB1TtLcnaRCWNfIhaVtgdi8nt1Y8EVnw+lpNTT2BmIumfp55wAJJ
HM4zWGAYy6gOiSGElZzbZm2NHBdYvBnPJaZMw27qf/axXhVkBcuQXuS9lv6xMg4X
/YPJerGDU7di0SPIp4QvUXBYm6m+YVF5tPNpBEp9NNOc4PMk37f5w8+hhbFZPTox
juvxjMq+xrcdtk+bPTnKY8cXGCWKwuWvaoHL6lKriahL25bg2RR1fpOxxGDqFoFu
1cT9HAt8jaTMUX3dOyCXhGO8sJhroKuO/gtHetb+KP1yY0pRh6Htb3E3ZchwoMdx
8DEejpKsuz+dexLC4eL5u6TpU/d/PdiMskTZMRoIHmyekpn20OLo94c12DPTHMQY
1fjDQs9/SY8LdT1IS32itPMVN04M7NwsFwdDAHL6DwOpOt+0PTbvOR1Ypa2+Xgoh
8xkCzpmyx6oAbqG+1g8j4Pbf4UhrZc5uXQ+bG0bcIHHmYotW93ZIeYSqLUqebEHQ
ei2KLjybsJ1T3786f4YfRSikzjyhWGVK5Dnr6Wj0sJSqiElMBlFBH0fDjd4bnnmY
6wXFZdWK5kCZ
=v6LG
-----END PGP SIGNATURE-----
--- End Message ---
