This bug was fixed in the package frr - 10.0.1-0.1ubuntu1
---
frr (10.0.1-0.1ubuntu1) oracular; urgency=medium
* Merge with Debian unstable (LP: #2064404). Remaining changes:
- Fix logging with Ubuntu's unprivileged rsyslog (LP #1958162):
+ d/frr.postinst: change log files ownership
+ d/frr.logrotate: change rotated log file ownership
* Dropped security patches included upstream:
- SECURITY UPDATE: DoS via MP_REACH_NLRI data
+ debian/patches/CVE-2023-46752.patch: handle MP_REACH_NLRI malformed
packets with session reset in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
bgpd/bgp_packet.c.
+ CVE-2023-46752
- SECURITY UPDATE: DoS via BGP UPDATE without mandatory attributes
+ debian/patches/CVE-2023-46753.patch: check mandatory attributes more
carefully for UPDATE message in bgpd/bgp_attr.c.
+ CVE-2023-46753
- SECURITY UPDATE: read beyond stream during labeled unicast parsing
+ debian/patches/CVE-2023-38407.patch: fix use beyond end of stream of
labeled unicast parsing in bgpd/bgp_label.c.
+ CVE-2023-38407
- SECURITY UPDATE: crash via malformed BGP UPDATE message
+ debian/patches/CVE-2023-47235.patch: treat EOR as withdrawn to avoid
unwanted handling of malformed attrs in bgpd/bgp_attr.c.
+ CVE-2023-47235
- SECURITY UPDATE: crash via MP_UNREACH_NLRI attribute
+ debian/patches/CVE-2023-47234.patch: ignore handling NLRIs if we
received MP_UNREACH_NLRI in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
bgpd/bgp_packet.c.
+ CVE-2023-47234
- SECURITY UPDATE: DoS via malformed OSPF LSA packet
+ debian/patches/CVE-2024-27913.patch: solved crash in OSPF TE parsing
in ospfd/ospf_te.c.
+ CVE-2024-27913
-- Andreas Hasenack Mon, 29 Jul 2024 09:49:25
-0300
** Changed in: frr (Ubuntu)
Status: In Progress => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-38407
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46752
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46753
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-47234
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-47235
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-27913
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064404
Title:
Merge frr from Debian unstable for oracular
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/frr/+bug/2064404/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs