lp:debian/lenny/quagga

Created by James Westby and last modified
Get this branch:
bzr branch lp:debian/lenny/quagga

Branch information

Owner: Ubuntu branches
Status: Development

Recent revisions

12. By Florian Weimer

* SECURITY:
  This is a backport of the security patches of Quagga 0.99.19 and 0.99.20:
  - The vulnerabilities CVE-2011-3324 and CVE-2011-3323 are related to the
    IPv6 routing protocol (OSPFv3) implemented in ospf6d daemon. Receiving
    modified Database Description and Link State Update messages,
    respectively, can result in denial of service in IPv6 routing.
  - The vulnerability CVE-2011-3325 is a denial of service vulnerability
    related to Hello message handling by the OSPF service. As Hello messages
    are used to initiate adjacencies, exploiting the vulnerability may be
    feasible from the same broadcast domain without an established adjacency.
    A malformed packet may result in denial of service in IPv4 routing.
  - The vulnerability CVE-2011-3326 results from the handling of LSA (Link
    State Advertisement) states in the OSPF service. Receiving a modified
    Link State Update message with malicious state information can result in
    denial of service in IPv4 routing.
  - The vulnerability CVE-2011-3327 is related to the extended communities
    handling in BGP messages. Receiving a malformed BGP update can result in
    a buffer overflow and disruption of IPv4 routing.

11. By Florian Weimer

* Fix crash in Extended Communities handling (CVE-2010-1674)
* Remove support for AS_PATHLIMIT (CVE-2010-1675)
* Fix format string issue in vty_hello

10. By Florian Weimer

* 99_segment_type_check: fix bgpd crash on invalid segment type
  (CVE-2010-2949)
* 99_fix_confederation-1, 99_fix_confederation-2: fix confederations
  handling in bgpd, addressing a session reset issue
* 99_route_refresh: tighten bounds checking in RR ORF msg reader
  (CVE-2010-2948)

9. By Florian Weimer

Apply patch from Chris Caputo to fix crash on certain AS4 BGP updates.

8. By Christian Hammers

Fixed bug that caused routes which were added externally, e.g. by
"ip route add", to be ignored by Quagga (thanks to Hannes Schulz).
Closes: #495232

7. By Christian Hammers

* Recreate /var/run if not present because /var is e.g. on a tmpfs
  filesystem (thanks to Martin Pitt). Closes: #376142
* Removed nonexistent option from ospfd.8 manpage (thanks to
  David Medberry). Closes: 378274

6. By Martin Pitt

* Merge from debian unstable; remaining Ubuntu change:
  - debian/quagga.init.d: Create /var/run/quagga/

5. By Martin Pitt

* SECURITY UPDATE: Remote route injection, authentication bypass, remote
  DoS.
* Add debian/patches/81_ripv1_injection.dpatch:
  - When RIPv2 authentication is required, disable RIPv1 or require
    authentication as well (remote attackers could get routing information
    by sending RIPv1 requests). [CVE-2006-2223]
  - Enforce RIPv2 authentication requirements (remote attackers could
    modify routing state via RIPv1 RESPONSE packets). [CVE-2006-2224]
  - Patch taken from CVS head, see
    http://bugzilla.quagga.net/show_bug.cgi?id=262
* Add debian/patches/82_sh_ip_bgp_loop.dpatch:
  - Fix infinite loop with special invalid 'sh ip bgp' command.
    [CVE-2006-2276]
  - Patch ported from 0.99.4.

4. By Scott James Remnant (Canonical)

Create /var/run/quagga with the correct permissions, missed as it's
hidden in a very messy preinst

3. By Scott James Remnant (Canonical)

Create /var/run/quagga in the init script if it doesn't exist.

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:debian/squeeze/quagga
This branch contains Public information 
Everyone can see this information.