[SECURITY] [DLA 601-1] quagga security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : quagga
Version : 0.99.22.4-1+wheezy3
CVE ID : CVE-2016-4036 CVE-2016-4049
Debian Bug : 835223, 822787
The quagga package installs world-readable sensitive files in /etc/quagga,
and might be subject to denial of service because it lacks packet size
checks.
CVE-2016-4036
The quagga package before 0.99.23-2.6.1 uses weak permissions for
/etc/quagga, which allows local users to obtain sensitive information
by reading files in the directory.
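A local check for the permissions issue described under CVE-2016-4036, added here as an example and not taken from the advisory or the quagga package. It assumes the directory to audit is passed as an argument and that removing the "other" permission bits is the intended target mode (the advisory does not state the mode the fixed package installs):

```shell
#!/bin/sh
# Added example, not part of the Debian advisory or of quagga itself.
# Reports regular files in a directory that are readable by "other"
# (the condition behind CVE-2016-4036 for /etc/quagga) and can strip
# the "other" bits. Target mode is an assumption, see the lead-in.

# Print regular files in $1 whose other-read bit is set, one per line.
# Exit status: 0 if none are world-readable, 1 if at least one is.
find_world_readable() {
    dir="$1"
    # -perm -o=r matches any file whose "other read" bit is set
    hits=$(find "$dir" -maxdepth 1 -type f -perm -o=r 2>/dev/null | sort)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Remove all "other" permission bits from the directory and its files.
harden_dir() {
    dir="$1"
    chmod o-rwx "$dir"
    find "$dir" -maxdepth 1 -type f -exec chmod o-rwx {} +
}

# Constructed demonstration in a temporary directory standing in for
# /etc/quagga; the config lines are sample content, no real files are touched.
demo() {
    tmp=$(mktemp -d)
    printf 'hostname r1\npassword secret\n' > "$tmp/zebra.conf"
    printf 'password secret\n'              > "$tmp/bgpd.conf"
    chmod 0644 "$tmp/zebra.conf"   # world-readable: the CVE condition
    chmod 0640 "$tmp/bgpd.conf"    # owner and group only
    if find_world_readable "$tmp"; then
        echo "no world-readable files in $tmp"
    else
        echo "world-readable files found, hardening $tmp"
        harden_dir "$tmp"
        find_world_readable "$tmp" && echo "hardened: nothing world-readable remains"
    fi
    rm -rf "$tmp"
}
```

Run `demo` to see the check flag zebra.conf and then pass after hardening; on a real host call `find_world_readable /etc/quagga` as root.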
CVE-2016-4049
The bgp_dump_routes_func function in bgpd/bgp_dump.c in Quagga does
not perform size checks when dumping data, which might allow remote
attackers to cause a denial of service (assertion failure and daemon
crash) via a large BGP packet.
For Debian 7 "Wheezy", these problems have been fixed in version
0.99.22.4-1+wheezy3.
We recommend that you upgrade your quagga packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS