Security Information / 2012 / Security Information -- DSA-2497-1 quagga

Debian Security Advisory

DSA-2497-1 quagga -- denial of service

Date Reported:

20 Jun 2012

Affected Packages:

quagga

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 676510.
In Mitre's CVE dictionary: CVE-2012-1820.

More information:

It was discovered that Quagga, a routing daemon, contains a vulnerability in processing the ORF capability in BGP OPEN messages. A malformed OPEN message from a previously configured BGP peer could cause bgpd to crash, causing a denial of service.

For the stable distribution (squeeze), this problem has been fixed in version 0.99.20.1-0+squeeze3.

For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 0.99.21-3.

We recommend that you upgrade your quagga packages.