frr 9.1-0.1 source package in Debian

Changelog

frr (9.1-0.1) unstable; urgency=high

  * Non-maintainer upload.
  * New upstream release (Closes: #1042473, #1055852):
    - CVE-2023-3748: parsing certain babeld unicast hello messages that are
      intended to be ignored. This issue may allow an attacker to send specially
      crafted hello messages with the unicast flag set, the interval field set
      to 0, or any TLV that contains a sub-TLV with the Mandatory flag set to
      enter an infinite loop and cause a denial of service.
    - CVE-2023-38407: bgpd/bgp_label.c attempts to read beyond the end of the
      stream during labeled unicast parsing.
    - CVE-2023-41361: bgpd/bgp_open.c does not check for an overly large
      length of the rcv software version.
    - CVE-2023-46752: It mishandles malformed MP_REACH_NLRI data, leading to a
      crash.
    - CVE-2023-46753: A crash can occur for a crafted BGP UPDATE message
      without mandatory attributes, e.g., one with only an unknown transit
      attribute.
    - CVE-2023-47234: A crash can occur when processing a crafted BGP UPDATE
      message with a MP_UNREACH_NLRI attribute and additional NLRI data (that
      lacks mandatory path attributes).
    - CVE-2023-47235: A crash can occur when a malformed BGP UPDATE message
      with an EOR is processed, because the presence of EOR does not lead to a
      treat-as-withdraw outcome.
  * Updating patches:
    - removing CVE-2023-38802.patch, included upstream.
    - removing CVE-2023-41358.patch, included upstream.
    - removing CVE-2023-41360.patch, included upstream.
    - removing unapplied CVE-2023-41361.patch, included upstream.
    - adding CVE-2024-27913.patch from upstream:
      ospf_te_parse_te in ospfd/ospf_te.c allows remote attackers to cause a
      denial of service (ospfd daemon crash) via a malformed OSPF LSA packet,
      because of an attempted access to a missing attribute field (Closes:
      #1065144).
  * Updating build-depends:
    - adding now required protobuf-c-compiler to build-depends.
    - adding now required libprotobuf-c-dev to build-depends.
    - adding new libmgmt_be_nb.so to frr.install.
    - removing obsolete lsb-base.
    - preferring new pkgconf over old pkg-config.
  * Updating override_dh_auto_clean to fix FTBFS when built twice in a row
    (Closes: #1044470):
    - call dh_auto_clean which is safe to run now.
    - remove tests/.pytest_cache.
  * Removing obsolete doc-base.

 -- Daniel Baumann <email address hidden>  Fri, 08 Mar 2024 23:21:21 +0100

Upload details

Uploaded by: David Lamparter
Uploaded to: Sid
Original maintainer: David Lamparter
Architectures: linux-any all
Section: misc
Urgency: Very Urgent

Downloads

File Size SHA-256 Checksum
frr_9.1-0.1.dsc 2.7 KiB fe61b7fc08e26ed1ed0555e5a41986a8c23a2d0014f048bd62659cfe683a6f86
frr_9.1.orig.tar.xz 7.8 MiB da24cc625121f7f215cc2c57dfb491266f7634b0b50422f8911bb0c44e812e60
frr_9.1-0.1.debian.tar.xz 31.8 KiB 0f6e95c12ddb133d420eabab1bf5bff2f001edec7473ea3a635887a02b113e24