[ubuntu/lunar-proposed] frr 8.4.1-2ubuntu1 (Accepted)

Andreas Hasenack andreas at canonical.com
Wed Jan 11 12:27:23 UTC 2023


frr (8.4.1-2ubuntu1) lunar; urgency=medium

  * Merge with Debian unstable (LP: #1993401). Remaining changes:
    - Fix logging with Ubuntu's unprivileged rsyslog (LP #1958162):
      + d/frr.postinst: change log files ownership
      + d/frr.logrotate: change rotated log file ownership
  * Dropped (fixed upstream):
    - SECURITY UPDATE: overflow via input packet length
      + debian/patches/CVE-2022-26125.patch: fix router capability TLV
        parsing issues in isisd/isis_tlvs.*.
      + debian/patches/disable_isisd_fuzz_test.patch: disable fuzz tests as
        the security update changed expected results in
        tests/isisd/test_fuzz_isis_tlv.py.
      + CVE-2022-26125
    - SECURITY UPDATE: overflow via use of strdup with binary string
      + debian/patches/CVE-2022-26126.patch: use base64 encoding in
        isisd/isis_nb_notifications.c, lib/base64.c, lib/base64.h,
        lib/subdir.am, lib/yang_wrappers.c, lib/yang_wrappers.h.
      + CVE-2022-26126
    - SECURITY UPDATE: overflow via missing check on the input packet length
      + debian/patches/CVE-2022-26127.patch: add check on packet length in
        babeld/message.c.
      + CVE-2022-26127
    - SECURITY UPDATE: overflow via wrong checks
      + debian/patches/CVE-2022-26128_9.patch: fix checks on length in
        babeld/message.c.
      + CVE-2022-26128
      + CVE-2022-26129
    - SECURITY UPDATE: DoS via out-of-bounds read
      + debian/patches/CVE-2022-37032.patch: make sure hdr length is at a
        minimum of what is expected in bgpd/bgp_packet.c.
      + CVE-2022-37032
    - SECURITY UPDATE: use-after-free due to a race condition
      + debian/patches/CVE-2022-37035.patch: avoid notify race between io and
        main pthreads in bgpd/bgp_io.c, bgpd/bgp_packet.c, bgpd/bgp_packet.h.
      + CVE-2022-37035

Date: Sun, 08 Jan 2023 17:57:05 -0300
Changed-By: Andreas Hasenack <andreas at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/frr/8.4.1-2ubuntu1
-------------- next part --------------
Format: 1.8
Date: Sun, 08 Jan 2023 17:57:05 -0300
Source: frr
Built-For-Profiles: noudeb
Architecture: source
Version: 8.4.1-2ubuntu1
Distribution: lunar
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Andreas Hasenack <andreas at canonical.com>
Launchpad-Bugs-Fixed: 1993401
Changes:
 frr (8.4.1-2ubuntu1) lunar; urgency=medium
 .
   * Merge with Debian unstable (LP: #1993401). Remaining changes:
     - Fix logging with Ubuntu's unprivileged rsyslog (LP #1958162):
       + d/frr.postinst: change log files ownership
       + d/frr.logrotate: change rotated log file ownership
   * Dropped (fixed upstream):
     - SECURITY UPDATE: overflow via input packet length
       + debian/patches/CVE-2022-26125.patch: fix router capability TLV
         parsing issues in isisd/isis_tlvs.*.
       + debian/patches/disable_isisd_fuzz_test.patch: disable fuzz tests as
         the security update changed expected results in
         tests/isisd/test_fuzz_isis_tlv.py.
       + CVE-2022-26125
     - SECURITY UPDATE: overflow via use of strdup with binary string
       + debian/patches/CVE-2022-26126.patch: use base64 encoding in
         isisd/isis_nb_notifications.c, lib/base64.c, lib/base64.h,
         lib/subdir.am, lib/yang_wrappers.c, lib/yang_wrappers.h.
       + CVE-2022-26126
     - SECURITY UPDATE: overflow via missing check on the input packet length
       + debian/patches/CVE-2022-26127.patch: add check on packet length in
         babeld/message.c.
       + CVE-2022-26127
     - SECURITY UPDATE: overflow via wrong checks
       + debian/patches/CVE-2022-26128_9.patch: fix checks on length in
         babeld/message.c.
       + CVE-2022-26128
       + CVE-2022-26129
     - SECURITY UPDATE: DoS via out-of-bounds read
       + debian/patches/CVE-2022-37032.patch: make sure hdr length is at a
         minimum of what is expected in bgpd/bgp_packet.c.
       + CVE-2022-37032
     - SECURITY UPDATE: use-after-free due to a race condition
       + debian/patches/CVE-2022-37035.patch: avoid notify race between io and
         main pthreads in bgpd/bgp_io.c, bgpd/bgp_packet.c, bgpd/bgp_packet.h.
       + CVE-2022-37035
Checksums-Sha1:
 2daef293eab2574bf93d65000a2cbb141483a686 2807 frr_8.4.1-2ubuntu1.dsc
 472086fd79f54133334154414886adab471ae0e0 7294592 frr_8.4.1.orig.tar.xz
 3d49624c59e367ecef29efbc615b50260864ae5b 33904 frr_8.4.1-2ubuntu1.debian.tar.xz
 93513093e18d31da47378cf9fcdba1115371bc83 8395 frr_8.4.1-2ubuntu1_source.buildinfo
Checksums-Sha256:
 3c12bccd327774dd3f13baacb6bbd35be819b4ad32a6e5b0f23b7b16fbe08a8c 2807 frr_8.4.1-2ubuntu1.dsc
 cfce29dbb52817c2185861152a262e48b33beba8a21e3f4cbfb9153822e433bf 7294592 frr_8.4.1.orig.tar.xz
 d7a65d76bc0fa7fe8f7c8a99b9a6b943dd74655a4f2fe02ebad665b3cfeb61d8 33904 frr_8.4.1-2ubuntu1.debian.tar.xz
 56148fc9982c286aeb8f5688facb31e38e34fec8d12213642bd55d4035ce1f3b 8395 frr_8.4.1-2ubuntu1_source.buildinfo
Files:
 9b3c97c504c80cdab5b7b8f6b4f381fc 2807 net optional frr_8.4.1-2ubuntu1.dsc
 fe4024888b8129dacceb07cb5ec17012 7294592 net optional frr_8.4.1.orig.tar.xz
 8106312d5a41b827467e941ae0adce1d 33904 net optional frr_8.4.1-2ubuntu1.debian.tar.xz
 6adeb38b17e8dde9c66cc3fe1d8c2a2e 8395 net optional frr_8.4.1-2ubuntu1_source.buildinfo
Original-Maintainer: David Lamparter <equinox-debian at diac24.net>
Vcs-Git: https://git.launchpad.net/~ahasenack/ubuntu/+source/frr
Vcs-Git-Commit: b56bfcd32351e1ffb4c00a53a0802af05a7e5109
Vcs-Git-Ref: refs/heads/lunar-frr-merge-841