Page MenuHomeVyOS Platform
Create Task
Maniphest T5557

bgp: Use treat-as-withdraw for tunnel encapsulation attribute CVE-2023-38802
Closed, ResolvedPublicBUG
Actions

Description

Backport fix from https://github.com/FRRouting/frr/issues/14289

https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling

Details

Difficulty level
Unknown (require assessment)
Version
1.3.0
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Related Objects

Mentioned In
1.3.4

Event Timeline

c-po claimed this task.Sep 7 2023, 2:13 PM
c-po triaged this task as High priority.
c-po created this task.

1.4 running FRR9 is already mitigated

pasik added a subscriber: pasik.Sep 7 2023, 2:57 PM
c-po added a comment.EditedSep 10 2023, 2:02 PM

Added backport for FRR 7.5 https://github.com/FRRouting/frr/pull/14381

Added PR for 1.3 to already include this patch before it's merged upstream https://github.com/vyos/vyos-build/pull/398

c-po changed the task status from Open to Backport pending.Sep 10 2023, 2:14 PM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.4) board.
c-po closed this task as Resolved.Sep 11 2023, 5:14 AM
c-po merged a task: T5523: CVE-2023-38802.Sep 13 2023, 6:15 AM
c-po added subscribers: danhusan, v.huti, Apachez and 2 others.
dmbaturin mentioned this in 1.3.4.Sep 14 2023, 1:07 PM