commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package frr for openSUSE:Factory checked in
at 2024-06-11 18:30:51
Comparing /work/SRC/openSUSE:Factory/frr (Old)
and /work/SRC/openSUSE:Factory/.frr.new.19518 (New)
Package is "frr"
Tue Jun 11 18:30:51 2024 rev:32 rq:1179914 version:8.4
Changes:
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2024-04-29 09:08:48.911373704
+0200
+++ /work/SRC/openSUSE:Factory/.frr.new.19518/frr.changes 2024-06-11
18:32:23.083648432 +0200
@@ -1,0 +2,17 @@
+Tue Jun 4 21:27:48 UTC 2024 - Marius Tomaschewski
+
+- Apply upstream fix solving ospfd denial of service via get_edge()
+ function returning a NULL pointer (CVE-2024-34088,bsc#1223786,
+ gh#FRRouting/frr#16088).
+ [+ 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch]
+- Apply upstream fix solving ospfd buffer overflow and daemon crash
+ in ospf_te_parse_ext_link for OSPF LSA packets during an attempt
+ to read Segment Routing Adjacency SID subTLVs (CVE-2024-31951,
+ bsc#1222528,gh#FRRouting/frr#16088).
+ [+ 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch]
+- Apply upstream fix solving ospfd buffer overflow and daemon crash
+ in RI parsing with OSPF TE (CVE-2024-31950,bsc#1222526,
+ gh#FRRouting/frr#16088).
+ [+ 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch]
+
+---
New:
0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch
0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch
0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch
BETA DEBUG BEGIN:
New: gh#FRRouting/frr#16088).
[+ 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch]
New: bsc#1222528,gh#FRRouting/frr#16088).
[+ 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch]
- Apply upstream fix solving ospfd buffer overflow and daemon crash
New: gh#FRRouting/frr#16088).
[+ 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch]
- Apply upstream fix solving ospfd buffer overflow and daemon crash
BETA DEBUG END:
Other differences:
--
++ frr.spec ++
--- /var/tmp/diff_new_pack.aOmhBM/_old 2024-06-11 18:32:24.571702845 +0200
+++ /var/tmp/diff_new_pack.aOmhBM/_new 2024-06-11 18:32:24.571702845 +0200
@@ -59,6 +59,9 @@
Patch18:0018-bgpd-Flowspec-overflow-issue.patch
Patch19:
0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
Patch20:0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch
+Patch21:0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch
+Patch22:0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch
+Patch23:0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison >= 2.7
++ 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch ++
>From 298704f1e73221172432e2a4afd79086ffcd4cca Mon Sep 17 00:00:00 2001
From: Olivier Dugeon
Date: Wed, 3 Apr 2024 16:28:23 +0200
Upstream: yes
References: CVE-2024-31950,bsc#1222526,gh#FRRouting/frr#16088
Subject: [PATCH 1/3] ospfd: Solved crash in RI parsing with OSPF TE
Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
read Segment Routing subTLVs. The original code doesn't check if the size of
the SR subTLVs have the correct length. In presence of erronous LSA, this will
cause a buffer overflow and ospfd crash.
This patch introduces new verification of the subTLVs size for Router
Information TLV.
Co-authored-by: Iggy Frankovic
Signed-off-by: Olivier Dugeon
(cherry picked from commit f69d1313b19047d3d83fc2b36a518355b861dfc4)
---
ospfd/ospf_te.c | 9 +
1 file changed, 9 insertions(+)
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 45eb205759..885b915585 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -2483,6 +2483,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct
ospf_lsa *lsa)
switch (ntohs(tlvh->type)) {
case RI_SR_TLV_SR_ALGORITHM:
+ if (TLV_BODY_SIZE(tlvh) < 1 ||
+ TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
+ break;
algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
for (int i = 0; i < ntohs(algo->header.length); i++) {
@@ -2507,6 +2510,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct
ospf_lsa *lsa)
break;
case RI_SR_TLV_SRGB_LABEL_RANGE:
+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
+ break;
range = (struct
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package frr for openSUSE:Factory checked in at 2024-04-14 11:55:04 Comparing /work/SRC/openSUSE:Factory/frr (Old) and /work/SRC/openSUSE:Factory/.frr.new.26366 (New) Package is "frr" Sun Apr 14 11:55:04 2024 rev:30 rq:1167542 version:8.4 Changes: --- /work/SRC/openSUSE:Factory/frr/frr.changes 2024-02-08 19:03:28.949955164 +0100 +++ /work/SRC/openSUSE:Factory/.frr.new.26366/frr.changes 2024-04-14 12:24:50.934062837 +0200 @@ -1,0 +2,8 @@ +Wed Apr 10 18:59:00 UTC 2024 - Clemens Famulla-Conrad + +- add + 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch: + * Apply upstream fix on error handling when receiving BGP Prefix +SID attribute (bsc#1222518,CVE-2024-31948,gh#FRRouting/frr#15628) + +--- New: 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch BETA DEBUG BEGIN: New:- add 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch: * Apply upstream fix on error handling when receiving BGP Prefix BETA DEBUG END: Other differences: -- ++ frr.spec ++ --- /var/tmp/diff_new_pack.oIMuL5/_old 2024-04-14 12:24:51.626088038 +0200 +++ /var/tmp/diff_new_pack.oIMuL5/_new 2024-04-14 12:24:51.630088183 +0200 @@ -57,6 +57,7 @@ Patch16:0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch Patch17:0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch Patch18:0018-bgpd-Flowspec-overflow-issue.patch +Patch19: 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison >= 2.7 ++ 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch ++ >From 51679e4504546584d98673b76ed8e12a8bc74fe0 Mon Sep 17 00:00:00 2001 From: Donatas Abraitis Date: Wed, 27 Mar 2024 18:42:56 +0200 Subject: [PATCH 1/2] bgpd: Fix error handling when receiving BGP Prefix SID attribute References: bsc#1222518 CVE-2024-31948 gh#FRRouting/frr#15628 Without this patch, we always set the BGP Prefix SID attribute flag without checking if it's malformed or not. RFC8669 says that this attribute MUST be discarded. Also, this fixes the bgpd crash when a malformed Prefix SID attribute is received, with malformed transitive flags and/or TLVs. Reported-by: Iggy Frankovic Signed-off-by: Donatas Abraitis (cherry picked from commit ba6a8f1a31e1a88df2de69ea46068e8bd9b97138) --- bgpd/bgp_attr.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c index 7144c4bfa73d..2e2845b8fa7e 100644 --- a/bgpd/bgp_attr.c +++ b/bgpd/bgp_attr.c @@ -1400,6 +1400,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, case BGP_ATTR_AS4_AGGREGATOR: case BGP_ATTR_AGGREGATOR: case BGP_ATTR_ATOMIC_AGGREGATE: + case BGP_ATTR_PREFIX_SID: return BGP_ATTR_PARSE_PROCEED; /* Core attributes, particularly ones which may influence route @@ -3146,8 +3147,6 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args) struct attr *const attr = args->attr; enum bgp_attr_parse_ret ret; - attr->flag |= ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID); - uint8_t type; uint16_t length; size_t headersz = sizeof(type) + sizeof(length); @@ -3197,6 +3196,8 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args) } } + SET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID)); + return BGP_ATTR_PARSE_PROCEED; } >From 9240abccb564043c85180916b77cad5b194a49c9 Mon Sep 17 00:00:00 2001 From: Donatas Abraitis Date: Wed, 27 Mar 2024 19:08:38 +0200 Subject: [PATCH 2/2] bgpd: Prevent from one more CVE triggering this place References: bsc#1222518 CVE-2024-31948 gh#FRRouting/frr#15628 Upstream: submitted If we receive an attribute that is handled by bgp_attr_malformed(), use treat-as-withdraw behavior for unknown (or missing to add - if new) attributes. Signed-off-by: Donatas Abraitis (cherry picked from commit babb23b74855e23c987a63f8256d24e28c044d07) --- bgpd/bgp_attr.c | 33 ++--- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c index 2e2845b8fa7e..7570598a3d7f 100644 --- a/bgpd/bgp_attr.c +++ b/bgpd/bgp_attr.c @@ -1391,6 +1391,15 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, (args->startp - STREAM_DATA(BGP_INPUT(peer)))
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package frr for openSUSE:Factory checked in
at 2024-02-08 19:03:09
Comparing /work/SRC/openSUSE:Factory/frr (Old)
and /work/SRC/openSUSE:Factory/.frr.new.1815 (New)
Package is "frr"
Thu Feb 8 19:03:09 2024 rev:29 rq:1145085 version:8.4
Changes:
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2023-12-05 17:04:43.368479613
+0100
+++ /work/SRC/openSUSE:Factory/.frr.new.1815/frr.changes2024-02-08
19:03:28.949955164 +0100
@@ -1,0 +2,11 @@
+Thu Feb 8 06:55:28 UTC 2024 - Dominique Leuenberger
+
+- Provide user/group symbol for user created during pre.
