[SECURITY] [DLA 601-1] quagga security update



Package        : quagga
Version        : 0.99.22.4-1+wheezy3
CVE ID         : CVE-2016-4036 CVE-2016-4049
Debian Bug     : 835223, 822787 

The quagga package installs world-readable sensitive files in /etc/quagga,
and might be subject to denial of service because of missing packet size
checks.

CVE-2016-4036

  The quagga package before 0.99.23-2.6.1 uses weak permissions for 
  /etc/quagga, which allows local users to obtain sensitive information
  by reading files in the directory.

CVE-2016-4049

  The bgp_dump_routes_func function in bgpd/bgp_dump.c in Quagga does
  not perform size checks when dumping data, which might allow remote 
  attackers to cause a denial of service (assertion failure and daemon
  crash) via a large BGP packet.

For Debian 7 "Wheezy", these problems have been fixed in version
0.99.22.4-1+wheezy3.

We recommend that you upgrade your quagga packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
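
An added example, not part of the advisory or of the Debian/Quagga code: a shell audit for the CVE-2016-4036 exposure that lists files under a configuration directory which a local user outside the owning user and group can actually read. The function names are hypothetical, and the script assumes the parent of the audited directory (for instance /etc) is traversable by everyone.

```shell
#!/bin/sh
# Audit a config directory (e.g. /etc/quagga) for files readable by "other".

# world_exposed DIR: print each regular file under DIR that is reachable and
# readable by users outside the owning user/group. A file counts only if it
# has the other-read bit AND every directory from DIR down to it has the
# other-search (x) bit; without search permission on a parent directory the
# file cannot be opened regardless of its own mode.
world_exposed() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Prune directories lacking o+x so nothing beneath them is reported.
    find "$dir" -type d ! -perm -001 -prune -o -type f -perm -004 -print
}

# audit_dir DIR: return 0 when clean, 1 when exposed files exist, 2 on error.
audit_dir() {
    hits=$(world_exposed "$1") || return 2
    if [ -n "$hits" ]; then
        printf 'readable by any local user under %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    echo "ok: no world-readable files reachable under $1"
}

# Run only when a directory is given:  sh audit.sh /etc/quagga
[ $# -eq 0 ] || audit_dir "$1"
```

A non-zero exit status makes the script usable as a check in configuration management or a periodic job.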