Ubuntu: Quagga vulnerability
Posted by Benjamin D. Thomas   
Ubuntu It was discovered that Quagga did not correctly verify length information sent from configured peers. Remote malicious peers could send a specially crafted UPDATE message which would cause bgpd to abort, leading to a denial of service.
=========================================================== 
Ubuntu Security Notice USN-461-1               May 17, 2007
quagga vulnerability
CVE-2007-1995
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  quagga                                   0.99.2-1ubuntu3.1

Ubuntu 6.10:
  quagga                                   0.99.4-4ubuntu1.1

Ubuntu 7.04:
  quagga                                   0.99.6-2ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that Quagga did not correctly verify length 
information sent from configured peers.  Remote malicious peers could 
send a specially crafted UPDATE message which would cause bgpd to abort, 
leading to a denial of service.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.1.diff.gz
      Size/MD5:    31906 040e4fc7aceb2e2aa030086d619162dc
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.1.dsc
      Size/MD5:      762 f891a5b866522b3d748e66de9d242ffb
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2.orig.tar.gz
      Size/MD5:  2185137 88087d90697fcf5fe192352634f340b3

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.2-1ubuntu3.1_all.deb
      Size/MD5:   663694 bf76e66aff39c9b91dd5e4def6a59b06

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.1_amd64.deb
      Size/MD5:  1403368 cc3e45625001b0f1a3a6b1263d26cd1b

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.1_i386.deb
      Size/MD5:  1198576 096b5b4bdf88c9d26d166b73930084bf

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.1_powerpc.deb
      Size/MD5:  1351228 237c96d9f7237843cdd8e9b88673eb14

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.1_sparc.deb
      Size/MD5:  1322256 1772df6aa3a48bffed70b57b0812763f

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.4-4ubuntu1.1.diff.gz
      Size/MD5:    29987 d1cd101f3729161fc0b4c86c6023f82f
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.4-4ubuntu1.1.dsc
      Size/MD5:      762 4afe7890ba2c178777089bfa9de81534
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.4.orig.tar.gz
      Size/MD5:  2207774 a75d3f5ed0b3354274c28d195e3f6479

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.4-4ubuntu1.1_all.deb
      Size/MD5:   706328 b47bf93109b4c5365aab5a2774d4674b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.4-4ubuntu1.1_amd64.deb
      Size/MD5:  1409208 5ebc2a4f27407f05b3779c2dce6bab03

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.4-4ubuntu1.1_i386.deb
      Size/MD5:  1244392 1ab4d693a5dc869eb2f1b234451ed2c8

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.4-4ubuntu1.1_powerpc.deb
      Size/MD5:  1375444 91e3aaccf2ef113ebd55e1b7cf8680e0

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.4-4ubuntu1.1_sparc.deb
      Size/MD5:  1342382 c3b394ce9fffc99d5167dcfefdedacf0

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.6-2ubuntu3.1.diff.gz
      Size/MD5:    48290 868fad25987463f3373b8e3a7baa6d8c
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.6-2ubuntu3.1.dsc
      Size/MD5:      861 fde685263db0edc6ef32c0c0081097dd
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.6.orig.tar.gz
      Size/MD5:  2324051 78137ecaa66ff4c3780bd05f60e51cf5

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.6-2ubuntu3.1_all.deb
      Size/MD5:   720644 707acb63b8a1cabfa38d7748f834f814

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.6-2ubuntu3.1_amd64.deb
      Size/MD5:  1476654 91bc4654c0e615b55a88de93c19de2ec

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.6-2ubuntu3.1_i386.deb
      Size/MD5:  1309546 3c99a46e8d40ef40dd4ee1bc218e6b8e

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.6-2ubuntu3.1_powerpc.deb
      Size/MD5:  1485312 803b3da7540d5b0c0287ae9f0068b2e0

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.6-2ubuntu3.1_sparc.deb
      Size/MD5:  1417036 14443669e7396b193ef9f2d76778bc86


--M9u+pkcMrQJw6us1
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGTODoH/9LqRcGPm0RAkGkAJ9Z/wrYZV2wKZzLZYKjVBRVss34LQCgmtoi
BUwyv4xnQriQKCcjN01RP3o=N8WF
-----END PGP SIGNATURE-----

--M9u+pkcMrQJw6us1--


--==============e21554068961596648=Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--==============e21554068961596648==--