Changelog
quagga (0.99.22.4-1) unstable; urgency=high
  * SECURITY:
    "ospfd: CVE-2013-2236, stack overrun in apiserver

    The OSPF API-server (exporting the LSDB and allowing announcement of
    Opaque-LSAs) writes past the end of fixed on-stack buffers. This leads
    to an exploitable stack overflow.

    For this condition to occur, the following two conditions must be true:
    - Quagga is configured with --enable-opaque-lsa
    - ospfd is started with the "-a" command line option

    If either of these does not hold, the relevant code is not executed and
    the issue does not get triggered."
    Closes: #726724
  * New upstream release
    - ospfd: protect vs. VU#229804 (malformed Router-LSA)
      (Quagga is said to be non-vulnerable but still adds some protection)
-- Christian Hammers <email address hidden> Thu, 24 Oct 2013 22:58:37 +0200