Debian Security Advisory
DSA-3532-1 quagga -- security update
- Date Reported:
- 27 Mar 2016
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 819179.
In Mitre's CVE dictionary: CVE-2016-2342.
- More information:
Kostya Kortchinsky discovered a stack-based buffer overflow vulnerability in the VPNv4 NLRI parser in bgpd in quagga, a BGP/OSPF/RIP routing daemon. A remote attacker can exploit this flaw to cause a denial of service (daemon crash), or potentially, execution of arbitrary code, if bgpd is configured with BGP peers enabled for VPNv4.
For the oldstable distribution (wheezy), this problem has been fixed in version 0.99.22.4-1+wheezy2.
For the stable distribution (jessie), this problem has been fixed in version 0.99.23.1-1+deb8u1.
We recommend that you upgrade your quagga packages.