+
+---
+Fri Feb 2 08:25:36 UTC 2024 - Dominique Leuenberger
+
+- Fix build with RPM 4.19: a stray %-escape sequence was found in
+ the files section.
+
+---
Other differences:
--
++ frr.spec ++
--- /var/tmp/diff_new_pack.5Fpb5I/_old 2024-02-08 19:03:29.665981047 +0100
+++ /var/tmp/diff_new_pack.5Fpb5I/_new 2024-02-08 19:03:29.665981047 +0100
@@ -1,7 +1,7 @@
#
# spec file for package frr
#
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2019-2021, Martin Hauke
#
# All modifications and additions to the file contributed by third parties
@@ -92,11 +92,14 @@
Requires(post): %{install_info_prereq}
Requires(pre): %{install_info_prereq}
Requires(pre): shadow
-Requires(preun):%{install_info_prereq}
+Requires(preun): %{install_info_prereq}
Recommends: logrotate
Conflicts: quagga
Provides: zebra = %{version}
Obsoletes: zebra < %{version}
+Provides: group(%{frr_group})
+Provides: group(%{frrvty_group})
+Provides: user(%{frr_user})
%description
FRR is free software which manages TCP/IP based routing protocols.
@@ -193,25 +196,7 @@
developing OSPF-API and frr applications.
%prep
-%setup -q -n %{name}-%{name}-%{version}
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
+%autosetup -n %{name}-%{name}-%{version} -p1
%build
# GCC LTO objects must be "fat" to avoid assembly errors
@@ -419,7 +404,7 @@
%{_infodir}/frr.info%{?ext_info}
%{_mandir}/man?/*
%{_docdir}/%{name}/html
-%{_unitdir}/%%{name}.service
+%{_unitdir}/%{name}.service
%dir %{_tmpfilesdir}
%{_tmpfilesdir}/%{name}.conf
%dir %attr(-,%{frr_user},%{frr_group}) %{_localstatedir}/log/frr
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package frr for openSUSE:Factory checked in at 2023-12-05 17:04:21 Comparing /work/SRC/openSUSE:Factory/frr (Old) and /work/SRC/openSUSE:Factory/.frr.new.25432 (New) Package is "frr" Tue Dec 5 17:04:21 2023 rev:28 rq:1130955 version:8.4 Changes: --- /work/SRC/openSUSE:Factory/frr/frr.changes 2023-10-31 20:26:45.176261043 +0100 +++ /work/SRC/openSUSE:Factory/.frr.new.25432/frr.changes 2023-12-05 17:04:43.368479613 +0100 @@ -1,0 +2,18 @@ +Mon Dec 4 09:11:46 UTC 2023 - Marius Tomaschewski + +- Apply upstream fix for a crash on malformed BGP UPDATE message + with an EOR, because the presence of EOR does not lead to a + treat-as-withdraw outcome (CVE-2023-47235,1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a7700b) + [+ 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch] +- Apply upstream fix for a crash on crafted BGP UPDATE message with + a MP_UNREACH_NLRI attribute and additional NLRI data (CVE-2023-47234, + bsc#1216897,ttps://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf) + [+ 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch] +- Apply upstream fix for attempts to read beyond the end of the + stream during labeled unicast parsing (CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f) + [+ 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch] +- Apply upstream fix for an nlri length of zero mishandling, aka + "flowspec overflow" (CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3) + [+ 0018-bgpd-Flowspec-overflow-issue.patch] + +--- New: 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch 0018-bgpd-Flowspec-overflow-issue.patch BETA DEBUG BEGIN: New: treat-as-withdraw outcome (CVE-2023-47235,1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a7700b) [+ 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch] - Apply upstream fix for a crash on crafted BGP UPDATE message with New: bsc#1216897,ttps://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf) [+ 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch] - Apply upstream fix for attempts to read beyond the end of the New: stream during labeled unicast parsing (CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f) [+ 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch] - Apply upstream fix for an nlri length of zero mishandling, aka New: "flowspec overflow" (CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3) [+ 0018-bgpd-Flowspec-overflow-issue.patch] BETA DEBUG END: Other differences: -- ++ frr.spec ++ --- /var/tmp/diff_new_pack.nGs4G5/_old 2023-12-05 17:04:44.388517212 +0100 +++ /var/tmp/diff_new_pack.nGs4G5/_new 2023-12-05 17:04:44.388517212 +0100 @@ -53,6 +53,10 @@ Patch12:0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch Patch13:0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch Patch14:0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch +Patch15:0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch +Patch16:0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch +Patch17:0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch +Patch18:0018-bgpd-Flowspec-overflow-issue.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison >= 2.7 @@ -204,6 +208,10 @@ %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 %build # GCC LTO objects must be "fat" to avoid assembly errors ++ 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch ++ >From fcd12ca92baf2be4b191ddc3d3021c276c635930 Mon Sep 17 00:00:00 2001 From: Donatas Abraitis Date: Fri, 27 Oct 2023 11:56:45 +0300 Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of malformed attrs Upstream: yes CVE-2023-47235,bsc#1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a7700b Treat-as-withdraw, otherwise if we just ignore it,
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package frr for openSUSE:Factory checked in at 2023-10-31 20:26:24 Comparing /work/SRC/openSUSE:Factory/frr (Old) and /work/SRC/openSUSE:Factory/.frr.new.17445 (New) Package is "frr" Tue Oct 31 20:26:24 2023 rev:27 rq:1121416 version:8.4 Changes: --- /work/SRC/openSUSE:Factory/frr/frr.changes 2023-09-15 22:11:21.353751020 +0200 +++ /work/SRC/openSUSE:Factory/.frr.new.17445/frr.changes 2023-10-31 20:26:45.176261043 +0100 @@ -1,0 +2,10 @@ +Mon Oct 30 12:38:21 UTC 2023 - Marius Tomaschewski + +- Apply upstream fix for a crash due to a crafted BGP UPDATE message + (CVE-2023-46753,bsc#1216626,https://github.com/FRRouting/frr/pull/14655/commits/21418d64af11553c402f932b0311c812d98ac3e4). + [+ 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch] +- Apply upstream fix for a crash due to mishandled malformed + MP_REACH_NLRI data (CVE-2023-46752,bsc#1216627,https://github.com/FRRouting/frr/pull/14645/commits/b08afc81c60607a4f736f418f2e3eb06087f1a35). + [+ 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch] + +--- New: 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch Other differences: -- ++ frr.spec ++ --- /var/tmp/diff_new_pack.o9FId1/_old 2023-10-31 20:26:46.004291456 +0100 +++ /var/tmp/diff_new_pack.o9FId1/_new 2023-10-31 20:26:46.008291603 +0100 @@ -51,6 +51,8 @@ Patch10:0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch Patch11:0011-babeld-fix-11808-to-avoid-infinite-loops.patch Patch12:0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch +Patch13:0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch +Patch14:0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison >= 2.7 @@ -200,6 +202,8 @@ %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 %build # GCC LTO objects must be "fat" to avoid assembly errors ++ 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch ++ >From 1fdbfffbe343ad63c32ff37998300b0b4f67d8fb Mon Sep 17 00:00:00 2001 From: Donatas Abraitis Date: Mon, 23 Oct 2023 23:34:10 +0300 Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE message Upstream: yes References: CVE-2023-46753,bsc#1216626,https://github.com/FRRouting/frr/pull/14655/commits/21418d64af11553c402f932b0311c812d98ac3e4 If we send a crafted BGP UPDATE message without mandatory attributes, we do not check if the length of the path attributes is zero or not. We only check if attr->flag is at least set or not. Imagine we send only unknown transit attribute, then attr->flag is always 0. Also, this is true only if graceful-restart capability is received. A crash: ``` bgpd[7834]: [TJ23Y-GY0RH] 127.0.0.1 Unknown attribute is received (type 31, length 16) bgpd[7834]: [PCFFM-WMARW] 127.0.0.1(donatas-pc) rcvd UPDATE wlen 0 attrlen 20 alen 17 BGP[7834]: Received signal 11 at 1698089639 (si_addr 0x0, PC 0x55eefd375b4a); aborting... BGP[7834]: /usr/local/lib/libfrr.so.0(zlog_backtrace_sigsafe+0x6d) [0x7f3205ca939d] BGP[7834]: /usr/local/lib/libfrr.so.0(zlog_signal+0xf3) [0x7f3205ca9593] BGP[7834]: /usr/local/lib/libfrr.so.0(+0xf5181) [0x7f3205cdd181] BGP[7834]: /lib/x86_64-linux-gnu/libpthread.so.0(+0x12980) [0x7f3204ff3980] BGP[7834]: /usr/lib/frr/bgpd(+0x18ab4a) [0x55eefd375b4a] BGP[7834]: /usr/local/lib/libfrr.so.0(route_map_apply_ext+0x310) [0x7f3205cd1290] BGP[7834]: /usr/lib/frr/bgpd(+0x163610) [0x55eefd34e610] BGP[7834]: /usr/lib/frr/bgpd(bgp_update+0x9a5) [0x55eefd35c1d5] BGP[7834]: /usr/lib/frr/bgpd(bgp_nlri_parse_ip+0xb7) [0x55eefd35e867] BGP[7834]: /usr/lib/frr/bgpd(+0x1555e6) [0x55eefd3405e6] BGP[7834]: /usr/lib/frr/bgpd(bgp_process_packet+0x747) [0x55eefd345597] BGP[7834]: /usr/local/lib/libfrr.so.0(event_call+0x83) [0x7f3205cef4a3] BGP[7834]: /usr/local/lib/libfrr.so.0(frr_run+0xc0) [0x7f3205ca10a0] BGP[7834]: /usr/lib/frr/bgpd(main+0x409) [0x55eefd2dc979] ``` Sending: ``` import socket import time OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02" b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02" b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00" b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d" b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01" b"\x80\x00\x00\x00") KEEPALIVE =
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package frr for openSUSE:Factory checked in
at 2023-09-15 22:05:48
Comparing /work/SRC/openSUSE:Factory/frr (Old)
and /work/SRC/openSUSE:Factory/.frr.new.1766 (New)
Package is "frr"
Fri Sep 15 22:05:48 2023 rev:26 rq:557 version:8.4
Changes:
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2023-09-04 22:53:00.298543244
+0200
+++ /work/SRC/openSUSE:Factory/.frr.new.1766/frr.changes2023-09-15
22:11:21.353751020 +0200
@@ -1,0 +2,8 @@
+Tue Sep 12 13:40:19 UTC 2023 - Marius Tomaschewski
+
+- Apply upstream fix for NULL pointer dereference due to processing
+ of malformed requests with no attributes in bgp_nlri_parse_flowspec
+
(CVE-2023-41909,bsc#1215065,https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8).
