Alpine Linux related: All quagga-0.99.xx packages in Alpine Linux releases up to alpine-1.9.0_alpha9

Severity: Medium
Potential loss type: Availability
Patch available: Yes

Vulnerability description:

The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote attackers to cause a denial of service (crash) via an AS path containing ASN elements whose string representation is longer than expected, which triggers an assert error.

References:

• DEBIAN: http://www.debian.org/security/2009/dsa-1788
• MLIST: http://marc.info/?l=quagga-dev&m=123364779626078&w=2
• CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526311
• XF: http://xforce.iss.net/xforce/xfdb/50317
• UBUNTU: http://www.ubuntu.com/usn/usn-775-1
• SECTRACK: http://www.securitytracker.com/id?1022164
• BID: http://www.securityfocus.com/bid/34817
• OSVDB: http://www.osvdb.org/54200
• MLIST: http://www.openwall.com/lists/oss-security/2009/05/01/2
• MLIST: http://www.openwall.com/lists/oss-security/2009/05/01/1
• MANDRIVA: http://www.mandriva.com/security/advisories?name=MDVSA-2009:109
• MISC: http://thread.gmane.org/gmane.network.quagga.devel/6513
• SECUNIA: http://secunia.com/advisories/35061
• SECUNIA: http://secunia.com/advisories/34999

(from redmine: issue id 35, created on 2009-05-21, closed on 2009-06-23)