[ubuntu/oracular-proposed] frr 10.0.1-0.1ubuntu1 (Accepted)

Andreas Hasenack andreas at canonical.com
Wed Jul 31 20:46:12 UTC 2024


frr (10.0.1-0.1ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2064404). Remaining changes:
    - Fix logging with Ubuntu's unprivileged rsyslog (LP #1958162):
      + d/frr.postinst: change log files ownership
      + d/frr.logrotate: change rotated log file ownership
  * Dropped security patches included upstream:
    - SECURITY UPDATE: DoS via MP_REACH_NLRI data
      + debian/patches/CVE-2023-46752.patch: handle MP_REACH_NLRI malformed
        packets with session reset in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
        bgpd/bgp_packet.c.
      + CVE-2023-46752
    - SECURITY UPDATE: DoS via BGP UPDATE without mandatory attributes
      + debian/patches/CVE-2023-46753.patch: check mandatory attributes more
        carefully for UPDATE message in bgpd/bgp_attr.c.
      + CVE-2023-46753
    - SECURITY UPDATE: read beyond stream during labeled unicast parsing
      + debian/patches/CVE-2023-38407.patch: fix use beyond end of stream of
        labeled unicast parsing in bgpd/bgp_label.c.
      + CVE-2023-38407
    - SECURITY UPDATE: crash via malformed BGP UPDATE message
      + debian/patches/CVE-2023-47235.patch: treat EOR as withdrawn to avoid
        unwanted handling of malformed attrs in bgpd/bgp_attr.c.
      + CVE-2023-47235
    - SECURITY UPDATE: crash via MP_UNREACH_NLRI attribute
      + debian/patches/CVE-2023-47234.patch: ignore handling NLRIs if we
        received MP_UNREACH_NLRI in bgpd/bgp_attr.c, bgpd/bgp_attr.h,
        bgpd/bgp_packet.c.
      + CVE-2023-47234
    - SECURITY UPDATE: DoS via malformed OSPF LSA packet
      + debian/patches/CVE-2024-27913.patch: solved crash in OSPF TE parsing
        in ospfd/ospf_te.c.
      + CVE-2024-27913

Date: Mon, 29 Jul 2024 09:49:25 -0300
Changed-By: Andreas Hasenack <andreas at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/frr/10.0.1-0.1ubuntu1
Format: 1.8
Date: Mon, 29 Jul 2024 09:49:25 -0300
Source: frr
Built-For-Profiles: noudeb
Architecture: source
Version: 10.0.1-0.1ubuntu1
Distribution: oracular
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Andreas Hasenack <andreas at canonical.com>
Launchpad-Bugs-Fixed: 2064404
Changes:
Checksums-Sha1:
Checksums-Sha256:
Files:
Original-Maintainer: David Lamparter <equinox-debian at diac24.net>
Vcs-Git: https://git.launchpad.net/~ahasenack/ubuntu/+source/frr
Vcs-Git-Commit: 2586b52bb8bda26257c9a15b1fde4c7bdc8c38ef
Vcs-Git-Ref: refs/heads/oracular-frr-merge-1