+ [+ 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch]
+
+---
New:
0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
Other differences:
--
++ frr.spec ++
--- /var/tmp/diff_new_pack.CLtMQj/_old 2023-09-15 22:11:23.177816238 +0200
+++ /var/tmp/diff_new_pack.CLtMQj/_new 2023-09-15 22:11:23.177816238 +0200
@@ -50,6 +50,7 @@
Patch9: 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
Patch10:0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
Patch11:0011-babeld-fix-11808-to-avoid-infinite-loops.patch
+Patch12:0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison >= 2.7
@@ -198,6 +199,7 @@
%patch9 -p1
%patch10 -p1
%patch11 -p1
+%patch12 -p1
%build
# GCC LTO objects must be "fat" to avoid assembly errors
++ 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch ++
>From 168204de6371f594c4f1ebac30ca3e181a851e39 Mon Sep 17 00:00:00 2001
From: Donald Sharp
Date: Wed, 5 Apr 2023 14:57:05 -0400
Subject: [PATCH] bgpd: Limit flowspec to no attribute means a implicit
withdrawal
Upsteam: yes
References:
CVE-2023-41909,bsc#1215065,https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8
All other parsing functions done from bgp_nlri_parse() assume
no attributes == an implicit withdrawal. Let's move
bgp_nlri_parse_flowspec() into the same alignment.
Reported-by: Matteo Memelli
Signed-off-by: Donald Sharp
Signed-off-by: Marius Tomaschewski
diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
index 39c0cfe514..fe1f0d50f8 100644
--- a/bgpd/bgp_flowspec.c
+++ b/bgpd/bgp_flowspec.c
@@ -112,6 +112,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr
*attr,
afi = packet->afi;
safi = packet->safi;
+ /*
+* All other AFI/SAFI's treat no attribute as a implicit
+* withdraw. Flowspec should as well.
+*/
+ if (!attr)
+ withdraw = 1;
+
if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) {
flog_err(EC_BGP_FLOWSPEC_PACKET,
"BGP flowspec nlri length maximum reached (%u)",
--
2.35.3
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package frr for openSUSE:Factory checked in
at 2023-09-04 22:52:42
Comparing /work/SRC/openSUSE:Factory/frr (Old)
and /work/SRC/openSUSE:Factory/.frr.new.1766 (New)
Package is "frr"
Mon Sep 4 22:52:42 2023 rev:25 rq:1108711 version:8.4
Changes:
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2023-06-01 17:20:51.582636735
+0200
+++ /work/SRC/openSUSE:Factory/.frr.new.1766/frr.changes2023-09-04
22:53:00.298543244 +0200
@@ -1,0 +2,21 @@
+Wed Aug 30 17:15:35 UTC 2023 - Marius Tomaschewski
+
+- Removed protobuf-c BuildRequires (source package name) breaking
+ build-system setup with libprotobuf-c-devel 1.3.2 updates.
+- Apply upstream fix for bgpd: Don't read initial byte of the ORF
+ header in an ahead-of-stream situation (CVE-2023-41360,
+ bsc#1214739,https://github.com/FRRouting/frr/pull/14245)
+ [+ 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch]
+- Apply upstream fix for bgpd: Do not process NLRIs if the attribute
+ length is zero (CVE-2023-41358,bsc#1214735,
+ https://github.com/FRRouting/frr/pull/14260)
+ [+ 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch]
+- Apply upstream fix bgpd: Use treat-as-withdraw for tunnel encapsulation
+ attribute instead of session reset (CVE-2023-38802,bsc#1213284,
+ https://github.com/FRRouting/frr/pull/14290)
+ [+ 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch]
+- Apply upstream fix babeld: avoid infinite loops (CVE-2023-3748,bsc#1213434,
+ gh#FRRouting/frr#11808,https://github.com/FRRouting/frr/pull/12952)
+ [+ 0011-babeld-fix-11808-to-avoid-infinite-loops.patch]
+
+---
New:
0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch
0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
0011-babeld-fix-11808-to-avoid-infinite-loops.patch
Other differences:
--
++ frr.spec ++
--- /var/tmp/diff_new_pack.ovxwuj/_old 2023-09-04 22:53:01.934601076 +0200
+++ /var/tmp/diff_new_pack.ovxwuj/_new 2023-09-04 22:53:01.942601359 +0200
@@ -46,6 +46,10 @@
Patch5: 0005-root-ok-in-account-frr.pam.patch
Patch6: 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
Patch7: 0007-bgpd-Ensure-stream-received-has-enough-data.patch
+Patch8: 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch
+Patch9: 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
+Patch10:0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
+Patch11:0011-babeld-fix-11808-to-avoid-infinite-loops.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison >= 2.7
@@ -61,7 +65,6 @@
BuildRequires: net-snmp-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
-BuildRequires: protobuf-c
BuildRequires: python-rpm-macros
BuildRequires: readline-devel
BuildRequires: systemd-rpm-macros
@@ -191,6 +194,10 @@
%patch5 -p1
%patch6 -p1
%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
%build
# GCC LTO objects must be "fat" to avoid assembly errors
++ 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch ++
>From a6c5ef48cb086b94a5b911af4ee9f675213fb14b Mon Sep 17 00:00:00 2001
From: Donatas Abraitis
Date: Sun, 20 Aug 2023 22:15:27 +0300
Upstream: yes
References:
CVE-2023-41360,bsc#1214739,https://github.com/FRRouting/frr/pull/14245
Subject: [PATCH] bgpd: Don't read the first byte of ORF header if we are ahead
of stream
Reported-by: Iggy Frankovic iggyf...@amazon.com
Signed-off-by: Donatas Abraitis
Signed-off-by: Marius Tomaschewski
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 72d6a92317..4947dbc21d 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2375,7 +2375,8 @@ static int bgp_route_refresh_receive(struct peer *peer,
bgp_size_t size)
* and 7 bytes of ORF Address-filter entry from
* the stream
*/
- if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
+ if (p_pnt < p_end &&
+ *p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
if (bgp_debug_neighbor_events(peer))
zlog_debug(
"%pBP rcvd Remove-All
pfxlist ORF request",
--
2.35.3
++ 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch ++
>From
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package frr for openSUSE:Factory checked in
at 2023-06-01 17:20:50
Comparing /work/SRC/openSUSE:Factory/frr (Old)
and /work/SRC/openSUSE:Factory/.frr.new.2531 (New)
Package is "frr"
Thu Jun 1 17:20:50 2023 rev:24 rq:1090241 version:8.4
Changes:
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2023-04-04 21:27:58.859768154
+0200
+++ /work/SRC/openSUSE:Factory/.frr.new.2531/frr.changes2023-06-01
17:20:51.582636735 +0200
@@ -1,0 +2,10 @@
+Mon May 15 08:01:39 UTC 2023 - Marius Tomaschewski
+
+- Apply upstream fix for denial of service via the bgp_capability_llgr()
+ function (bsc#1211248,CVE-2023-31489,gh#FRRouting/frr#13098).
