Quagga Autonomous System Number Remote Denial Of Service Vulnerability (#35) · Issues · alpine / aports

Quagga Autonomous System Number Remote Denial Of Service Vulnerability

Alpine Linux related: All quagga-0.99.xx packages in Alpine Linux releases up to alpine-1.9.0_alpha9

Severity: Medium
Potential loss type: Availability
Patch available: Yes

Vulnerability description:

The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote attackers to cause a denial of service (crash) via an AS path containing ASN elements whose string representation is longer than expected, which triggers an assert error.

References:

DEBIAN: http://www.debian.org/security/2009/dsa-1788
MLIST: http://marc.info/?l=quagga-dev&m=123364779626078&w=2
CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526311
XF: http://xforce.iss.net/xforce/xfdb/50317
UBUNTU: http://www.ubuntu.com/usn/usn-775-1
SECTRACK: http://www.securitytracker.com/id?1022164
BID: http://www.securityfocus.com/bid/34817
OSVDB: http://www.osvdb.org/54200
MLIST: http://www.openwall.com/lists/oss-security/2009/05/01/2
MLIST: http://www.openwall.com/lists/oss-security/2009/05/01/1
MANDRIVA: http://www.mandriva.com/security/advisories?name=MDVSA-2009:109
MISC: http://thread.gmane.org/gmane.network.quagga.devel/6513
SECUNIA: http://secunia.com/advisories/35061
SECUNIA: http://secunia.com/advisories/34999

(from redmine: issue id 35, created on 2009-05-21, closed on 2009-06-23)

**Alpine Linux related**: All *quagga-0.99.xx* packages in Alpine Linux
releases up to *alpine-1.9.0\_alpha9*

**Severity**: Medium  
**Potential loss type**: Availability  
**Patch available**: Yes

**Vulnerability description**:  
>The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote
attackers to cause a denial of service (crash) via an AS path containing
ASN elements whose string representation is longer than expected, which
triggers an assert error.

**References**:

-   DEBIAN: http://www.debian.org/security/2009/dsa-1788
-   MLIST: http://marc.info/?l=quagga-dev&m=123364779626078&w=2
-   CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526311
-   XF: http://xforce.iss.net/xforce/xfdb/50317
-   UBUNTU: http://www.ubuntu.com/usn/usn-775-1
-   SECTRACK: http://www.securitytracker.com/id?1022164
-   BID: http://www.securityfocus.com/bid/34817
-   OSVDB: http://www.osvdb.org/54200
-   MLIST: http://www.openwall.com/lists/oss-security/2009/05/01/2
-   MLIST: http://www.openwall.com/lists/oss-security/2009/05/01/1
-   MANDRIVA:
    http://www.mandriva.com/security/advisories?name=MDVSA-2009:109
-   MISC: http://thread.gmane.org/gmane.network.quagga.devel/6513
-   SECUNIA: http://secunia.com/advisories/35061
-   SECUNIA: http://secunia.com/advisories/34999

*(from redmine: issue id 35, created on 2009-05-21, closed on 2009-06-23)*

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information