[ASA-201712-7] quagga: denial of service

Christian Rebischke Chris.Rebischke at archlinux.org
Thu Dec 14 00:42:56 UTC 2017


Arch Linux Security Advisory ASA-201712-7
=========================================

Severity: Medium
Date    : 2017-12-13
CVE-ID  : CVE-2017-16227
Package : quagga
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-481

Summary
=======

The package quagga before version 1.2.2-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 1.2.2-1.

# pacman -Syu "quagga>=1.2.2-1"

The problem has been fixed upstream in version 1.2.2.

Workaround
==========

None.

Description
===========

A denial of service flaw was found in the way the bgpd daemon in quagga
before 1.2.2 handled the processing of large BGP update messages. A
remote, previously trusted attacker could potentially use this flaw to
cause bgpd to terminate existing BGP sessions, thereby leading to
denial of service.

Impact
======

A remote previously trusted attacker is able to crash quagga with a
maliciously crafted message.

References
==========

https://bugs.archlinux.org/task/56250
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879474
https://lists.quagga.net/pipermail/quagga-dev/2017-September/033284.html
https://git.savannah.gnu.org/cgit/quagga.git/commit/?id=7a42b78be9a4108d98833069a88e6fddb9285008
https://security.archlinux.org/CVE-2017-16227
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20171214/3812ee0d/attachment.asc>


More information about the arch-security mailing list