+ [+ 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch]
+- Apply upstream fix for denial of service via the bgp_attr_psid_sub()
+ function (bsc#1211249,CVE-2023-31490,gh#FRRouting/frr#13099).
+ [+ 0007-bgpd-Ensure-stream-received-has-enough-data.patch]
+
+---
New:
0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
0007-bgpd-Ensure-stream-received-has-enough-data.patch
Other differences:
--
++ frr.spec ++
--- /var/tmp/diff_new_pack.0XnYGq/_old 2023-06-01 17:20:52.150640102 +0200
+++ /var/tmp/diff_new_pack.0XnYGq/_new 2023-06-01 17:20:52.154640126 +0200
@@ -44,6 +44,8 @@
Patch3: 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
Patch4: 0004-tools-remove-backslash-from-declare-check-regex.patch
Patch5: 0005-root-ok-in-account-frr.pam.patch
+Patch6: 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
+Patch7: 0007-bgpd-Ensure-stream-received-has-enough-data.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison >= 2.7
@@ -187,6 +189,8 @@
%patch3 -p1
%patch4 -p1
%patch5 -p1
+%patch6 -p1
+%patch7 -p1
%build
# GCC LTO objects must be "fat" to avoid assembly errors
++ 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch ++
>From d95229c9ba4c8ff99dfc644dd2d1e9e172fe3faf Mon Sep 17 00:00:00 2001
From: Donatas Abraitis
Date: Fri, 24 Mar 2023 09:55:23 +0200
Upstream: yes
References:
bsc#1211248,CVE-2023-31489,https://github.com/FRRouting/frr/pull/13100/commits/b1d33ec293e8e36fbb8766252f3b016d268e31ce
Subject: [PATCH] bgpd: Check 7 bytes for Long-lived Graceful-Restart
capability
It's not 4 bytes, it was assuming the same as Graceful-Restart tuples.
LLGR has more 3 bytes (Long-lived Stale Time).
Signed-off-by: Donatas Abraitis
Signed-off-by: Marius Tomaschewski
diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
index d1667fac26..907e75e76b 100644
--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -599,12 +599,24 @@ static int bgp_capability_restart(struct peer *peer,
static int bgp_capability_llgr(struct peer *peer,
struct capability_header *caphdr)
{
+/*
+ * +--+
+ * | Address Family Identifier (16 bits) |
+ * +--+
+ * | Subsequent Address Family Identifier (8 bits)|
+ * +--+
+ * | Flags for Address Family (8 bits)|
+ * +--+
+ * | Long-lived Stale Time (24 bits) |
+ * +--+
+ */
+#define BGP_CAP_LLGR_MIN_PACKET_LEN 7
struct stream *s = BGP_INPUT(peer);
size_t end = stream_get_getp(s) + caphdr->length;
SET_FLAG(peer->cap, PEER_CAP_LLGR_RCV);
- while (stream_get_getp(s) + 4 <= end) {
+ while (stream_get_getp(s) + BGP_CAP_LLGR_MIN_PACKET_LEN <= end) {
afi_t afi;
safi_t safi;
iana_afi_t pkt_afi = stream_getw(s);
--
2.35.3
++ 0007-bgpd-Ensure-stream-received-has-enough-data.patch ++
>From 6d307ec2f5f5f9827f340a08941e6f78d09d1876 Mon Sep 17 00:00:00 2001
From: Donald Sharp
Date: Tue, 6 Dec 2022 10:23:11 -0500
Upstream: yes
References:
bsc#1211249,CVE-2023-31490,https://github.com/FRRouting/frr/pull/12454/commits/06431bfa7570f169637ebb5898f0b0cc3b010802
Subject: [PATCH] bgpd: Ensure stream received has enough data
BGP_PREFIX_SID_SRV6_L3_SERVICE attributes must not
fully trust the length value specified in the nlri.
Always ensure that the amount of data we need to read
can be fullfilled.
Reported-by: Iggy Frankovic
Signed-off-by: Donald Sharp
Signed-off-by: Marius Tomaschewski
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index b7d0958bac..c6177a1b93 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package frr for openSUSE:Factory checked in
at 2023-04-04 21:27:35
Comparing /work/SRC/openSUSE:Factory/frr (Old)
and /work/SRC/openSUSE:Factory/.frr.new.19717 (New)
Package is "frr"
Tue Apr 4 21:27:35 2023 rev:23 rq:1077239 version:8.4
Changes:
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2023-01-14 00:04:28.782151940
+0100
+++ /work/SRC/openSUSE:Factory/.frr.new.19717/frr.changes 2023-04-04
21:27:58.859768154 +0200
@@ -1,0 +2,5 @@
+Mon Apr 3 14:00:27 UTC 2023 - Marius Tomaschewski
+
+- Enable pim6d providing PIMv6 support (bsc#1206234)
+
+---
Other differences:
--
++ frr.spec ++
--- /var/tmp/diff_new_pack.XbiKFe/_old 2023-04-04 21:27:59.479771673 +0200
+++ /var/tmp/diff_new_pack.XbiKFe/_new 2023-04-04 21:27:59.483771697 +0200
@@ -234,6 +234,7 @@
--with-libpam \
--enable-pbrd \
--enable-pimd \
+--enable-pim6d \
--enable-protobuf \
--enable-ripd \
--enable-ripngd \
@@ -424,6 +425,7 @@
%{frr_daemondir}/pathd
%{frr_daemondir}/pbrd
%{frr_daemondir}/pimd
+%{frr_daemondir}/pim6d
%{frr_daemondir}/ripd
%{frr_daemondir}/ripngd
%{frr_daemondir}/sharpd
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package frr for openSUSE:Factory checked in
at 2023-01-14 00:03:42
Comparing /work/SRC/openSUSE:Factory/frr (Old)
and /work/SRC/openSUSE:Factory/.frr.new.32243 (New)
Package is "frr"
Sat Jan 14 00:03:42 2023 rev:22 rq:1058297 version:8.4
Changes:
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2022-11-16 15:43:15.951810530
+0100
+++ /work/SRC/openSUSE:Factory/.frr.new.32243/frr.changes 2023-01-14
00:04:28.782151940 +0100
@@ -1,0 +2,5 @@
+Fri Jan 13 12:27:58 UTC 2023 - Stefan Schubert
+
+- Migration of PAM settings to /usr/lib/pam.d.
