[Bug 2064404] Re: Merge frr from Debian unstable for oracular

Wed, 31 Jul 2024 18:55:31 -0700 

This bug was fixed in the package frr - 10.0.1-0.1ubuntu1

---------------
frr (10.0.1-0.1ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2064404). Remaining changes:
    - Fix logging with Ubuntu's unprivileged rsyslog (LP #1958162):
      + d/frr.postinst: change log files ownership
      + d/frr.logrotate: change rotated log file ownership
  * Dropped security patches included upstream:
    - SECURITY UPDATE: DoS via MP_REACH_NLRI data
      + debian/patches/CVE-2023-46752.patch: handle MP_REACH_NLRI malformed
        packets with session reset in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
        bgpd/bgp_packet.c.
      + CVE-2023-46752
    - SECURITY UPDATE: DoS via BGP UPDATE without mandatory attributes
      + debian/patches/CVE-2023-46753.patch: check mandatory attributes more
        carefully for UPDATE message in bgpd/bgp_attr.c.
      + CVE-2023-46753
    - SECURITY UPDATE: read beyond stream during labeled unicast parsing
      + debian/patches/CVE-2023-38407.patch: fix use beyond end of stream of
        labeled unicast parsing in bgpd/bgp_label.c.
      + CVE-2023-38407
    - SECURITY UPDATE: crash via malformed BGP UPDATE message
      + debian/patches/CVE-2023-47235.patch: treat EOR as withdrawn to avoid
        unwanted handling of malformed attrs in bgpd/bgp_attr.c.
      + CVE-2023-47235
    - SECURITY UPDATE: crash via MP_UNREACH_NLRI attribute
      + debian/patches/CVE-2023-47234.patch: ignore handling NLRIs if we
        received MP_UNREACH_NLRI in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
        bgpd/bgp_packet.c.
      + CVE-2023-47234
    - SECURITY UPDATE: DoS via malformed OSPF LSA packet
      + debian/patches/CVE-2024-27913.patch: solved crash in OSPF TE parsing
        in ospfd/ospf_te.c.
      + CVE-2024-27913

 -- Andreas Hasenack <andr...@canonical.com>  Mon, 29 Jul 2024 09:49:25
-0300

** Changed in: frr (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-38407

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46752

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46753

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-47234

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-47235

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-27913

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064404

Title:
  Merge frr from Debian unstable for oracular

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/frr/+bug/2064404/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to