[ubuntu/noble-proposed] frr 8.4.4-1.1ubuntu3 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Thu Nov 16 14:44:13 UTC 2023 

frr (8.4.4-1.1ubuntu3) noble; urgency=medium

  * SECURITY UPDATE: read beyond stream during labeled unicast parsing
    - debian/patches/CVE-2023-38407.patch: fix use beyond end of stream of
      labeled unicast parsing in bgpd/bgp_label.c.
    - CVE-2023-38407
  * SECURITY UPDATE: crash via MP_UNREACH_NLRI attribute
    - debian/patches/CVE-2023-47234.patch: ignore handling NLRIs if we
      received MP_UNREACH_NLRI in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
      bgpd/bgp_packet.c.
    - CVE-2023-47234
  * SECURITY UPDATE: crash via malformed BGP UPDATE message
    - debian/patches/CVE-2023-47235.patch: treat EOR as withdrawn to avoid
      unwanted handling of malformed attrs in bgpd/bgp_attr.c.
    - CVE-2023-47235

Date: Thu, 16 Nov 2023 09:19:43 -0500
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/frr/8.4.4-1.1ubuntu3
-------------- next part --------------
Format: 1.8
Date: Thu, 16 Nov 2023 09:19:43 -0500
Source: frr
Built-For-Profiles: noudeb
Architecture: source
Version: 8.4.4-1.1ubuntu3
Distribution: noble
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Changes:
 frr (8.4.4-1.1ubuntu3) noble; urgency=medium
 .
   * SECURITY UPDATE: read beyond stream during labeled unicast parsing
     - debian/patches/CVE-2023-38407.patch: fix use beyond end of stream of
       labeled unicast parsing in bgpd/bgp_label.c.
     - CVE-2023-38407
   * SECURITY UPDATE: crash via MP_UNREACH_NLRI attribute
     - debian/patches/CVE-2023-47234.patch: ignore handling NLRIs if we
       received MP_UNREACH_NLRI in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
       bgpd/bgp_packet.c.
     - CVE-2023-47234
   * SECURITY UPDATE: crash via malformed BGP UPDATE message
     - debian/patches/CVE-2023-47235.patch: treat EOR as withdrawn to avoid
       unwanted handling of malformed attrs in bgpd/bgp_attr.c.
     - CVE-2023-47235
Checksums-Sha1:
 2c9ee0defc7ba49ccbca6f99397039c321872d40 2815 frr_8.4.4-1.1ubuntu3.dsc
 42ba9e48150a06d8b67a8359d70350eb39a06d0d 40236 frr_8.4.4-1.1ubuntu3.debian.tar.xz
 9152e994ff81423396694c868973f95576b84bd1 9669 frr_8.4.4-1.1ubuntu3_source.buildinfo
Checksums-Sha256:
 c8045c9c7011c774146ddf9c495fc33dec91910b9018fb88fb1e6cd7f1b9732a 2815 frr_8.4.4-1.1ubuntu3.dsc
 7d5275ecc56cbb98e9533b91c71618c388c723491672087bc43d8fc1d7a18748 40236 frr_8.4.4-1.1ubuntu3.debian.tar.xz
 5c74b8e2a762886f0948d94e31343e25ddf7d5c1ef4240eec48837486fa9e623 9669 frr_8.4.4-1.1ubuntu3_source.buildinfo
Files:
 72a5412011a07b0068af2a65fccee581 2815 net optional frr_8.4.4-1.1ubuntu3.dsc
 e1d3667c7bee5e85572852ba50aa696d 40236 net optional frr_8.4.4-1.1ubuntu3.debian.tar.xz
 97595d4f7e2b867e7121dc87ae3aa374 9669 net optional frr_8.4.4-1.1ubuntu3_source.buildinfo
Original-Maintainer: David Lamparter <equinox-debian at diac24.net>

More information about the noble-changes mailing list