Re: [SECURITY] [DSA 3654-1] quagga security update

To: debian-security@lists.debian.org

Subject: Re: [SECURITY] [DSA 3654-1] quagga security update

From: Daniel Chen <daniel@olivetech.com>

Date: Fri, 26 Aug 2016 06:04:37 -0500

Message-id: <[🔎] CAAiF3tkV0pp5gahvb-Sx30p1pzJR93-mkYBuJhEKomt-ZFfnKg@mail.gmail.com>

In-reply-to: <E1bd8N1-0000aS-VU@seger.debian.org>

References: <E1bd8N1-0000aS-VU@seger.debian.org>

unsubscrbe

On Thu, Aug 25, 2016 at 11:03 PM, Sebastien Delafond <seb@debian.org> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3654-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
August 26, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : quagga
CVE ID : CVE-2016-4036 CVE-2016-4049
Debian Bug : 822787 835223

Two vulnerabilities were discovered in quagga, a BGP/OSPF/RIP routing
daemon.

CVE-2016-4036

Tamás Németh discovered that sensitive configuration files in
/etc/quagga were world-readable despite containing sensitive
information.

CVE-2016-4049

Evgeny Uskov discovered that a bgpd instance handling many peers
could be crashed by a malicious user when requesting a route dump.

For the stable distribution (jessie), these problems have been fixed in
version 0.99.23.1-1+deb8u2.

We recommend that you upgrade your quagga packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJXv7uWAAoJEBC+iYPz1Z1k9gEIAIJFfP8HBGxxk0wi9VtvH8YP
ns5vxN2NJecHqaSK9KGVq1HPn14/mlSu+ylhdSJ9tFyU7ELoqbkrGH4C4EqH3FnJ
2sHQLdJ82It9/W4OzXf0+WXW9gUOKS4SvkhSphuGJL9DNJRclb3LGYUnRBzP7qhB
w5tR1/tKNYqpgMUzFauHt1dDmWhNr3T0++ejFOJv6S1VAFGTDFFBhNoLD3wT25gd
aAgGFUfYWkGqz+vhcHGBXD1w4x8+SjBQ4jycIUoGHMNDfIu9rb/R2xVbl6XDzZXZ
NIB9aL3c6KU4MILl9MGt2YVbKlYgf7Yuc4c7ZyrZ+YwamwveVhdZwEBwWx7Hiog=
=SWnF
-----END PGP SIGNATURE-----

**************** CAUTION - Disclaimer *****************

This e-mail communication (including any and all attachments transmitted with it) may contain legally privileged and confidential information and is intended solely for the use of the recipient named. If the reader of this e-mail communication is not the intended recipient, you are hereby notified that any reading, dissemination, distribution, copying, or other use of this e-mail communication (including any and all attachments), or any of its contents, is strictly prohibited. If you have received this e-mail communication in error, please notify the sender immediately by electronic mail (sender's e-mail address). Thereafter, immediately delete the original e-mail communication (including any and all attachments), all copies, including but not limited to, all backups thereof from your computer system. Thank you

****************** End of Disclaimer ***OliveTech******

Reply to:

Follow-Ups:

Re: [SECURITY] [DSA 3654-1] quagga security update
- From: Steven Conrad Bayer <steven.bayer@neunzichgrad.de>