Debian Security Advisory

DSA-3654-1 quagga -- security update

Date Reported:
26 Aug 2016
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 822787, Bug 835223.
In Mitre's CVE dictionary: CVE-2016-4036, CVE-2016-4049, CVE-2016-4036, CVE-2016-4049.
More information:

Two vulnerabilities were discovered in quagga, a BGP/OSPF/RIP routing daemon.

  • CVE-2016-4036

    Tamás Németh discovered that sensitive configuration files in /etc/quagga were world-readable despite containing sensitive information.

  • CVE-2016-4049

    Evgeny Uskov discovered that a bgpd instance handling many peers could be crashed by a malicious user when requesting a route dump.

For the stable distribution (jessie), these problems have been fixed in version

We recommend that you upgrade your quagga packages.