+
+---
Other differences:
--
++ frr.spec ++
--- /var/tmp/diff_new_pack.IVUTMV/_old 2023-01-14 00:04:29.546156390 +0100
+++ /var/tmp/diff_new_pack.IVUTMV/_new 2023-01-14 00:04:29.554156436 +0100
@@ -1,7 +1,7 @@
#
# spec file for package frr
#
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2019-2021, Martin Hauke
#
# All modifications and additions to the file contributed by third parties
@@ -275,7 +275,12 @@
# add rpki module to daemon
sed -i -e 's/^\(bgpd_options=\)\(.*\)\(".*\)/\1\2 -M rpki\3/'
%{buildroot}%{_sysconfdir}/frr/daemons
+%if 0%{?suse_version} > 1500
+mkdir -p %{buildroot}%{_pam_vendordir}
+install -D -m 0644 redhat/frr.pam %{buildroot}%{_pam_vendordir}/frr
+%else
install -D -m 0644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr
+%endif
%if 0%{?suse_version} > 1500
install -D -m 0644 redhat/frr.logrotate
%{buildroot}%{_distconfdir}/logrotate.d/frr
%else
@@ -315,7 +320,7 @@
%service_add_pre %{name}.service
%if 0%{?suse_version} > 1500
# Prepare for migration to /usr/etc; save any old .rpmsave
-for i in logrotate.d/frr ; do
+for i in logrotate.d/frr pam.d/frr ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave
%{_sysconfdir}/${i}.rpmsave.old ||:
done
%endif
@@ -323,7 +328,7 @@
%posttrans
%if 0%{?suse_version} > 1500
# Migration to /usr/etc, restore just created .rpmsave
-for i in logrotate.d/frr ; do
+for i in logrotate.d/frr pam.d/frr ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave
%{_sysconfdir}/${i} ||:
done
%endif
@@ -375,7 +380,11 @@
%config(noreplace) %attr(640,%{frr_user},%{frr_group})
%{_sysconfdir}/%{name}/[!v]*.conf*
%config(noreplace) %attr(640,%{frr_user},%{frrvty_group})
%{_sysconfdir}/%{name}/vtysh.conf
%config(noreplace) %%attr(640,%{frr_user},%{frr_group})
%{_sysconfdir}/%{name}/daemons
+%if 0%{?suse_version} > 1500
+%{_pam_vendordir}/frr
+%else
%config(noreplace) %{_sysconfdir}/pam.d/frr
+%endif
%if 0%{?suse_version} > 1500
%{_distconfdir}/logrotate.d/frr
%else
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package frr for openSUSE:Factory checked in
at 2022-11-16 15:43:09
Comparing /work/SRC/openSUSE:Factory/frr (Old)
and /work/SRC/openSUSE:Factory/.frr.new.1597 (New)
Package is "frr"
Wed Nov 16 15:43:09 2022 rev:21 rq:1035865 version:8.4
Changes:
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2022-09-07 11:06:04.976413589
+0200
+++ /work/SRC/openSUSE:Factory/.frr.new.1597/frr.changes2022-11-16
15:43:15.951810530 +0100
@@ -1,0 +2,59 @@
+Fri Nov 11 13:04:52 UTC 2022 - Marius Tomaschewski
+
+- Migration to /usr/etc: Conditionally moved /etc/logrotate.d/frr
+ file to vendor specific directory /usr/etc/logrotate.d and added
+ saving of user changed configuration files in /etc and restoring
+ them while an RPM update.
+- Declare root as sufficient also in the pam account verification;
+ without vtysh use causes to log a pam frr:account warnings
+ (https://github.com/FRRouting/frr/pull/12308)
+ [+ 0005-root-ok-in-account-frr.pam.patch]
+- Applied fix removing a not needed backslash causing to log a warning
+ (https://github.com/FRRouting/frr/pull/12307)
+ [+ 0004-tools-remove-backslash-from-declare-check-regex.patch]
+- Applied upstream fixes for frrinit.sh to avoid a privilege escalation
+ from frr to root in frr config creation (bsc#1204124,CVE-2022-42917,
+ https://github.com/FRRouting/frr/pull/12157).
+ [+ 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch]
+- Removed obsolete patches provided in the 8.4 source archive:
+ [- 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch,
+ - 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch,
+ - 0005-isisd-fix-router-capability-TLV-parsing-issues.patch,
+ - 0006-isisd-fix-10505-using-base64-encoding.patch,
+ - 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch,
+ - 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
+- Update to version 8.4, see https://frrouting.org/release/8.4/
+ * New BGP command (neighbor PEER soo) to configure SoO to prevent
+routing loops and suboptimal routing on dual-homed sites.
+ * Command debug bgp allow-martian replaced to bgp allow-martian-nexthop
+because previously we allowed using martian next-hops when debug is
+turned on.
+ * Implement BGP Prefix Origin Validation State Extended Community rfc8097
+ * Implement Route Leak Prevention and Detection Using Roles in UPDATE
+ and OPEN Messages rfc9234
+ * BMP L3VPN support
+ * PIMv6 support
+ * MLD support
+ * New command to enable using reserved IPv4 ranges as normal addresses
+for BGP next-hops, interface addresses, etc.
+ * As usual, lots of bugs and memory leaks were fixed \m/
+such as a fix for a possible use-after-free due to a race
+condition related to bgp_notify_send_with_data() and
+bgp_process_packet() in bgp_packet.c. This could lead to
+Remote Code Execution or Information Disclosure by sending
+crafted BGP packets (CVE-2022-37035,bsc#1202085).
+- Update to version 8.3, see https://frrouting.org/release/8.3/
+ * Notification Message support for BGP Graceful Restart
+ * BGP Cease Notification Subcode For BFD
+ * Send Hold Timer for BGP
+ * RFC5424 syslog support
+ * PIM passive command
+- Update to version 8.2.2, see https://frrouting.org/release/8.2.2/
+ * BGP Long-lived graceful restart capability
+ * BGP Extended Optional Parameters Length for BGP OPEN Message
+ * BGP Extended BGP Administrative Shutdown Communication
+ * IS-IS Link State Traffic Engineering support
+ * OSPFv3 Support for NSSA Type-7 address ranges
+ * PBR VLAN actions support
+
+---
Old:
0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch
0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch
0005-isisd-fix-router-capability-TLV-parsing-issues.patch
0006-isisd-fix-10505-using-base64-encoding.patch
0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch
0008-isisd-Ensure-rcap-is-freed-in-error-case.patch
frr-8.1.tar.gz
New:
0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
0004-tools-remove-backslash-from-declare-check-regex.patch
0005-root-ok-in-account-frr.pam.patch
frr-8.4.tar.gz
Other differences:
--
++ frr.spec ++
--- /var/tmp/diff_new_pack.kbq9ap/_old 2022-11-16 15:43:17.403815794 +0100
+++ /var/tmp/diff_new_pack.kbq9ap/_new 2022-11-16 15:43:17.407815808 +0100
@@ -30,23 +30,20 @@
%define frr_daemondir %{_prefix}/lib/frr
Name: frr
-Version:8.1
+Version:8.4
Release:0
Summary:FRRouting Routing daemon
License:
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package frr for openSUSE:Factory checked in
at 2022-09-07 11:05:55
Comparing /work/SRC/openSUSE:Factory/frr (Old)
and /work/SRC/openSUSE:Factory/.frr.new.2083 (New)
Package is "frr"
Wed Sep 7 11:05:55 2022 rev:20 rq:1001516 version:8.1
Changes:
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2022-03-21 20:11:54.296433027
+0100
+++ /work/SRC/openSUSE:Factory/.frr.new.2083/frr.changes2022-09-07
11:06:04.976413589 +0200
@@ -1,0 +2,11 @@
+Mon Sep 5 11:48:25 UTC 2022 - Marius Tomaschewski
+
+- Apply upstream fix for out-of-bounds read in the BGP daemon
+ that may lead to information disclosure or denial of service
+ (bsc#1202023,CVE-2022-37032)
+ [+ 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch]
+- Apply upstream fix for a memory leak in the IS-IS daemon that
+ may lead to server memory exhaustion (bsc#1202022,CVE-2019-25074)
+ [+ 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
+
+---
New:
0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch
0008-isisd-Ensure-rcap-is-freed-in-error-case.patch
Other differences:
--
++ frr.spec ++
--- /var/tmp/diff_new_pack.EAxiuY/_old 2022-09-07 11:06:05.552415053 +0200
+++ /var/tmp/diff_new_pack.EAxiuY/_new 2022-09-07 11:06:05.556415062 +0200
@@ -45,6 +45,8 @@
Patch4: 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch
Patch5: 0005-isisd-fix-router-capability-TLV-parsing-issues.patch
Patch6: 0006-isisd-fix-10505-using-base64-encoding.patch
+Patch7: 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch
+Patch8: 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison >= 2.7
@@ -191,6 +193,8 @@
%patch5 -p1
gzip -9 tests/isisd/test_fuzz_isis_tlv_tests.h
%patch6 -p1
+%patch7 -p1
+%patch8 -p1
%build
# GCC LTO objects must be "fat" to avoid assembly errors
++ 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch ++
>From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001
From: Donald Sharp
Date: Thu, 21 Jul 2022 08:11:58 -0400
Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
expected
References: bsc#1202023,CVE-2022-37032
Upstream: yes
Ensure that if the capability length specified is enough data.
Signed-off-by: Donald Sharp
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index dbf6c0b2e9..45752a8ab6 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer,
uint8_t *pnt,
"%s CAPABILITY has action: %d, code: %u, length
%u",
peer->host, action, hdr->code, hdr->length);
+ if (hdr->length < sizeof(struct capability_mp_data)) {
+ zlog_info(
+ "%pBP Capability structure is not properly
filled out, expected at least %zu bytes but header length specified is %d",
+ peer, sizeof(struct capability_mp_data),
+ hdr->length);
+ return BGP_Stop;
+ }
+
/* Capability length check. */
if ((pnt + hdr->length + 3) > end) {
zlog_info("%s Capability length error", peer->host);
--
2.35.3
++ 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch ++
>From 49efc80d342d8e8373c8af040580bd7940808730 Mon Sep 17 00:00:00 2001
From: Donald Sharp
Date: Wed, 20 Jul 2022 16:49:09 -0400
Subject: [PATCH] isisd: Ensure rcap is freed in error case
References: bsc#1202022
Upstream: yes
unpack_tlv_router_cap allocates memory that in the error
case is not being freed.
