File _patchinfo of Package patchinfo.34473

<patchinfo incident="34473">
  <issue tracker="cve" id="2023-38407"/>
  <issue tracker="cve" id="2023-47235"/>
  <issue tracker="cve" id="2023-38406"/>
  <issue tracker="cve" id="2023-47234"/>
  <issue tracker="bnc" id="1216897">VUL-0: CVE-2023-47234: frr,quagga: An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when processing a crafted BGP UPDATE message with a MP_UNREACH_NLRI attribute and additional NLRI data (that lacks mandatory path attributes).</issue>
  <issue tracker="bnc" id="1216899">VUL-0: CVE-2023-38407: frr,quagga: bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond the end of the stream during labeled unicast parsing.</issue>
  <issue tracker="bnc" id="1216896">VUL-0: CVE-2023-47235: frr,quagga: An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when a malformed BGP UPDATE message with an EOR is processed, because the presence of EOR does not lead to a treat-as-withdraw outcome.</issue>
  <issue tracker="bnc" id="1216900">VUL-0: CVE-2023-38406: frr,quagga: bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri length of zero, aka a "flowspec overflow."</issue>
  <packager>mtomaschewski</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for frr</summary>
  <description>This update for frr fixes the following issues:

- CVE-2023-38406: Fixed mishandling of an NLRI length of zero in flowspec parsing, aka "flowspec overflow". (bsc#1216900)
- CVE-2023-47235: Fixed a crash on a malformed BGP UPDATE message with an EOR, where the presence of the EOR did not lead to a treat-as-withdraw outcome. (bsc#1216896)
- CVE-2023-47234: Fixed a crash on a crafted BGP UPDATE message with an MP_UNREACH_NLRI attribute and additional NLRI data that lacks mandatory path attributes. (bsc#1216897)
- CVE-2023-38407: Fixed a read beyond the end of the stream during labeled unicast parsing. (bsc#1216899)
</description>
</patchinfo>