Merge frr from Debian unstable for kinetic

Bug #1971277 reported by Bryce Harrington
Affects: frr (Ubuntu)
Status: Incomplete
Importance: Undecided
Assigned to: Andreas Hasenack

Bug Description

Upstream: tbd
Debian: 8.1-1
Ubuntu: 8.1-1ubuntu1

Debian typically updates frr every 2 months on average, but it was last updated 21.11 and looks overdue. Check back in on this monthly.

Based on Upstream's release history for frr we should have expected a new upstream update around 2022.04. Presumably it could come any time now.

### New Debian Changes ###

frr (8.1-1) unstable; urgency=medium

  * New upstream release FRR 8.1
  * Upload to unstable.

 -- Ondřej Surý <email address hidden> Sat, 13 Nov 2021 13:32:48 +0100

frr (8.1-0) unstable; urgency=medium

  * New upstream release FRR 8.1

 -- Jafar Al-Gharaibeh <email address hidden> Tue, 02 Nov 2021 14:00:00 +0500

frr (8.0-0) unstable; urgency=medium

  * New upstream release FRR 8.0

 -- Martin Winter <email address hidden> Wed, 21 Jul 2021 13:42:00 +0200

frr (7.5.1-1) unstable; urgency=medium

  * Update the d/gbp.conf for 7.5.1 release
  * Use wrap-and-sort -a to unify debian/ wrapping and sorting
  * Work around the sphinx-build error that doesn't copy images to texinfo
  * Change the upstream-tag in d/gbp.conf to track the upstream tarballs

 -- Ondřej Surý <email address hidden> Mon, 08 Mar 2021 09:40:19 +0100

frr (7.5-1) unstable; urgency=medium

  * New upstream version 7.5

 -- Ondřej Surý <email address hidden> Sun, 14 Feb 2021 21:38:50 +0100

frr (7.4-2) unstable; urgency=medium

  * Bump libyang dependency to >= 1.0.184-1~
  * Make the autopkgtest more resilient (Closes: #980111)
  * Adjust the ax_python.m4 to hardcode python3.9

 -- Ondřej Surý <email address hidden> Sun, 07 Feb 2021 13:15:07 +0100

frr (7.4-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Backport upstream fix for FTBFS with Python 3.9. (Closes: #972767)

 -- Adrian Bunk <email address hidden> Thu, 21 Jan 2021 16:06:12 +0200

frr (7.4-1) unstable; urgency=medium

  [ Ondřej Surý ]
  * Use dh_installinit capabilities to install frr.tmpfile
  * Remove unused debian/watchfrr.rc file
  * Add missing lsof dependency
  * Remove mention of pkg.frr.snmp build profile from debian/README.Debian
  * Make lsb-base a hard dependency
  * Update gbp.conf for 7.4 release
  * Update and simplify d/watch
  * Change the debian source format from 3.0 (git) to 3.0 (quilt)
  * Convert the package to dh compat level 10
  * Add myself to Uploaders
  * Bump standards version to 4.5.0.2 (latest) - no change
  * Use wrap-and-sort -a to unify debian/ wrapping and sorting
  * Work around the sphinx-build error that doesn't copy images to texinfo
    (Properly closes: #955067)
  * Depend on debhelper >= 9.20160709 and drop dh-systemd dependency
    (Closes: #958626)

 -- Ondřej Surý <email address hidden> Mon, 10 Aug 2020 11:50:45 +0200

frr (7.3.1-1) unstable; urgency=medium

  [ David Lamparter ]
  * allow cross-compile with sbuild --host

  [ Ondřej Surý ]
  * Add myself to Uploaders
  * Add d/gbp.conf
  * Update changelog for 7.3.1-1~1.gbp2292a4 release
  * Change the source format from git to quilt to use git-buildpackage
  * Don't install frr-doc texinfo images, they are gone (Closes: #955067)
  * Bump the dh_compat to 10

 -- Ondřej Surý <email address hidden> Mon, 01 Jun 2020 08:41:03 +0200

frr (7.3-1) unstable; urgency=medium

  * new upstream release

 -- David Lamparter <email address hidden> Tue, 25 Feb 2020 17:45:16 +0100

frr (7.2.1-1) unstable; urgency=medium

  * new upstream release
  * daemon man pages renamed to frr-* (closes: #944392)
  * fix/improve multi-arch markers on doc
  * fix git URLs to point to debian branch

 -- David Lamparter <email address hidden> Mon, 20 Jan 2020 17:06:21 +0100

### Old Ubuntu Delta ###

frr (8.1-1ubuntu1) jammy; urgency=medium

  * SECURITY UPDATE: overflow via input packet length
    - debian/patches/CVE-2022-26125.patch: fix router capability TLV
      parsing issues in isisd/isis_tlvs.*.
    - debian/patches/disable_isisd_fuzz_test.patch: disable fuzz tests as
      the security update changed expected results in
      tests/isisd/test_fuzz_isis_tlv.py.
    - CVE-2022-26125
  * SECURITY UPDATE: overflow via use of strdup with binary string
    - debian/patches/CVE-2022-26126.patch: use base64 encoding in
      isisd/isis_nb_notifications.c, lib/base64.c, lib/base64.h,
      lib/subdir.am, lib/yang_wrappers.c, lib/yang_wrappers.h.
    - CVE-2022-26126
  * SECURITY UPDATE: overflow via missing check on the input packet length
    - debian/patches/CVE-2022-26127.patch: add check on packet length in
      babeld/message.c.
    - CVE-2022-26127
  * SECURITY UPDATE: overflow via wrong checks
    - debian/patches/CVE-2022-26128_9.patch: fix checks on length in
      babeld/message.c.
    - CVE-2022-26128
    - CVE-2022-26129

 -- Marc Deslauriers <email address hidden> Fri, 11 Mar 2022 07:33:41 -0500

Bryce Harrington (bryce)
Changed in frr (Ubuntu):
milestone: none → ubuntu-22.06
status: New → Incomplete
Bryce Harrington (bryce) wrote :

LP: #1959896 can be considered with this merge. Upstream implemented a fix for this bug which landed in git, so may be included with the release and thus can be closed during merge.

However, might want to take a closer look at the fix (https://github.com/FRRouting/frr/pull/10485) because it is changing from strncmp to strcmp. I can see how this addresses the warning, but I wonder if strncmp might be preferable to strcmp from a security POV?
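
As an added example (not part of the comment above and not code from the FRR pull request), the semantic difference behind the strncmp/strcmp question can be shown in a few lines of C. The keyword "ospf" and the function names are hypothetical; the block contrasts one common strncmp pattern, bounded by the keyword length, with strcmp and with a bounded exact comparison for data that may lack a terminator.

```c
#include <stddef.h>
#include <string.h>

/* Prefix match: bounding strncmp by the keyword length ignores any
 * trailing bytes in `input`, so "ospf6" is accepted as "ospf". */
static int match_prefix(const char *input, const char *keyword)
{
    return strncmp(input, keyword, strlen(keyword)) == 0;
}

/* Exact match: correct only when both arguments are NUL-terminated,
 * because strcmp keeps reading until it finds a terminator. */
static int match_exact(const char *input, const char *keyword)
{
    return strcmp(input, keyword) == 0;
}

/* Exact match for a length-delimited field (for example bytes taken
 * from a packet) that is not guaranteed to be NUL-terminated:
 * compare the lengths first, then the bytes, never reading past len. */
static int match_exact_bounded(const char *buf, size_t len,
                               const char *keyword)
{
    size_t klen = strlen(keyword);
    return len == klen && memcmp(buf, keyword, klen) == 0;
}

int main(void)
{
    /* Constructed sample: four bytes with no terminator. */
    const char field[4] = { 'o', 's', 'p', 'f' };
    int ok = match_prefix("ospf6", "ospf") == 1
          && match_exact("ospf6", "ospf") == 0
          && match_exact("ospf", "ospf") == 1
          && match_exact_bounded(field, sizeof field, "ospf") == 1
          && match_exact_bounded(field, 3, "ospf") == 0;
    return ok ? 0 : 1;
}
```

Which form is appropriate depends on whether the compared value is known to be NUL-terminated at that call site, which has to be checked in the code the pull request touches.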

Changed in frr (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)