Merge frr from Debian unstable for oracular
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
frr (Ubuntu) | Fix Released | Undecided | Andreas Hasenack |
Bug Description
Upstream: tbd
Debian: 10.0-1
Ubuntu: 8.4.4-1.1ubuntu6
Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.
If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.
If this merge pulls in a new upstream version, also consider adding an entry to the Oracular Release Notes: https:/
### New Debian Changes ###
frr (10.0-1) unstable; urgency=medium
* IRDP module is no longer packaged (slated to be removed upstream)
* added mkdir+chown /var/lib/frr which is now used by FRR
* sysconfdir and localstatedir configure args are no longer needed
* NB: refer to never-released 8.5.2-1 changes below!
* Link libatomic unconditionally (closes: #1067077)
* known to not build on hppa due to struct.calcsize python exception
-- David Lamparter <email address hidden> Tue, 30 Apr 2024 19:36:44 +0200
frr (10.0-0.2) unstable; urgency=medium
* Non-maintainer upload.
* Linking with atomic like armel to fix FTBFS.
-- Daniel Baumann <email address hidden> Sat, 27 Apr 2024 07:44:24 +0200
frr (10.0-0.1) unstable; urgency=medium
* Non-maintainer upload.
* New upstream release.
* Bumping libyang2 build-depends to required version.
* Removing CVE-2024-
* Adding now explicit configure flag to keep enabled building zebra_irdp.
-- Daniel Baumann <email address hidden> Sat, 27 Apr 2024 05:46:52 +0200
frr (9.1-0.1) unstable; urgency=high
* Non-maintainer upload.
* New upstream release (Closes: #1042473, #1055852):
- CVE-2023-3748: parsing certain babeld unicast hello messages that are
intended to be ignored. This issue may allow an attacker to send specially
crafted hello messages with the unicast flag set, the interval field set
to 0, or any TLV that contains a sub-TLV with the Mandatory flag set to
enter an infinite loop and cause a denial of service.
- CVE-2023-38407: bgpd/bgp_label.c attempts to read beyond the end of the
stream during labeled unicast parsing.
- CVE-2023-41361: bgpd/bgp_open.c does not check for an overly large
length of the rcv software version.
- CVE-2023-46752: It mishandles malformed MP_REACH_NLRI data, leading to a
crash.
- CVE-2023-46753: A crash can occur for a crafted BGP UPDATE message
without mandatory attributes, e.g., one with only an unknown transit
attribute.
- CVE-2023-47234: A crash can occur when processing a crafted BGP UPDATE
message with a MP_UNREACH_NLRI attribute and additional NLRI data (that
lacks mandatory path attributes).
- CVE-2023-47235: A crash can occur when a malformed BGP UPDATE message
with an EOR is processed, because the presence of EOR does not lead to a
treat-
* Updating patches:
- removing CVE-2023-
- removing CVE-2023-
- removing CVE-2023-
- removing unapplied CVE-2023-
- adding CVE-2024-
ospf_
denial of service (ospfd daemon crash) via a malformed OSPF LSA packet,
because of an attempted access to a missing attribute field (Closes:
#1065144).
* Updating build-depends:
- adding now required protobuf-c-compiler to build-depends.
- adding now required libprotobuf-c-dev to build-depends.
- adding new libmgmt_be_nb.so to frr.install.
- removing obsolete lsb-base.
- preferring new pkgconf over old pkg-config.
* Updating override_
(Closes: #1044470):
- call dh_auto_clean which is safe to run now.
- remove tests/.
* Removing obsolete doc-base.
-- Daniel Baumann <email address hidden> Fri, 08 Mar 2024 23:21:21 +0100
frr (8.5.2-1) UNRELEASED; urgency=medium
* new upstream release FRR 8.5.2
* cleaned up outdated debian/README files
* build against libunwind. Results in better backtraces captured for both
crashes and non-crash deviations from expected operations.
(libunwind is used automatically if present, this also fixes an
uncontrolled build environment influence on the result binaries by always
requiring it.)
* this version was never uploaded to Debian, the changelog entry is here for
reference.
-- David Lamparter <email address hidden> Sat, 15 Jul 2023 08:33:59 -0700
frr (8.4.4-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Upstream fixes for CVE-2023-38802, CVE-2023-41358, CVE-2023-41360
-- Aron Xu <email address hidden> Fri, 01 Sep 2023 16:57:41 +0800
frr (8.4.4-1) unstable; urgency=medium
* new upstream release FRR 8.4.4
### Old Ubuntu Delta ###
frr (8.4.4-1.1ubuntu6) noble; urgency=medium
* No-change rebuild for c-ares t64.
-- Matthias Klose <email address hidden> Tue, 16 Apr 2024 11:56:13 +0200
frr (8.4.4-1.1ubuntu5) noble; urgency=medium
* No-change rebuild for CVE-2024-3094
-- Steve Langasek <email address hidden> Sun, 31 Mar 2024 05:25:32 +0000
frr (8.4.4-1.1ubuntu4) noble; urgency=medium
* SECURITY UPDATE: DoS via malformed OSPF LSA packet
- debian/patches/CVE-2024-27913.patch: solved crash in OSPF TE parsing
in ospfd/ospf_te.c.