Signed-off-by: Donald Sharp
diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c
index 11be3c3a71..b3c3fd4b0b 100644
--- a/isisd/isis_tlvs.c
+++ b/isisd/isis_tlvs.c
@@ -3580,9 +3580,9 @@ static int pack_tlv_router_cap(const struct
isis_router_cap *router_cap,
}
static int unpack_tlv_router_cap(enum isis_tlv_context context,
- uint8_t tlv_type, uint8_t tlv_len,
- struct stream *s, struct sbuf *log,
- void *dest, int indent)
+uint8_t tlv_type, uint8_t tlv_len,
+struct stream *s, struct sbuf *log, void *dest,
+int indent)
{
struct isis_tlvs *tlvs = dest;
struct isis_router_cap *rcap;
@@ -3627,7
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package frr for openSUSE:Factory checked in
at 2022-03-21 20:11:41
Comparing /work/SRC/openSUSE:Factory/frr (Old)
and /work/SRC/openSUSE:Factory/.frr.new.25692 (New)
Package is "frr"
Mon Mar 21 20:11:41 2022 rev:19 rq:963468 version:8.1
Changes:
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2022-03-01 17:04:02.656341019
+0100
+++ /work/SRC/openSUSE:Factory/.frr.new.25692/frr.changes 2022-03-21
20:11:54.296433027 +0100
@@ -1,0 +2,7 @@
+Thu Mar 17 11:45:00 UTC 2022 - Dominique Leuenberger
+
+- Make build a bit cheaper: do only BuildRequire the primary python
+ interpreter and its modules (python3-FOO) instead of all
+ available versions as done using %{python_module FOO}
+
+---
Other differences:
--
++ frr.spec ++
--- /var/tmp/diff_new_pack.UqGeze/_old 2022-03-21 20:11:55.196433927 +0100
+++ /var/tmp/diff_new_pack.UqGeze/_new 2022-03-21 20:11:55.200433931 +0100
@@ -22,8 +22,6 @@
%bcond_with mininet
%bcond_with grpc
-%define skip_python2 1
-
%define frr_user frr
%define frr_group frr
%define frrvty_group frrvty
@@ -47,15 +45,15 @@
Patch4: 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch
Patch5: 0005-isisd-fix-router-capability-TLV-parsing-issues.patch
Patch6: 0006-isisd-fix-10505-using-base64-encoding.patch
-BuildRequires: %{python_module Sphinx}
-BuildRequires: %{python_module devel}
-BuildRequires: %{python_module pytest}
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison >= 2.7
BuildRequires: flex
BuildRequires: libtool
BuildRequires: makeinfo
+BuildRequires: python3-Sphinx
+BuildRequires: python3-devel
+BuildRequires: python3-pytest
%if %{with mininet}
BuildRequires: mininet
%endif
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package frr for openSUSE:Factory checked in
at 2022-03-01 17:03:26
Comparing /work/SRC/openSUSE:Factory/frr (Old)
and /work/SRC/openSUSE:Factory/.frr.new.1958 (New)
Package is "frr"
Tue Mar 1 17:03:26 2022 rev:18 rq:958103 version:8.1
Changes:
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2021-12-09 19:46:25.077156612
+0100
+++ /work/SRC/openSUSE:Factory/.frr.new.1958/frr.changes2022-03-01
17:04:02.656341019 +0100
@@ -1,0 +2,18 @@
+Mon Feb 28 11:05:48 UTC 2022 - Marius Tomaschewski
+
+- Apply fix for a buffer overflow in isisd due to the use of strdup
+ with a non-zero-terminated binary string (bsc#1196506,CVE-2022-26126)
+ [+ 0006-isisd-fix-10505-using-base64-encoding.patch]
+- Apply fix for a buffer overflow in isisd due to wrong checks on
+ the input packet length (bsc#1196505,CVE-2022-26125) with workaround
+ for the GIT binary patch to tests/isisd/test_fuzz_isis_tlv_tests.h.gz
+ [+ 0005-isisd-fix-router-capability-TLV-parsing-issues.patch]
+- Apply fix for a buffer overflow in babeld due to wrong checks on
+ the input packet length in the packet_examin and subtlv parsing
+ (bsc#1196504,bsc#1196507,CVE-2022-26128,CVE-2022-26129)
+ [+ 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch]
+- Apply fix for a heap buffer overflow in babeld due to missing check
+ on the input packet length (bsc#1196503,CVE-2022-26127)
+ [+ 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch]
+
+---
New:
0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch
0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch
0005-isisd-fix-router-capability-TLV-parsing-issues.patch
0006-isisd-fix-10505-using-base64-encoding.patch
Other differences:
--
++ frr.spec ++
--- /var/tmp/diff_new_pack.YWGqFE/_old 2022-03-01 17:04:03.404341218 +0100
+++ /var/tmp/diff_new_pack.YWGqFE/_new 2022-03-01 17:04:03.408341218 +0100
@@ -1,7 +1,7 @@
#
# spec file for package frr
#
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
# Copyright (c) 2019-2021, Martin Hauke
#
# All modifications and additions to the file contributed by third parties
@@ -43,6 +43,10 @@
Source1:%{name}-tmpfiles.d
Patch1: 0001-disable-zmq-test.patch
Patch2: harden_frr.service.patch
+Patch3: 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch
+Patch4: 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch
+Patch5: 0005-isisd-fix-router-capability-TLV-parsing-issues.patch
+Patch6: 0006-isisd-fix-10505-using-base64-encoding.patch
BuildRequires: %{python_module Sphinx}
BuildRequires: %{python_module devel}
BuildRequires: %{python_module pytest}
@@ -79,7 +83,7 @@
Requires(post): %{install_info_prereq}
Requires(pre): %{install_info_prereq}
Requires(pre): shadow
-Requires(preun): %{install_info_prereq}
+Requires(preun):%{install_info_prereq}
Recommends: logrotate
Conflicts: quagga
Provides: zebra = %{version}
@@ -183,6 +187,12 @@
%setup -q -n %{name}-%{name}-%{version}
%patch1 -p1
%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+gzip -d tests/isisd/test_fuzz_isis_tlv_tests.h.gz
+%patch5 -p1
+gzip -9 tests/isisd/test_fuzz_isis_tlv_tests.h
+%patch6 -p1
%build
# GCC LTO objects must be "fat" to avoid assembly errors
++ 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch ++
>From 50044ec7fe129e0a74d3a679dd29fe17ce30e6bf Mon Sep 17 00:00:00 2001
From: whichbug
Date: Thu, 3 Feb 2022 12:01:31 -0500
Upstream: yes
References: bsc#1196503,CVE-2022-26127
Subject: [PATCH] babeld: fix #10487 by adding a check on packet length
The body length of a packet should satisfy the condition:
packetlen >= bodylen + 4. Otherwise, heap overflows may happen.
