The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Quagga Routing Suite: two vulnerabilities

Synthesis of the vulnerability

Two vulnerabilities in Quagga Routing Suite can be used by an attacker to create a denial of service or possibly to execute code.
Severity of this announcement: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 24/08/2010.
References of this computer vulnerability: 626783, 626795, BID-42635, BID-42642, CVE-2010-2948, CVE-2010-2949, DSA-2104-1, FEDORA-2010-13928, FEDORA-2010-14002, FEDORA-2010-14009, MDVSA-2010:174, openSUSE-SU-2010:0984-1, RHSA-2010:0785-01, RHSA-2010:0945-01, SUSE-SR:2010:022, VIGILANCE-VUL-9877.

Description of the vulnerability

Two vulnerabilities were announced in Quagga Routing Suite.

An attacker can send a malicious BGP "Outbound Route Filtering" message in order to generate a stack overflow in the BGP daemon. [severity:2/4; 626783, BID-42635, CVE-2010-2948]

An attacker can send a malicious BGP "update AS path" in order to generate a denial of service of the BGP daemon. [severity:2/4; 626795, BID-42642, CVE-2010-2949]

This security weakness impacts software or systems such as Debian, Fedora, openSUSE, Solaris, RHEL, ROX, RuggedSwitch, SLES.

Our Vigil@nce team determined that the severity of this threat bulletin is medium.

The trust level is "confirmed by the editor", and the origin of the attack is "internet client".

This bulletin is about 2 vulnerabilities.

An attacker with an expert ability can exploit this threat.

Solutions for this threat

Quagga Routing Suite: version 0.99.17.
Version 0.99.17 is fixed:
  http://www.quagga.net/

Quagga Routing Suite: patch.
A patch is available in information sources.

RuggedCom ROX: version 1.15.
Version 1.15 is fixed:
  http://www.ruggedcom.com/support/software/

Debian: new quagga packages.
New packages are available:
  quagga_0.99.10-1lenny3

Fedora: new quagga packages.
New packages are available:
  quagga-0.99.17-1.fc12
  quagga-0.99.17-1.fc13
  quagga-0.99.17-1.fc14

Mandriva Corporate 4: new quagga packages.
New packages are available:
  quagga-0.99.17-0.1.20060mlcs4

openSUSE: new quagga packages.
New packages are available:
  openSUSE 11.1 : quagga-0.99.17-1.1.1
  openSUSE 11.2 : quagga-0.99.17-1.3.1
  openSUSE 11.3 : quagga-0.99.17-1.3.1

RHEL 4, 5: new quagga packages.
New packages are available:
Red Hat Enterprise Linux version 4:
  quagga-0.98.3-4.el4_8.1
Red Hat Enterprise Linux version 5:
  quagga-0.98.6-5.el5_5.2

RHEL 6.0: new quagga packages.
New packages are available:
  quagga-*-0.99.15-5.el6_0.1

Solaris: patch for Quagga.
A patch is available:
  Solaris 10 :
    SPARC: 126206-09
    X86: 126207-09
  Solaris 11 :
    11/11 SRU 4

SUSE: new packages (30/11/2010).
New packages are available, as indicated in information sources.