Debian Security Advisory
DSA-3654-1 quagga -- security update
- Date Reported:
- 26 Aug 2016
- Affected Packages:
- quagga
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 822787, Bug 835223.
In Mitre's CVE dictionary: CVE-2016-4036, CVE-2016-4049, CVE-2016-4036, CVE-2016-4049. - More information:
-
Two vulnerabilities were discovered in quagga, a BGP/OSPF/RIP routing daemon.
- CVE-2016-4036
Tamás Németh discovered that sensitive configuration files in /etc/quagga were world-readable despite containing sensitive information.
- CVE-2016-4049
Evgeny Uskov discovered that a bgpd instance handling many peers could be crashed by a malicious user when requesting a route dump.
For the stable distribution (jessie), these problems have been fixed in version 0.99.23.1-1+deb8u2.
We recommend that you upgrade your quagga packages.
- CVE-2016-4036