Signed-off-by: whichbug
diff --git a/babeld/message.c b/babeld/message.c
index 5c2e29d8b..3a29b6a60 100644
--- a/babeld/message.c
+++ b/babeld/message.c
@@ -288,13 +288,18 @@ channels_len(unsigned char *channels)
static int
babel_packet_examin(const unsigned char *packet, int packetlen)
{
-unsigned i = 0, bodylen;
+int i = 0, bodylen;
const unsigned char *message;
unsigned char type, len;
if(packetlen < 4 || packet[0] != 42 || packet[1] != 2)
return 1;
DO_NTOHS(bodylen, packet + 2);
+if(bodylen + 4 > packetlen) {
+debugf(BABEL_DEBUG_COMMON, "Received truncated packet (%d + 4 > %d).",
+ bodylen, packetlen);
+return 1;
+}
while (i < bodylen){
message = packet + 4 + i;
type = message[0];
@@ -366,12 +371,6 @@
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package frr for openSUSE:Factory checked in at 2021-12-09 19:45:43 Comparing /work/SRC/openSUSE:Factory/frr (Old) and /work/SRC/openSUSE:Factory/.frr.new.2520 (New) Package is "frr" Thu Dec 9 19:45:43 2021 rev:17 rq:937650 version:8.1 Changes: --- /work/SRC/openSUSE:Factory/frr/frr.changes 2021-11-18 10:34:49.299962570 +0100 +++ /work/SRC/openSUSE:Factory/.frr.new.2520/frr.changes2021-12-09 19:46:25.077156612 +0100 @@ -1,0 +2,5 @@ +Thu Dec 9 08:40:11 UTC 2021 - Johannes Segitz + +- Add ReadWritePaths=/etc/frr to harden_frr.service.patch (bsc#1181400). + +--- Other differences: -- ++ harden_frr.service.patch ++ --- /var/tmp/diff_new_pack.ptUvZ3/_old 2021-12-09 19:46:25.809156964 +0100 +++ /var/tmp/diff_new_pack.ptUvZ3/_new 2021-12-09 19:46:25.809156964 +0100 @@ -1,14 +1,15 @@ -Index: frr-frr-8.0.1/tools/frr.service.in +Index: frr-frr-8.1/tools/frr.service.in === frr-frr-8.0.1.orig/tools/frr.service.in -+++ frr-frr-8.0.1/tools/frr.service.in -@@ -7,6 +7,15 @@ Before=network.target +--- frr-frr-8.1.orig/tools/frr.service.in frr-frr-8.1/tools/frr.service.in +@@ -7,6 +7,16 @@ Before=network.target OnFailure=heartbeat-failed@%n [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full ++ReadWritePaths=/etc/frr +ProtectHome=true +ProtectKernelModules=true +ProtectKernelLogs=true @@ -18,17 +19,18 @@ Nice=-5 Type=forking NotifyAccess=all -Index: frr-frr-8.0.1/tools/f...@.service.in +Index: frr-frr-8.1/tools/f...@.service.in === frr-frr-8.0.1.orig/tools/f...@.service.in -+++ frr-frr-8.0.1/tools/f...@.service.in -@@ -7,6 +7,15 @@ Before=network.target +--- frr-frr-8.1.orig/tools/f...@.service.in frr-frr-8.1/tools/f...@.service.in +@@ -7,6 +7,16 @@ Before=network.target OnFailure=heartbeat-failed@%n [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full ++ReadWritePaths=/etc/frr +ProtectHome=true +ProtectKernelModules=true +ProtectKernelLogs=true
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package frr for openSUSE:Factory checked in
at 2021-11-18 10:34:47
Comparing /work/SRC/openSUSE:Factory/frr (Old)
and /work/SRC/openSUSE:Factory/.frr.new.1895 (New)
Package is "frr"
Thu Nov 18 10:34:47 2021 rev:16 rq:932045 version:8.1
Changes:
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2021-10-15 23:03:48.450090786
+0200
+++ /work/SRC/openSUSE:Factory/.frr.new.1895/frr.changes2021-11-18
10:34:49.299962570 +0100
@@ -1,0 +2,12 @@
+Wed Nov 17 05:48:12 UTC 2021 - Linnaea Lavia
+
+- Update to version 8.1
+ * Graceful Restart for OSPFv2 and OSPFv3
+ * OSPFv3 NSSA and NSSA-TSA support
+ * OSPFv3 ASBR Summarisation Support
+ * BGP SRv6 and Prefix-SID Type 5 improvements
+ * BGP EVPN type-5 gateway IP overlay Index
+ * Lua hook support
+ * See: https://frrouting.org/release/8.1/
+
+---
Old:
frr-8.0.1.tar.gz
New:
frr-8.1.tar.gz
Other differences:
--
++ frr.spec ++
--- /var/tmp/diff_new_pack.BEi3fV/_old 2021-11-18 10:34:49.915963143 +0100
+++ /var/tmp/diff_new_pack.BEi3fV/_new 2021-11-18 10:34:49.919963147 +0100
@@ -32,7 +32,7 @@
%define frr_daemondir %{_prefix}/lib/frr
Name: frr
-Version:8.0.1
+Version:8.1
Release:0
Summary:FRRouting Routing daemon
License:GPL-2.0-or-later AND LGPL-2.1-or-later
++ frr-8.0.1.tar.gz -> frr-8.1.tar.gz ++
/work/SRC/openSUSE:Factory/frr/frr-8.0.1.tar.gz
/work/SRC/openSUSE:Factory/.frr.new.1895/frr-8.1.tar.gz differ: char 13, line 1
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package frr for openSUSE:Factory checked in
at 2021-10-15 23:03:35
Comparing /work/SRC/openSUSE:Factory/frr (Old)
and /work/SRC/openSUSE:Factory/.frr.new.1890 (New)
Package is "frr"
Fri Oct 15 23:03:35 2021 rev:15 rq:925497 version:8.0.1
Changes:
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2021-09-28 19:17:25.160247152
+0200
+++ /work/SRC/openSUSE:Factory/.frr.new.1890/frr.changes2021-10-15
23:03:48.450090786 +0200
@@ -1,0 +2,20 @@
+Fri Oct 15 12:11:50 UTC 2021 - Johannes Segitz
+
+- Drop ProtectClock hardening, can cause issues if other device acceess is
needed
+
+---
+Sat Oct 9 01:58:08 UTC 2021 - Linnaea Lavia
+
+- Update to version 8.0.1
+ * refreshed patch:
+- 0001-disable-zmq-test.patch
+- harden_frr.service.patch
+ * LDP gained SNMP support
+ * OSPFv3 gained VRF support
+ * EVPN Multihoming is now fully supported
+ * TI-LFA implemented in IS-IS and OSPS
+ * New Segment Routing daemon
+ * See: https://frrouting.org/release/8.0/
+ and https://github.com/FRRouting/frr/releases/tag/frr-8.0.1
+
+---
Old:
frr-7.5.1.tar.gz
New:
frr-8.0.1.tar.gz
Other differences:
--
++ frr.spec ++
--- /var/tmp/diff_new_pack.qPiLTI/_old 2021-10-15 23:03:49.038091205 +0200
+++ /var/tmp/diff_new_pack.qPiLTI/_new 2021-10-15 23:03:49.042091208 +0200
@@ -32,7 +32,7 @@
%define frr_daemondir %{_prefix}/lib/frr
Name: frr
-Version:7.5.1
+Version:8.0.1
Release:0
Summary:FRRouting Routing daemon
License:GPL-2.0-or-later AND LGPL-2.1-or-later
@@ -51,7 +51,6 @@
BuildRequires: bison >= 2.7
BuildRequires: flex
BuildRequires: libtool
-BuildRequires: libyang-extentions
BuildRequires: makeinfo
%if %{with mininet}
BuildRequires: mininet
@@ -69,10 +68,11 @@
BuildRequires: pkgconfig(json-c)
BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(libcares)
+BuildRequires: pkgconfig(libelf)
BuildRequires: pkgconfig(libpcre)
BuildRequires: pkgconfig(libprotobuf-c)
BuildRequires: pkgconfig(libsystemd)
-BuildRequires: pkgconfig(libyang) >= 1.0.184
+BuildRequires: pkgconfig(libyang) >= 2.0.0
BuildRequires: pkgconfig(libzmq) >= 4.0.0
BuildRequires: pkgconfig(rtrlib) >= 0.5.0
BuildRequires: pkgconfig(sqlite3)
@@ -84,7 +84,6 @@
Conflicts: quagga
Provides: zebra = %{version}
Obsoletes: zebra < %{version}
-Requires: libyang-extentions
%description
FRR is free software which manages TCP/IP based routing protocols.
