Page MenuHomeVyOS Platform
Create Task
Maniphest T615

DSA-4115-1 quagga -- security update
Closed, WontfixPublic
Actions

Description

Several vulnerabilities have been discovered in Quagga, a routing daemon. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2018-5378
It was discovered that the Quagga BGP daemon, bgpd, does not properly bounds check data sent with a NOTIFY to a peer, if an attribute length is invalid. A configured BGP peer can take advantage of this bug to read memory from the bgpd process or cause a denial of service (daemon crash).

https://www.quagga.net/security/Quagga-2018-0543.txt

CVE-2018-5379
It was discovered that the Quagga BGP daemon, bgpd, can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes, resulting in a denial of service (bgpd daemon crash).

https://www.quagga.net/security/Quagga-2018-1114.txt

CVE-2018-5380
It was discovered that the Quagga BGP daemon, bgpd, does not properly handle internal BGP code-to-string conversion tables.

https://www.quagga.net/security/Quagga-2018-1550.txt

CVE-2018-5381
It was discovered that the Quagga BGP daemon, bgpd, can enter an infinite loop if sent an invalid OPEN message by a configured peer. A configured peer can take advantage of this flaw to cause a denial of service (bgpd daemon not responding to any other events; BGP sessions will drop and not be reestablished; unresponsive CLI interface).

https://www.quagga.net/security/Quagga-2018-1975.txt

For the oldstable distribution (jessie), these problems have been fixed in version 0.99.23.1-1+deb8u5.

For the stable distribution (stretch), these problems have been fixed in version 1.1.1-3+deb9u2.

We recommend that you upgrade your quagga packages.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

duprec created this task.May 3 2018, 2:17 AM
duprec created this object in space S1 VyOS Public.
duprec added projects: vyatta-quagga, VyOS 1.1.x, VyOS 1.2 Crux.May 3 2018, 2:19 AM
duprec changed the visibility from "Subscribers" to "Public (No Login Required)".
c-po added a subscriber: c-po.May 3 2018, 5:19 AM

Thanks for sharing. Debian security updates get automatically pulled in every night diring creation of the rolling release ISO.

duprec added a comment.May 3 2018, 11:34 AM

c-po, does it mean that the fix will be included in an upcoming 1.1 release and in 1.2.0 when released ?

syncer added a subscriber: syncer.May 3 2018, 11:59 AM

@c-po vyatta-quagga is our package

c-po added a comment.May 3 2018, 2:07 PM

@syncer my bad ... then we have to integrate the fixes manually or better, identify why we have to use a special version and decide if this is still necessary. A lot of patches from the past have been removed in the latest Kernel update, too which were no longer necessary.

higebu added a subscriber: higebu.May 7 2018, 1:35 AM
higebu added a comment.May 7 2018, 1:44 AM

I think we can use Debian jessie package for 1.2.0-rolling. But for 1.1, we have to build special version, because there is no upstream package.

pasik added a subscriber: pasik.May 15 2018, 9:55 PM
syncer added a subscriber: dmbaturin.May 27 2018, 9:54 AM

@dmbaturin stock quagga also missing pbr?

syncer triaged this task as Normal priority.May 27 2018, 9:54 AM
dmbaturin added a comment.Jun 4 2018, 5:02 PM

@syncer @higebu Yes, stock quagga is missing many things that ours has. We have no choice other than to integrate the patches by hand.

syncer closed this task as Wontfix.Oct 13 2018, 9:13 AM
syncer claimed this task.

moved to frr in 1.2

syncer removed a project: VyOS 1.2 Crux.Oct 13 2018, 9:13 AM
syncer edited projects, added Rejected; removed VyOS 1.1.x, vyatta-quagga.Oct 15 2018, 6:30 AM