Overview

File _patchinfo of Package patchinfo.5249

<patchinfo incident="5249">
  <issue id="1021669" tracker="bnc">VUL-1: CVE-2017-5495: quagga: Telnet interface input buffer allocates unbounded amounts of memory</issue>
  <issue id="1034273" tracker="bnc">Upgrade to Quagga 1.1.1 for Midokura so they can get a PTF</issue>
  <issue id="1005258" tracker="bnc">VUL-0: CVE-2016-1245: quagga: Buffer Overflow in IPv6 RA handling</issue>
  <issue id="2016-1245" tracker="cve" />
  <issue id="2017-5495" tracker="cve" />
  <issue id="323168" tracker="fate" />
  <issue id="323170" tracker="fate" />
  <category>security</category>
  <rating>important</rating>
  <packager>mtomaschewski</packager>
  <description>This update provides Quagga 1.1.1, which brings several fixes and enhancements.

Security issues fixed:

- CVE-2017-5495: Telnet 'vty' interface DoS due to unbounded memory allocation. (bsc#1021669)
- CVE-2016-1245: Stack overrun in IPv6 RA receive code. (bsc#1005258)

Bug fixes:

- Do not enable zebra's TCP interface (port 2600) to use default UNIX socket for communication
  between the daemons. (fate#323170)

Between 0.99.22.1 and 1.1.1 the following improvements have been implemented:

- Changed the default of 'link-detect' state, controlling whether zebra will respond to
  link-state events and consider an interface to be down when link is down. To retain the
  current behavior save your config before updating, otherwise remove the 'link-detect'
  flag from your config prior to updating. There is also a new global 'default link-detect
  (on|off)' flag to configure the global default.
- Greatly improved nexthop resolution for recursive routes.
- Event driven nexthop resolution for BGP.
- Route tags support.
- Transport of TE related metrics over OSPF, IS-IS.
- IPv6 Multipath for zebra and BGP.
- Multicast RIB support has been extended. It still is IPv4 only.
- RIP for IPv4 now supports equal-cost multipath (ECMP).
- route-maps have a new action "set ipv6 next-hop peer-address".
- route-maps have a new action "set as-path prepend last-as".
- "next-hop-self all" to override nexthop on iBGP route reflector setups.
- New pimd daemon provides IPv4 PIM-SSM multicast routing.
- IPv6 address management has been improved regarding tentative addresses. This is visible in
  that a freshly configured address will not immediately be marked as usable.
- Recursive route support has been overhauled. Scripts parsing "show ip route" output may need
  adaptation.
- A large amount of changes has been merged for ospf6d. Careful evaluation prior to deployment
  is recommended.
- Multiprotocol peerings over IPv6 now try to find a more appropriate IPv4 nexthop by looking at
  the interface.
- Relaxed bestpath criteria for multipath and improved display of multipath routes in "show ip bgp".
  Scripts parsing this output may need to be updated.
- Support for iBGP TTL security.
</description>
  <summary>Security update for quagga</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places