@@ -192,7 +191,6 @@
autoreconf -fiv
%configure \
--disable-silent-rules \
---enable-exampledir=%{_docdir}/%{name}/examples \
--sysconfdir=%{_sysconfdir}/%{name} \
--localstatedir=%{frr_statedir} \
--sbindir=%{frr_daemondir} \
@@ -351,7 +349,6 @@
%license COPYING COPYING-LGPLv2.1
%doc README.md
%doc doc/mpls
-%doc %{_docdir}/%{name}/examples
%dir %attr(750,%{frr_user},%{frr_user}) %{_sysconfdir}/%{name}
%config(noreplace) %attr(640,%{frr_user},%{frr_group})
%{_sysconfdir}/%{name}/[!v]*.conf*
%config(noreplace) %attr(640,%{frr_user},%{frrvty_group})
%{_sysconfdir}/%{name}/vtysh.conf
@@ -387,6 +384,7 @@
%{frr_daemondir}/nhrpd
%{frr_daemondir}/ospf6d
%{frr_daemondir}/ospfd
+%{frr_daemondir}/pathd
%{frr_daemondir}/pbrd
%{frr_daemondir}/pimd
%{frr_daemondir}/ripd
@@ -401,6 +399,7 @@
%{_libdir}/frr/modules/zebra_cumulus_mlag.so
%{_libdir}/frr/modules/zebra_fpm.so
%{_libdir}/frr/modules/zebra_irdp.so
+%{_libdir}/frr/modules/pathd_pcep.so
%{_libdir}/frr/modules/bgpd_rpki.so
%if %{with grpc}
%{_libdir}/frr/modules/grpc.so
@@ -448,6 +447,8 @@
%{_includedir}/%{name}/ospfapi/*.h
%dir %{_includedir}/%{name}/eigrpd
%{_includedir}/%{name}/eigrpd/*.h
+%dir %{_includedir}/%{name}/bfdd
+%{_includedir}/%{name}/bfdd/*.h
%{_libdir}/lib*.so
%changelog
++ 0001-disable-zmq-test.patch ++
--- /var/tmp/diff_new_pack.qPiLTI/_old 2021-10-15 23:03:49.062091222 +0200
+++ /var/tmp/diff_new_pack.qPiLTI/_new 2021-10-15 23:03:49.066091225 +0200
@@ -11,13 +11,14 @@
index 1f8ee5416..b298fe7b5 100644
--- a/tests/lib/test_zmq.py
+++ b/tests/lib/test_zmq.py
-@@ -5,7 +5,6 @@ import os
- class TestZMQ(frrtest.TestRefOut):
- program = './test_zmq'
+@@ -5,8 +5,7 @@ import os
+ program = "./test_zmq"
--@pytest.mark.skipif('S["ZEROMQ_TRUE"]=""\n' not in
open('../config.status').readlines(),
--reason='ZEROMQ not enabled')
-+@pytest.mark.skip(reason="Test disabled due to intermittent build service
timeouts")
+ @pytest.mark.skipif(
+-
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package frr for openSUSE:Factory checked in
at 2021-09-28 19:16:31
Comparing /work/SRC/openSUSE:Factory/frr (Old)
and /work/SRC/openSUSE:Factory/.frr.new.1899 (New)
Package is "frr"
Tue Sep 28 19:16:31 2021 rev:14 rq:921883 version:7.5.1
Changes:
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2021-04-24 23:10:05.519474463
+0200
+++ /work/SRC/openSUSE:Factory/.frr.new.1899/frr.changes2021-09-28
19:17:25.160247152 +0200
@@ -1,0 +2,6 @@
+Thu Sep 16 07:12:55 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_frr.service.patch
+
+---
New:
harden_frr.service.patch
Other differences:
--
++ frr.spec ++
--- /var/tmp/diff_new_pack.g7uFf1/_old 2021-09-28 19:17:25.608247667 +0200
+++ /var/tmp/diff_new_pack.g7uFf1/_new 2021-09-28 19:17:25.612247672 +0200
@@ -42,6 +42,7 @@
Source:
https://github.com/FRRouting/frr/archive/%{name}-%{version}.tar.gz
Source1:%{name}-tmpfiles.d
Patch1: 0001-disable-zmq-test.patch
+Patch2:harden_frr.service.patch
BuildRequires: %{python_module Sphinx}
BuildRequires: %{python_module devel}
BuildRequires: %{python_module pytest}
@@ -182,6 +183,7 @@
%prep
%setup -q -n %{name}-%{name}-%{version}
%patch1 -p1
+%patch2 -p1
%build
# GCC LTO objects must be "fat" to avoid assembly errors
++ harden_frr.service.patch ++
Index: frr-frr-7.5.1/tools/frr.service
===
--- frr-frr-7.5.1.orig/tools/frr.service
+++ frr-frr-7.5.1/tools/frr.service
@@ -7,6 +7,16 @@ Before=network.target
OnFailure=heartbeat-failed@%n.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectClock=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Nice=-5
Type=forking
NotifyAccess=all
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package frr for openSUSE:Factory checked in
at 2021-04-24 23:08:55
Comparing /work/SRC/openSUSE:Factory/frr (Old)
and /work/SRC/openSUSE:Factory/.frr.new.12324 (New)
Package is "frr"
Sat Apr 24 23:08:55 2021 rev:13 rq:888005 version:7.5.1
Changes:
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2021-03-05 13:51:20.579956286
+0100
+++ /work/SRC/openSUSE:Factory/.frr.new.12324/frr.changes 2021-04-24
23:10:05.519474463 +0200
@@ -1,0 +2,6 @@
+Fri Apr 23 03:05:06 UTC 2021 - Marius Tomaschewski
+
+- Use skip, not xfail in 0001-disable-zmq-test.patch to disable
+ zmq test as it is not expected to fail but hangs (bsc#1180217)
+
+---
Other differences:
--
++ 0001-disable-zmq-test.patch ++
--- /var/tmp/diff_new_pack.vVWYKD/_old 2021-04-24 23:10:05.983475120 +0200
+++ /var/tmp/diff_new_pack.vVWYKD/_new 2021-04-24 23:10:05.983475120 +0200
@@ -17,7 +17,7 @@
-@pytest.mark.skipif('S["ZEROMQ_TRUE"]=""\n' not in
open('../config.status').readlines(),
-reason='ZEROMQ not enabled')
-+@pytest.mark.xfail(reason="Test disabled due to intermittent build
service timeouts")
++@pytest.mark.skip(reason="Test disabled due to intermittent build service
timeouts")
def test_refout(self):
return super(TestZMQ, self).test_refout()
--
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package frr for openSUSE:Factory checked in
at 2021-03-05 13:48:58
Comparing /work/SRC/openSUSE:Factory/frr (Old)
and /work/SRC/openSUSE:Factory/.frr.new.2378 (New)
Package is "frr"
Fri Mar 5 13:48:58 2021 rev:12 rq:876921 version:7.5.1
Changes:
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2021-01-15 19:47:31.558137740
+0100
+++ /work/SRC/openSUSE:Factory/.frr.new.2378/frr.changes2021-03-05
13:51:20.579956286 +0100
@@ -1,0 +2,7 @@
+Thu Mar 4 21:20:02 UTC 2021 - Martin Hauke
+
+- Update to version 7.5.1
+ * Maintenance release
+See: https://github.com/FRRouting/frr/blob/stable/7.5/changelog-auto.in
+
+---
Old:
frr-7.5.tar.gz
New:
frr-7.5.1.tar.gz
Other differences:
--
++ frr.spec ++
--- /var/tmp/diff_new_pack.7TG6kj/_old 2021-03-05 13:51:21.175956860 +0100
+++ /var/tmp/diff_new_pack.7TG6kj/_new 2021-03-05 13:51:21.179956864 +0100
@@ -1,8 +1,8 @@
#
# spec file for package frr
#
-# Copyright (c) 2020 SUSE LLC
-# Copyright (c) 2019-2020, Martin Hauke
+# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2019-2021, Martin Hauke
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -32,7 +32,7 @@
%define frr_daemondir %{_prefix}/lib/frr
Name: frr
-Version:7.5
+Version:7.5.1
Release:0
Summary:FRRouting Routing daemon
License:GPL-2.0-or-later AND LGPL-2.1-or-later
++ frr-7.5.tar.gz -> frr-7.5.1.tar.gz ++
/work/SRC/openSUSE:Factory/frr/frr-7.5.tar.gz
/work/SRC/openSUSE:Factory/.frr.new.2378/frr-7.5.1.tar.gz differ: char 13, line
1
commit frr for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package frr for openSUSE:Factory checked in at 2021-01-15 19:46:49 Comparing /work/SRC/openSUSE:Factory/frr (Old) and /work/SRC/openSUSE:Factory/.frr.new.28504 (New) Package is "frr" Fri Jan 15 19:46:49 2021 rev:11 rq:863290 version:7.5 Changes: --- /work/SRC/openSUSE:Factory/frr/frr.changes 2020-12-22 15:14:43.949997200 +0100 +++ /work/SRC/openSUSE:Factory/.frr.new.28504/frr.changes 2021-01-15 19:47:31.558137740 +0100 @@ -1,0 +2,5 @@ +Fri Jan 8 08:08:08 UTC 2021 - o...@aepfle.de + +- Requires libyang 1.0.184 + +--- Other differences: -- ++ frr.spec ++ --- /var/tmp/diff_new_pack.2K8ENx/_old 2021-01-15 19:47:32.194138687 +0100 +++ /var/tmp/diff_new_pack.2K8ENx/_new 2021-01-15 19:47:32.198138693 +0100 @@ -71,7 +71,7 @@ BuildRequires: pkgconfig(libpcre) BuildRequires: pkgconfig(libprotobuf-c) BuildRequires: pkgconfig(libsystemd) -BuildRequires: pkgconfig(libyang) >= 1.0.101 +BuildRequires: pkgconfig(libyang) >= 1.0.184 BuildRequires: pkgconfig(libzmq) >= 4.0.0 BuildRequires: pkgconfig(rtrlib) >= 0.5.0 BuildRequires: pkgconfig(sqlite3)
