Ubuntu
frr package

Merge frr from Debian unstable for oracular

Bug #2064404 reported by Bryce Harrington
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
frr (Ubuntu)
New
Undecided
Andreas Hasenack
Ubuntu ubuntu-24.07

Bug Description

Upstream: tbd
Debian: 10.0-1
Ubuntu: 8.4.4-1.1ubuntu6

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.

If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.

If this merge pulls in a new upstream version, also consider adding an entry to the Oracular Release Notes: https://discourse.ubuntu.com/c/release/38

### New Debian Changes ###

frr (10.0-1) unstable; urgency=medium

  * IRDP module is no longer packaged (slated to be removed upstream)
  * added mkdir+chown /var/lib/frr which is now used by FRR
  * sysconfdir and localstatedir configure args are no longer needed
  * NB: refer to never-released 8.5.2-1 changes below!
  * Link libatomic unconditionally (closes: #1067077)
  * known to not build on hppa due to struct.calcsize python exception

 -- David Lamparter <email address hidden> Tue, 30 Apr 2024 19:36:44 +0200

frr (10.0-0.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Linking with atomic like armel to fix FTBFS.

 -- Daniel Baumann <email address hidden> Sat, 27 Apr 2024 07:44:24 +0200

frr (10.0-0.1) unstable; urgency=medium

  * Non-maintainer upload.
  * New upstream release.
  * Bumping libyang2 build-depends to required version.
  * Removing CVE-2024-27913.patch, included upstream.
  * Adding now explicit configure flag to keep enabled building zebra_irdp.

 -- Daniel Baumann <email address hidden> Sat, 27 Apr 2024 05:46:52 +0200

frr (9.1-0.1) unstable; urgency=high

  * Non-maintainer upload.
  * New upstream release (Closes: #1042473, #1055852):
    - CVE-2023-3748: parsing certain babeld unicast hello messages that are
      intended to be ignored. This issue may allow an attacker to send specially
      crafted hello messages with the unicast flag set, the interval field set
      to 0, or any TLV that contains a sub-TLV with the Mandatory flag set to
      enter an infinite loop and cause a denial of service.
    - CVE-2023-38407: bgpd/bgp_label.c attempts to read beyond the end of the
      stream during labeled unicast parsing.
    - CVE-2023-41361: bgpd/bgp_open.c does not check for an overly large
      length of the rcv software version.
    - CVE-2023-46752: It mishandles malformed MP_REACH_NLRI data, leading to a
      crash.
    - CVE-2023-46753: A crash can occur for a crafted BGP UPDATE message
      without mandatory attributes, e.g., one with only an unknown transit
      attribute.
    - CVE-2023-47234: A crash can occur when processing a crafted BGP UPDATE
      message with a MP_UNREACH_NLRI attribute and additional NLRI data (that
      lacks mandatory path attributes).
    - CVE-2023-47235: A crash can occur when a malformed BGP UPDATE message
      with an EOR is processed, because the presence of EOR does not lead to a
      treat-as-withdraw outcome.
  * Updating patches:
    - removing CVE-2023-38802.patch, included upstream.
    - removing CVE-2023-41358.patch, included upstream.
    - removing CVE-2023-41360.patch, included upstream.
    - removing unapplied CVE-2023-41361.patch, included upstream.
    - adding CVE-2024-27913.patch from upstream:
      ospf_te_parse_te in ospfd/ospf_te.c allows remote attackers to cause a
      denial of service (ospfd daemon crash) via a malformed OSPF LSA packet,
      because of an attempted access to a missing attribute field (Closes:
      #1065144).
  * Updating build-depends:
    - adding now required protobuf-c-compiler to build-depends.
    - adding now required libprotobuf-c-dev to build-depends.
    - adding new libmgmt_be_nb.so to frr.install.
    - removing obsolete lsb-base.
    - prefering new pkgconf over old pkg-config.
  * Updating override_dh_auto_clean to fix FTBFS when built twice in a row
    (Closes: #1044470):
    - call dh_auto_clean which is safe to run now.
    - remove tests/.pytest_cache.
  * Removing obsolete doc-base.

