Debian Security Advisory

DSA-3532-1 quagga -- security update

Date Reported:
27 Mar 2016
Affected Packages:
quagga
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 819179.
In Mitre's CVE dictionary: CVE-2016-2342.
More information:

Kostya Kortchinsky discovered a stack-based buffer overflow vulnerability in the VPNv4 NLRI parser in bgpd in quagga, a BGP/OSPF/RIP routing daemon. A remote attacker can exploit this flaw to cause a denial of service (daemon crash), or potentially, execution of arbitrary code, if bgpd is configured with BGP peers enabled for VPNv4.

For the oldstable distribution (wheezy), this problem has been fixed in version 0.99.22.4-1+wheezy2.

For the stable distribution (jessie), this problem has been fixed in version 0.99.23.1-1+deb8u1.

We recommend that you upgrade your quagga packages.