Your message dated Sat, 09 Mar 2024 00:04:55 +0000
with message-id <e1rikct-0033ip...@fasolo.debian.org>
and subject line Bug#1055852: fixed in frr 9.1-0.1
has caused the Debian Bug report #1055852,
regarding frr: CVE-2023-38407 CVE-2023-41361 CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1055852: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055852
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: frr
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for frr.
CVE-2023-38407[0]:
| bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read
| beyond the end of the stream during labeled unicast parsing.
https://github.com/FRRouting/frr/pull/12951
https://github.com/FRRouting/frr/commit/7404a914b0cafe046703c8381903a80d3def8f8b
(base_9.0)
https://github.com/FRRouting/frr/pull/12956
https://github.com/FRRouting/frr/commit/ab362eae68edec12c175d9bc488bcc3f8b73d36f
(frr-8.5)
CVE-2023-41361[1]:
| An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does
| not check for an overly large length of the rcv software version.
https://github.com/FRRouting/frr/pull/14241
Fixed by:
https://github.com/FRRouting/frr/commit/b4d09af9194d20a7f9f16995a062f5d8e3d32840
Backport for 9.0 branch: https://github.com/FRRouting/frr/pull/14250
Fixed by:
https://github.com/FRRouting/frr/commit/73ad93a83f18564bb7bff4659872f7ec1a64b05e
CVE-2023-46752[2]:
| An issue was discovered in FRRouting FRR through 9.0.1. It
| mishandles malformed MP_REACH_NLRI data, leading to a crash.
Fixed by:
https://github.com/FRRouting/frr/commit/b08afc81c60607a4f736f418f2e3eb06087f1a35
(master)
Fixed by:
https://github.com/FRRouting/frr/commit/30b5c2a434d25981e16792f6f50162beb517ae4d
(stable/8.5 branch)
CVE-2023-46753[3]:
| An issue was discovered in FRRouting FRR through 9.0.1. A crash can
| occur for a crafted BGP UPDATE message without mandatory attributes,
| e.g., one with only an unknown transit attribute.
Fixed by:
https://github.com/FRRouting/frr/commit/d8482bf011cb2b173e85b65b4bf3d5061250cdb9
(master)
Fixed by:
https://github.com/FRRouting/frr/commit/21418d64af11553c402f932b0311c812d98ac3e4
(stable/8.5 branch)
CVE-2023-47234[4]:
| An issue was discovered in FRRouting FRR through 9.0.1. A crash can
| occur when processing a crafted BGP UPDATE message with a
| MP_UNREACH_NLRI attribute and additional NLRI data (that lacks
| mandatory path attributes).
https://github.com/FRRouting/frr/commit/c37119df45bbf4ef713bc10475af2ee06e12f3bf
CVE-2023-47235[5]:
| An issue was discovered in FRRouting FRR through 9.0.1. A crash can
| occur when a malformed BGP UPDATE message with an EOR is processed,
| because the presence of EOR does not lead to a treat-as-withdraw
| outcome.
https://github.com/FRRouting/frr/commit/6814f2e0138a6ea5e1f83bdd9085d9a77999900b
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-38407
https://www.cve.org/CVERecord?id=CVE-2023-38407
[1] https://security-tracker.debian.org/tracker/CVE-2023-41361
https://www.cve.org/CVERecord?id=CVE-2023-41361
[2] https://security-tracker.debian.org/tracker/CVE-2023-46752
https://www.cve.org/CVERecord?id=CVE-2023-46752
[3] https://security-tracker.debian.org/tracker/CVE-2023-46753
https://www.cve.org/CVERecord?id=CVE-2023-46753
[4] https://security-tracker.debian.org/tracker/CVE-2023-47234
https://www.cve.org/CVERecord?id=CVE-2023-47234
[5] https://security-tracker.debian.org/tracker/CVE-2023-47235
https://www.cve.org/CVERecord?id=CVE-2023-47235
Please adjust the affected versions in the BTS as needed.
--- End Message ---
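The four bgpd CVEs in the report above share one failure mode: an UPDATE message whose length fields or attribute set do not match what the parser assumes, read without bounds checks (CVE-2023-38407, CVE-2023-41361) or without the RFC 7606 "treat-as-withdraw" outcome for a message that announces reachability but lacks well-known mandatory attributes (CVE-2023-46753, CVE-2023-47234, CVE-2023-47235). The following Python is an added example written for this page; it is not FRR code, not part of the bug report, and does not reproduce any of the FRR patches. It classifies the body of a BGP UPDATE (everything after the 19-byte header) into EOR, OK, TREAT_AS_WITHDRAW or MALFORMED, following RFC 4271, RFC 7606 and RFC 4724 rules, and never reads past a length field. The verdict names, the helper functions `attr`/`update_body` and all sample messages are constructed for the example.

```python
"""Defensive classification of a BGP UPDATE body (everything after the
19-byte BGP header). Verdicts (names chosen for this example):

  EOR               - End-of-RIB marker (RFC 4724): both lengths zero, no NLRI
  TREAT_AS_WITHDRAW - reachability announced but a well-known mandatory
                      attribute is missing (RFC 7606 outcome, no session reset)
  MALFORMED         - a length field points past the end of the buffer
  OK                - structurally sound

Every sample message at the bottom is constructed for this example.
"""
import struct

ORIGIN, AS_PATH, NEXT_HOP = 1, 2, 3
MP_REACH_NLRI, MP_UNREACH_NLRI = 14, 15
ATTR_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP",
              14: "MP_REACH_NLRI", 15: "MP_UNREACH_NLRI"}
FLAG_EXTENDED_LENGTH = 0x10


def parse_path_attributes(buf):
    """Return a list of (flags, type_code, value); raise ValueError for any
    header or length that would run past the end of `buf`."""
    attrs, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 3:
            raise ValueError("truncated attribute header at offset %d" % pos)
        flags, type_code = buf[pos], buf[pos + 1]
        pos += 2
        if flags & FLAG_EXTENDED_LENGTH:          # two-byte length field
            if len(buf) - pos < 2:
                raise ValueError("truncated extended length at offset %d" % pos)
            length = struct.unpack_from("!H", buf, pos)[0]
            pos += 2
        else:                                     # one-byte length field
            length = buf[pos]
            pos += 1
        if pos + length > len(buf):               # the check that prevents over-read
            raise ValueError("attribute type %d claims %d bytes, only %d left"
                             % (type_code, length, len(buf) - pos))
        attrs.append((flags, type_code, bytes(buf[pos:pos + length])))
        pos += length
    return attrs


def classify_update(body):
    """Classify a BGP UPDATE body. Returns (verdict, detail)."""
    if len(body) < 4:
        return "MALFORMED", "body shorter than the two mandatory length fields"
    withdrawn_len = struct.unpack_from("!H", body, 0)[0]
    if 2 + withdrawn_len + 2 > len(body):
        return "MALFORMED", "withdrawn routes length exceeds message"
    attr_off = 2 + withdrawn_len
    attr_len = struct.unpack_from("!H", body, attr_off)[0]
    attr_start = attr_off + 2
    if attr_start + attr_len > len(body):
        return "MALFORMED", "total path attribute length exceeds message"
    nlri = body[attr_start + attr_len:]

    # RFC 4724: IPv4-unicast End-of-RIB is an UPDATE with both lengths zero.
    # It must be accepted as such, not scored as "missing attributes".
    if withdrawn_len == 0 and attr_len == 0 and not nlri:
        return "EOR", "end-of-RIB marker"

    try:
        attrs = parse_path_attributes(body[attr_start:attr_start + attr_len])
    except ValueError as exc:
        return "MALFORMED", str(exc)
    present = {type_code for _, type_code, _ in attrs}

    # Mandatory attributes only matter when reachability is announced;
    # a withdraw-only message (classic or MP_UNREACH_NLRI) needs none.
    if not nlri and MP_REACH_NLRI not in present:
        return "OK", "withdraw-only update"

    required = {ORIGIN, AS_PATH}
    if nlri:   # classic IPv4 NLRI needs NEXT_HOP; MP_REACH_NLRI carries its own
        required.add(NEXT_HOP)
    missing = sorted(required - present)
    if missing:
        names = ", ".join(ATTR_NAMES[t] for t in missing)
        return "TREAT_AS_WITHDRAW", "missing well-known mandatory attribute(s): " + names
    return "OK", "%d attribute(s), %d NLRI byte(s)" % (len(attrs), len(nlri))


# --- constructed sample messages (hypothetical helpers, not FRR code) -------
def attr(flags, type_code, value):
    """Encode one path attribute with a one-byte length field."""
    return bytes([flags, type_code, len(value)]) + value


def update_body(attrs, nlri=b"", withdrawn=b""):
    return (struct.pack("!H", len(withdrawn)) + withdrawn
            + struct.pack("!H", len(attrs)) + attrs + nlri)


NLRI_203_0_113 = b"\x18\xcb\x00\x71"                          # 203.0.113.0/24
GOOD_ATTRS = (attr(0x40, ORIGIN, b"\x00")                      # ORIGIN = IGP
              + attr(0x40, AS_PATH, b"\x02\x01\xfd\xe9")       # AS_SEQUENCE [65001]
              + attr(0x40, NEXT_HOP, b"\xc0\x00\x02\x01"))     # 192.0.2.1

SAMPLES = {
    "eor": b"\x00\x00\x00\x00",
    "good": update_body(GOOD_ATTRS, NLRI_203_0_113),
    # only an unknown optional-transitive attribute (type 250), no mandatory ones
    "unknown_only": update_body(attr(0xc0, 250, b"\x00"), NLRI_203_0_113),
    # MP_UNREACH_NLRI (AFI 1, SAFI 1) plus trailing classic NLRI, no mandatory attrs
    "mp_unreach_plus_nlri": update_body(
        attr(0x80, MP_UNREACH_NLRI, b"\x00\x01\x01\x18\xcb\x00\x71"), NLRI_203_0_113),
    # attribute header claims 16 value bytes, only 2 follow
    "truncated": update_body(b"\x40\x01\x10\x00\x00"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print("%-22s %-18s %s" % (name, *classify_update(body)))
```

Run stand-alone it prints one verdict per sample. The point of the structure is that every length field is checked against the remaining buffer before it is used, and that the "no mandatory attributes" case is decided only after the EOR and withdraw-only cases have been recognised, so a crafted message lands in TREAT_AS_WITHDRAW or MALFORMED rather than in code that assumes the attributes exist.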
--- Begin Message ---
Source: frr
Source-Version: 9.1-0.1
Done: Daniel Baumann <daniel.baum...@progress-linux.org>
We believe that the bug you reported is fixed in the latest version of
frr, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1055...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Baumann <daniel.baum...@progress-linux.org> (supplier of updated frr package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 08 Mar 2024 23:21:21 +0100
Source: frr
Architecture: source
Version: 9.1-0.1
Distribution: unstable
Urgency: high
Maintainer: David Lamparter <equinox-deb...@diac24.net>
Changed-By: Daniel Baumann <daniel.baum...@progress-linux.org>
Closes: 1042473 1044470 1055852 1065144
Changes:
frr (9.1-0.1) unstable; urgency=high
.
  * Non-maintainer upload.
  * New upstream release (Closes: #1042473, #1055852):
    - CVE-2023-3748: parsing certain babeld unicast hello messages that are
      intended to be ignored. This issue may allow an attacker to send
      specially crafted hello messages with the unicast flag set, the
      interval field set to 0, or any TLV that contains a sub-TLV with the
      Mandatory flag set to enter an infinite loop and cause a denial of
      service.
    - CVE-2023-38407: bgpd/bgp_label.c attempts to read beyond the end of the
      stream during labeled unicast parsing.
    - CVE-2023-41361: bgpd/bgp_open.c does not check for an overly large
      length of the rcv software version.
    - CVE-2023-46752: It mishandles malformed MP_REACH_NLRI data, leading to a
      crash.
    - CVE-2023-46753: A crash can occur for a crafted BGP UPDATE message
      without mandatory attributes, e.g., one with only an unknown transit
      attribute.
    - CVE-2023-47234: A crash can occur when processing a crafted BGP UPDATE
      message with a MP_UNREACH_NLRI attribute and additional NLRI data (that
      lacks mandatory path attributes).
    - CVE-2023-47235: A crash can occur when a malformed BGP UPDATE message
      with an EOR is processed, because the presence of EOR does not lead to a
      treat-as-withdraw outcome.
  * Updating patches:
    - removing CVE-2023-38802.patch, included upstream.
    - removing CVE-2023-41358.patch, included upstream.
    - removing CVE-2023-41360.patch, included upstream.
    - removing unapplied CVE-2023-41361.patch, included upstream.
    - adding CVE-2024-27913.patch from upstream:
      ospf_te_parse_te in ospfd/ospf_te.c allows remote attackers to cause a
      denial of service (ospfd daemon crash) via a malformed OSPF LSA packet,
      because of an attempted access to a missing attribute field (Closes:
      #1065144).
  * Updating build-depends:
    - adding now required protobuf-c-compiler to build-depends.
    - adding now required libprotobuf-c-dev to build-depends.
    - adding new libmgmt_be_nb.so to frr.install.
    - removing obsolete lsb-base.
    - preferring new pkgconf over old pkg-config.
  * Updating override_dh_auto_clean to fix FTBFS when built twice in a row
    (Closes: #1044470):
    - call dh_auto_clean which is safe to run now.
    - remove tests/.pytest_cache.
  * Removing obsolete doc-base.
Checksums-Sha1:
fa8ccd2fbde1dd12bd2b9b75a6b1e73c429a5755 2734 frr_9.1-0.1.dsc
b96093130eb27fd472e03a7fda3613f080dc6e99 8231024 frr_9.1.orig.tar.xz
c0d3f1806539be400ea783f3d35f3967a530216d 32564 frr_9.1-0.1.debian.tar.xz
f84ba762264d886a4458615178dc7c5a16794242 11698 frr_9.1-0.1_amd64.buildinfo
Checksums-Sha256:
fe61b7fc08e26ed1ed0555e5a41986a8c23a2d0014f048bd62659cfe683a6f86 2734 frr_9.1-0.1.dsc
da24cc625121f7f215cc2c57dfb491266f7634b0b50422f8911bb0c44e812e60 8231024 frr_9.1.orig.tar.xz
0f6e95c12ddb133d420eabab1bf5bff2f001edec7473ea3a635887a02b113e24 32564 frr_9.1-0.1.debian.tar.xz
012b55f3fad830c07c6ddf3a05b96948b31a7e76fc6df42a97812059b28449be 11698 frr_9.1-0.1_amd64.buildinfo
Files:
5b55fe3b9eb1abc04d1ce0155fc0cbc3 2734 net optional frr_9.1-0.1.dsc
f87041fcdbcaa3663df69a9425f97876 8231024 net optional frr_9.1.orig.tar.xz
348a84a902d34edb280f6c83a4ba61db 32564 net optional frr_9.1-0.1.debian.tar.xz
8e99cdb7bc0b4d41ebe78090d829b0ce 11698 net optional frr_9.1-0.1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---