 -- Daniel Baumann <email address hidden> Fri, 08 Mar 2024 23:21:21 +0100

frr (8.5.2-1) UNRELEASED; urgency=medium

  * new upstream release FRR 8.5.2
  * cleaned up outdated debian/README files
  * build against libunwind. Results in better backtraces captured for both
    crashes and non-crash deviations from expected operations.
    (libunwind is used automatically if present, this also fixes an
    uncontrolled build environment influence on the result binaries by always
    requiring it.)
  * this version was never uploaded to Debian, the changelog entry is here for
    reference.

 -- David Lamparter <email address hidden> Sat, 15 Jul 2023 08:33:59 -0700

frr (8.4.4-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Upstream fixes for CVE-2023-38802, CVE-2023-41358, CVE-2023-41360

 -- Aron Xu <email address hidden> Fri, 01 Sep 2023 16:57:41 +0800

frr (8.4.4-1) unstable; urgency=medium

  * new upstream release FRR 8.4.4

### Old Ubuntu Delta ###

frr (8.4.4-1.1ubuntu6) noble; urgency=medium

  * No-change rebuild for c-ares t64.

 -- Matthias Klose <email address hidden> Tue, 16 Apr 2024 11:56:13 +0200

frr (8.4.4-1.1ubuntu5) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <email address hidden> Sun, 31 Mar 2024 05:25:32 +0000

frr (8.4.4-1.1ubuntu4) noble; urgency=medium

  * SECURITY UPDATE: DoS via malformed OSPF LSA packet
    - debian/patches/CVE-2024-27913.patch: solved crash in OSPF TE parsing
      in ospfd/ospf_te.c.
    - CVE-2024-27913

 -- Marc Deslauriers <email address hidden> Tue, 05 Mar 2024 08:25:28 -0500

frr (8.4.4-1.1ubuntu3) noble; urgency=medium

  * SECURITY UPDATE: read beyond stream during labeled unicast parsing
    - debian/patches/CVE-2023-38407.patch: fix use beyond end of stream of
      labeled unicast parsing in bgpd/bgp_label.c.
    - CVE-2023-38407
  * SECURITY UPDATE: crash via MP_UNREACH_NLRI attribute
    - debian/patches/CVE-2023-47234.patch: ignore handling NLRIs if we
      received MP_UNREACH_NLRI in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
      bgpd/bgp_packet.c.
    - CVE-2023-47234
  * SECURITY UPDATE: crash via malformed BGP UPDATE message
    - debian/patches/CVE-2023-47235.patch: treat EOR as withdrawn to avoid
      unwanted handling of malformed attrs in bgpd/bgp_attr.c.
    - CVE-2023-47235

 -- Marc Deslauriers <email address hidden> Thu, 16 Nov 2023 09:19:43 -0500

frr (8.4.4-1.1ubuntu2) noble; urgency=medium

  * SECURITY UPDATE: DoS via MP_REACH_NLRI data
    - debian/patches/CVE-2023-46752.patch: handle MP_REACH_NLRI malformed
      packets with session reset in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
      bgpd/bgp_packet.c.
    - CVE-2023-46752
  * SECURITY UPDATE: DoS via BGP UPDATE without mandatory attributes
    - debian/patches/CVE-2023-46753.patch: check mandatory attributes more
      carefully for UPDATE message in bgpd/bgp_attr.c.
    - CVE-2023-46753

 -- Marc Deslauriers <email address hidden> Wed, 01 Nov 2023 14:12:59 -0400

frr (8.4.4-1.1ubuntu1) mantic; urgency=medium

  * Merge with Debian unstable (LP: #2033921). Remaining changes:
    - Fix logging with Ubuntu's unprivileged rsyslog (LP #1958162):
      + d/frr.postinst: change log files ownership
      + d/frr.logrotate: change rotated log file ownership

 -- Andreas Hasenack <email address hidden> Fri, 01 Sep 2023 15:15:39 -0300

Bryce Harrington (bryce)
Changed in frr (Ubuntu):
milestone: none → ubuntu-24.07
Andreas Hasenack (ahasenack)
Changed in frr (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.