Quagga: Multiple vulnerabilities


### Background

Quagga is a free routing daemon replacing Zebra supporting RIP, OSPF and BGP.

### Description

Multiple vulnerabilities have been discovered in Quagga. Please review the CVE identifiers referenced below for details.

### Impact

- A BGP peer could send a Route-Refresh message with a specially crafted ORF record, which can cause Quagga's bgpd to crash or possibly execute arbitrary code with the privileges of the user running Quagga's bgpd.
- A BGP update AS path request with unknown AS type, or malformed AS-Pathlimit or Extended-Community attributes, could lead to Denial of Service (daemon crash).
- An error in bgpd when handling AS_PATH attributes within UPDATE messages can be exploited to cause a heap-based buffer overflow, resulting in a crash of the daemon and disruption of IPv4 routing.
- Two errors in ospf6d and ospfd can each be exploited to crash the daemon and disrupt IP routing.

### Workaround

There is no known workaround at this time.

### Resolution

All Quagga users should upgrade to the latest version:

```
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/quagga-0.99.20"
```

### Affected Package

| OS | OS Version | Package Name | Package Version |
|---|---|---|---|
| Gentoo | any | net-misc/quagga | 0.99.20 |