- CVE-2024-27913
-- Marc Deslauriers <email address hidden> Tue, 05 Mar 2024 08:25:28 -0500
frr (8.4.4-1.1ubuntu3) noble; urgency=medium
* SECURITY UPDATE: read beyond stream during labeled unicast parsing
- debian/patches/CVE-2023-38407.patch: fix use beyond end of stream of
labeled unicast parsing in bgpd/bgp_label.c.
- CVE-2023-38407
* SECURITY UPDATE: crash via MP_UNREACH_NLRI attribute
- debian/patches/CVE-2023-47234.patch: ignore handling NLRIs if we
received MP_UNREACH_NLRI in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
bgpd/bgp_packet.c.
- CVE-2023-47234
* SECURITY UPDATE: crash via malformed BGP UPDATE message
- debian/patches/CVE-2023-47235.patch: treat EOR as withdrawn to avoid
unwanted handling of malformed attrs in bgpd/bgp_attr.c.
- CVE-2023-47235
-- Marc Deslauriers <email address hidden> Thu, 16 Nov 2023 09:19:43 -0500
frr (8.4.4-1.1ubuntu2) noble; urgency=medium
* SECURITY UPDATE: DoS via MP_REACH_NLRI data
- debian/patches/CVE-2023-46752.patch: handle MP_REACH_NLRI malformed
packets with session reset in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
bgpd/bgp_packet.c.
- CVE-2023-46752
* SECURITY UPDATE: DoS via BGP UPDATE without mandatory attributes
- debian/patches/CVE-2023-46753.patch: check mandatory attributes more
carefully for UPDATE message in bgpd/bgp_attr.c.
- CVE-2023-46753
-- Marc Deslauriers <email address hidden> Wed, 01 Nov 2023 14:12:59 -0400
frr (8.4.4-1.1ubuntu1) mantic; urgency=medium
* Merge with Debian unstable (LP: #2033921). Remaining changes:
- Fix logging with Ubuntu's unprivileged rsyslog (LP #1958162):
+ d/frr.postinst: change log files ownership
+ d/frr.logrotate: change rotated log file ownership
-- Andreas Hasenack <email address hidden> Fri, 01 Sep 2023 15:15:39 -0300
Related branches
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 349 lines (+263/-3), 4 files modified:
- debian/changelog (+234/-0)
- debian/control (+2/-1)
- debian/frr.logrotate (+1/-1)
- debian/frr.postinst (+26/-1)
Changed in frr (Ubuntu): milestone: none → ubuntu-24.07
Changed in frr (Ubuntu): assignee: nobody → Andreas Hasenack (ahasenack)
Changed in frr (Ubuntu): status: New → In Progress
This bug was fixed in the package frr - 10.0.1-0.1ubuntu1
---------------
frr (10.0.1-0.1ubuntu1) oracular; urgency=medium
* Merge with Debian unstable (LP: #2064404). Remaining changes:
- Fix logging with Ubuntu's unprivileged rsyslog (LP #1958162):
+ d/frr.postinst: change log files ownership
+ d/frr.logrotate: change rotated log file ownership
* Dropped security patches included upstream:
- SECURITY UPDATE: DoS via MP_REACH_NLRI data
+ debian/patches/CVE-2023-46752.patch: handle MP_REACH_NLRI malformed
packets with session reset in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
bgpd/bgp_packet.c.
+ CVE-2023-46752
- SECURITY UPDATE: DoS via BGP UPDATE without mandatory attributes
+ debian/patches/CVE-2023-46753.patch: check mandatory attributes more
carefully for UPDATE message in bgpd/bgp_attr.c.
+ CVE-2023-46753
- SECURITY UPDATE: read beyond stream during labeled unicast parsing
+ debian/patches/CVE-2023-38407.patch: fix use beyond end of stream of
labeled unicast parsing in bgpd/bgp_label.c.
+ CVE-2023-38407
- SECURITY UPDATE: crash via malformed BGP UPDATE message
+ debian/patches/CVE-2023-47235.patch: treat EOR as withdrawn to avoid
unwanted handling of malformed attrs in bgpd/bgp_attr.c.
+ CVE-2023-47235
- SECURITY UPDATE: crash via MP_UNREACH_NLRI attribute
+ debian/patches/CVE-2023-47234.patch: ignore handling NLRIs if we
received MP_UNREACH_NLRI in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
bgpd/bgp_packet.c.
+ CVE-2023-47234
- SECURITY UPDATE: DoS via malformed OSPF LSA packet
+ debian/patches/CVE-2024-27913.patch: solved crash in OSPF TE parsing
in ospfd/ospf_te.c.
+ CVE-2024-27913
-- Andreas Hasenack <email address hidden> Mon, 29 Jul 2024 09:49:25 -0300