This bug was fixed in the package frr - 10.0.1-0.1ubuntu1

---------------
frr (10.0.1-0.1ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2064404). Remaining changes:
    - Fix logging with Ubuntu's unprivileged rsyslog (LP #1958162):
      + d/frr.postinst: change log files ownership
      + d/frr.logrotate: change rotated log file ownership
  * Dropped security patches included upstream:
    - SECURITY UPDATE: DoS via MP_REACH_NLRI data
      + debian/patches/CVE-2023-46752.patch: handle MP_REACH_NLRI malformed
        packets with session reset in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
        bgpd/bgp_packet.c.
      + CVE-2023-46752
    - SECURITY UPDATE: DoS via BGP UPDATE without mandatory attributes
      + debian/patches/CVE-2023-46753.patch: check mandatory attributes
        more carefully for UPDATE message in bgpd/bgp_attr.c.
      + CVE-2023-46753
    - SECURITY UPDATE: read beyond stream during labeled unicast parsing
      + debian/patches/CVE-2023-38407.patch: fix use beyond end of stream
        of labeled unicast parsing in bgpd/bgp_label.c.
      + CVE-2023-38407
    - SECURITY UPDATE: crash via malformed BGP UPDATE message
      + debian/patches/CVE-2023-47235.patch: treat EOR as withdrawn to
        avoid unwanted handling of malformed attrs in bgpd/bgp_attr.c.
      + CVE-2023-47235
    - SECURITY UPDATE: crash via MP_UNREACH_NLRI attribute
      + debian/patches/CVE-2023-47234.patch: ignore handling NLRIs if we
        received MP_UNREACH_NLRI in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
        bgpd/bgp_packet.c.
      + CVE-2023-47234
    - SECURITY UPDATE: DoS via malformed OSPF LSA packet
      + debian/patches/CVE-2024-27913.patch: solved crash in OSPF TE
        parsing in ospfd/ospf_te.c.
      + CVE-2024-27913

 -- Andreas Hasenack <andr...@canonical.com>  Mon, 29 Jul 2024 09:49:25 -0300

** Changed in: frr (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-38407

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46752

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46753

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-47234

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-47235

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-27913

https://bugs.launchpad.net/bugs/2064404

Title:
  Merge frr from Debian unstable for oracular