File _patchinfo of Package patchinfo.31712

<patchinfo incident="31712">
  <issue tracker="cve" id="2023-38407"/>
  <issue tracker="cve" id="2023-47234"/>
  <issue tracker="cve" id="2023-47235"/>
  <issue tracker="cve" id="2023-38406"/>
  <issue tracker="bnc" id="1216896">VUL-0: CVE-2023-47235: frr,quagga: An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when a malformed BGP UPDATE message with an EOR is processed, because the presence of EOR does not lead to a treat-as-withdraw outcome.</issue>
  <issue tracker="bnc" id="1216897">VUL-0: CVE-2023-47234: frr,quagga: An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when processing a crafted BGP UPDATE message with a MP_UNREACH_NLRI attribute and additional NLRI data (that lacks mandatory path attributes).</issue>
  <issue tracker="bnc" id="1216900">VUL-0: CVE-2023-38406: frr,quagga: bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri length of zero, aka a "flowspec overflow."</issue>
  <issue tracker="bnc" id="1216899">VUL-0: CVE-2023-38407: frr,quagga: bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond the end of the stream during labeled unicast parsing.</issue>
  <packager>mtomaschewski</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for frr</summary>
  <description>This update for frr fixes the following issues:

- CVE-2023-47235: Fixed denial of service caused by malformed BGP UPDATE message with an EOR is processed (bsc#1216896).
- CVE-2023-47234: Fixed denial of service caused by crafted BGP UPDATE message with a MP_UNREACH_NLRI attribute (bsc#1216897).
- CVE-2023-38407: Fixed read beyond the end of the stream during labeled unicast parsing (bsc#1216899).
- CVE-2023-38406: Fixed mishandling of nlri length of zero, aka a "flowspec overflow (bsc#1216900).
</description>
</patchinfo>