quagga security issue CVE-2012-1820

Bug #1018052 reported by Ernest Johanson
This bug affects 1 person
Affects          Status        Importance  Assigned to  Milestone
quagga (Ubuntu)  Fix Released  Low         Unassigned
Lucid            Fix Released  Low         Unassigned
Natty            Fix Released  Low         Unassigned
Oneiric          Fix Released  Low         Unassigned
Precise          Fix Released  Low         Unassigned
Quantal          Fix Released  Low         Unassigned

Bug Description

Hello,

I'd like to know when the security issue reported in CVE-2012-1820 will be fixed in the Ubuntu quagga package. I'm running Ubuntu 10.04.1 LTS with quagga 0.99.20.1-0ubuntu0.10.04.2 installed. The changelog.Debian doesn't mention CVE-2012-1820. The Debian package is currently fixed: http://www.debian.org/security/2012/dsa-2497.

Thanks,

Ernie Johanson
Network Engineer
California Institute of Technology

Serge Hallyn (serge-hallyn) wrote :

Thanks for reporting this bug. Indeed it looks as though it has been fixed in quantal but not lucid, and looking at the patch it looks as though it may also be vulnerable.

Changed in quagga (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

We have rated this as a "low" severity issue, so it will only get fixed if more important vulnerabilities are discovered in Quagga. See the security team tracker:

http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1820.html

Changed in quagga (Ubuntu Quantal):
status: Confirmed → Fix Released
Changed in quagga (Ubuntu Precise):
importance: Undecided → Low
Changed in quagga (Ubuntu Quantal):
importance: High → Low
Changed in quagga (Ubuntu Oneiric):
importance: Undecided → Low
Changed in quagga (Ubuntu Natty):
importance: Undecided → Low
Changed in quagga (Ubuntu Lucid):
importance: Undecided → Low
status: New → Confirmed
Changed in quagga (Ubuntu Natty):
status: New → Confirmed
Changed in quagga (Ubuntu Oneiric):
status: New → Confirmed
Changed in quagga (Ubuntu Precise):
status: New → Confirmed
security vulnerability: no → yes
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quagga - 0.99.20.1-0ubuntu0.12.04.3

---------------
quagga (0.99.20.1-0ubuntu0.12.04.3) precise-security; urgency=low

  * SECURITY UPDATE: denial of service via malformed ORF capability TLV
    (LP: #1018052)
    - debian/patches/CVE-2012-1820.patch: correctly follow spec in
      bgpd/bgp_open.c.
    - CVE-2012-1820
 -- Marc Deslauriers <email address hidden> Thu, 11 Oct 2012 09:57:06 -0400

Changed in quagga (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quagga - 0.99.20.1-0ubuntu0.10.04.3

---------------
quagga (0.99.20.1-0ubuntu0.10.04.3) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via malformed ORF capability TLV
    (LP: #1018052)
    - debian/patches/CVE-2012-1820.patch: correctly follow spec in
      bgpd/bgp_open.c.
    - CVE-2012-1820
 -- Marc Deslauriers <email address hidden> Thu, 11 Oct 2012 10:02:33 -0400

Changed in quagga (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quagga - 0.99.20.1-0ubuntu0.11.04.3

---------------
quagga (0.99.20.1-0ubuntu0.11.04.3) natty-security; urgency=low

  * SECURITY UPDATE: denial of service via malformed ORF capability TLV
    (LP: #1018052)
    - debian/patches/CVE-2012-1820.patch: correctly follow spec in
      bgpd/bgp_open.c.
    - CVE-2012-1820
 -- Marc Deslauriers <email address hidden> Thu, 11 Oct 2012 10:01:33 -0400

Changed in quagga (Ubuntu Natty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quagga - 0.99.20.1-0ubuntu0.11.10.3

---------------
quagga (0.99.20.1-0ubuntu0.11.10.3) oneiric-security; urgency=low

  * SECURITY UPDATE: denial of service via malformed ORF capability TLV
    (LP: #1018052)
    - debian/patches/CVE-2012-1820.patch: correctly follow spec in
      bgpd/bgp_open.c.
    - CVE-2012-1820
 -- Marc Deslauriers <email address hidden> Thu, 11 Oct 2012 10:00:32 -0400

Changed in quagga (Ubuntu Oneiric):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
