CVE-2010-2949

Publication date 10 September 2010

Last updated 24 July 2024

Ubuntu priority

Description

bgpd in Quagga before 0.99.17 does not properly parse AS paths, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unknown AS type in an AS path attribute in a BGP UPDATE message.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
quagga	10.10 maverick	Not affected
	10.04 LTS lucid	Fixed 0.99.15-1ubuntu0.1
	9.10 karmic	Fixed 0.99.13-1ubuntu0.1
	9.04 jaunty	Ignored end of life
	8.04 LTS hardy	Fixed 0.99.9-2ubuntu1.4
	6.06 LTS dapper	Fixed 0.99.2-1ubuntu3.7

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
quagga	Upstream: http://code.quagga.net/?p=quagga.git;a=commitdiff;h=cddb8112b80fa9867156c637d63e6e79eeac67bb Vendor: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3.diff.gz

References

Related Ubuntu Security Notices (USN)

USN-1027-1
Quagga vulnerabilities
7 December 2010