Ubuntu

quagga security issue CVE-2012-1820

Reported by Ernest Johanson on 2012-06-26
Affects          Importance  Assigned to
quagga (Ubuntu)  Low         Unassigned
Lucid            Low         Unassigned
Natty            Low         Unassigned
Oneiric          Low         Unassigned
Precise          Low         Unassigned
Quantal          Low         Unassigned

Bug Description

Hello,

I'd like to know when the security issue reported in CVE-2012-1820 will be fixed in the Ubuntu quagga package. I'm running Ubuntu 10.04.1 LTS with quagga 0.99.20.1-0ubuntu0.10.04.2 installed. The changelog.Debian doesn't mention CVE-2012-1820. The Debian package is currently fixed: http://www.debian.org/security/2012/dsa-2497.

Thanks,

Ernie Johanson
Network Engineer
California Institute of Technology

Serge Hallyn (serge-hallyn) wrote :

Thanks for reporting this bug. Indeed it looks as though it has been fixed in quantal but not lucid, and looking at the patch it looks as though it may also be vulnerable.

Changed in quagga (Ubuntu):
importance: Undecided → High
status: New → Confirmed

Marc Deslauriers (mdeslaur) wrote :

We have rated this as a "low" severity issue, so it will only get fixed if more important vulnerabilities are discovered in Quagga. See the security team tracker:

http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1820.html

Changed in quagga (Ubuntu Quantal):
status: Confirmed → Fix Released
Changed in quagga (Ubuntu Precise):
importance: Undecided → Low
Changed in quagga (Ubuntu Quantal):
importance: High → Low
Changed in quagga (Ubuntu Oneiric):
importance: Undecided → Low
Changed in quagga (Ubuntu Natty):
importance: Undecided → Low
Changed in quagga (Ubuntu Lucid):
importance: Undecided → Low
status: New → Confirmed
Changed in quagga (Ubuntu Natty):
status: New → Confirmed
Changed in quagga (Ubuntu Oneiric):
status: New → Confirmed
Changed in quagga (Ubuntu Precise):
status: New → Confirmed
security vulnerability: no → yes

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quagga - 0.99.20.1-0ubuntu0.12.04.3

---------------
quagga (0.99.20.1-0ubuntu0.12.04.3) precise-security; urgency=low

  * SECURITY UPDATE: denial of service via malformed ORF capability TLV
    (LP: #1018052)
    - debian/patches/CVE-2012-1820.patch: correctly follow spec in
      bgpd/bgp_open.c.
    - CVE-2012-1820
 -- Marc Deslauriers <email address hidden> Thu, 11 Oct 2012 09:57:06 -0400

Changed in quagga (Ubuntu Precise):
status: Confirmed → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quagga - 0.99.20.1-0ubuntu0.10.04.3

---------------
quagga (0.99.20.1-0ubuntu0.10.04.3) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via malformed ORF capability TLV
    (LP: #1018052)
    - debian/patches/CVE-2012-1820.patch: correctly follow spec in
      bgpd/bgp_open.c.
    - CVE-2012-1820
 -- Marc Deslauriers <email address hidden> Thu, 11 Oct 2012 10:02:33 -0400

Changed in quagga (Ubuntu Lucid):
status: Confirmed → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quagga - 0.99.20.1-0ubuntu0.11.04.3

---------------
quagga (0.99.20.1-0ubuntu0.11.04.3) natty-security; urgency=low

  * SECURITY UPDATE: denial of service via malformed ORF capability TLV
    (LP: #1018052)
    - debian/patches/CVE-2012-1820.patch: correctly follow spec in
      bgpd/bgp_open.c.
    - CVE-2012-1820
 -- Marc Deslauriers <email address hidden> Thu, 11 Oct 2012 10:01:33 -0400

Changed in quagga (Ubuntu Natty):
status: Confirmed → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quagga - 0.99.20.1-0ubuntu0.11.10.3

---------------
quagga (0.99.20.1-0ubuntu0.11.10.3) oneiric-security; urgency=low

  * SECURITY UPDATE: denial of service via malformed ORF capability TLV
    (LP: #1018052)
    - debian/patches/CVE-2012-1820.patch: correctly follow spec in
      bgpd/bgp_open.c.
    - CVE-2012-1820
 -- Marc Deslauriers <email address hidden> Thu, 11 Oct 2012 10:00:32 -0400

Changed in quagga (Ubuntu Oneiric):
status: Confirmed → Fix Released

This report contains Public Security information
Everyone can see this security related information.