lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <OpenPKG-SA-2007.015@openpkg.com>
Date: Fri, 18 May 2007 08:00:38 +0200
From: OpenPKG GmbH <openpkg-noreply@...npkg.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [OpenPKG-SA-2007.015] OpenPKG Security Advisory
	(quagga)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

____________________________________________________________________________

Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2007.015
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2007.015
Advisory Published:      2007-05-18 08:00 UTC

Issue Id (internal):     OpenPKG-SI-20070518.01
Issue First Created:     2007-05-18
Issue Last Modified:     2007-05-18
Issue Revision:          02
____________________________________________________________________________

Subject Name:            Quagga
Subject Summary:         Routing Daemon
Subject Home:            http://www.quagga.net/
Subject Versions:        * <= 0.99.6

Vulnerability Id:        CVE-2007-1995
Vulnerability Scope:     global (not OpenPKG specific)

Attack Feasibility:      run-time
Attack Vector:           remote network
Attack Impact:           denial of service

Description:
    A Denial of Service (DoS) vulnerability exists in the routing
    daemon Quagga [0], versions up to and including 0.99.6. The Quagga
    bgpd(8) daemon is vulnerable as configured peers may cause it to
    abort because of an assertion which can be triggered by peers by
    sending an "UPDATE" message with a specially crafted, malformed
    Multi-Protocol reachable/unreachable "NLRI" attribute [1].

References:
    [0] http://www.quagga.net/
    [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1995
____________________________________________________________________________

Primary Package Name:    quagga
Primary Package Home:    http://openpkg.org/go/package/quagga

Corrected Distribution:  Corrected Branch: Corrected Package:
OpenPKG Enterprise       E1.0-SOLID        quagga-0.99.5-E1.0.1
OpenPKG Community        CURRENT           quagga-0.99.7-20070430
____________________________________________________________________________

For security reasons, this document was digitally signed with the
OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34)
which you can download from http://openpkg.com/openpkg.com.pgp
or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/.
Follow the instructions at http://openpkg.com/security/signatures/
for more details on how to verify the integrity of this document.
____________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG GmbH <http://openpkg.com/>

iD8DBQFGTUD+ZwQuyWG3rjQRApgTAJ9lXl+n8y1zkQTntreB42qA/dRLuwCff7dp
1QxgtYur89bdTFHxJo65+Vg=
=UMkX
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