Fedora has issued an advisory on February 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NKP6QWJW7XWDE4O42UCR5L534GOHVIQN/ Patched packages uploaded for Mageia 5 and Cauldron. Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=6512#c1 Advisory: ======================== Updated quagga packages fix security vulnerability: All versions of Quagga, 0.93 through 1.1.0, are vulnerable to an unbounded memory allocation in the telnet 'vty' CLI, leading to a Denial-of-Service of Quagga daemons, or even the entire host (CVE-2017-5495). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5495 https://lists.quagga.net/pipermail/quagga-dev/2017-January/016586.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NKP6QWJW7XWDE4O42UCR5L534GOHVIQN/ ======================== Updated packages in core/updates_testing: ======================== quagga-0.99.22.4-4.4.mga5 quagga-contrib-0.99.22.4-4.4.mga5 libquagga0-0.99.22.4-4.4.mga5 libquagga-devel-0.99.22.4-4.4.mga5 from quagga-0.99.22.4-4.4.mga5.src.rpm
Whiteboard: (none) => has_procedure
CC: (none) => davidwhodginsWhiteboard: has_procedure => has_procedure advisory
x86_64 real hardware Installed the updates and followed the indicated procedure. # systemctl start zebra # systemctl start bgpd.service # systemctl start ospfd # systemctl start ripd # systemctl start isisd # systemctl start ripngd # watchquagga zebra bgpd ospfd ospf6d ripd isisd ripngd 2017/02/18 21:43:56 NONE: watchquagga 0.99.22.4 watching [zebra bgpd ospfd ospf6d ripd isisd ripngd], mode [monitor] 2017/02/18 21:43:56 NONE: bgpd state -> up : connect succeeded 2017/02/18 21:43:56 NONE: ospf6d state -> down : initial connection attempt failed 2017/02/18 21:43:56 NONE: ospfd state -> up : connect succeeded 2017/02/18 21:43:56 NONE: isisd state -> up : connect succeeded 2017/02/18 21:43:56 NONE: zebra state -> up : connect succeeded 2017/02/18 21:43:56 NONE: ripd state -> up : connect succeeded 2017/02/18 21:43:57 NONE: ripngd state -> up : connect succeeded $ sudo systemctl start ospf6d watchquagga output: 2017/02/18 21:45:17 NONE: ospf6d state -> up : connect succeeded # netstat -tapnl | grep ':26' tcp 0 0 0.0.0.0:2601 0.0.0.0:* LISTEN 28358/zebra tcp 0 0 0.0.0.0:2602 0.0.0.0:* LISTEN 28552/ripd tcp 0 0 0.0.0.0:2603 0.0.0.0:* LISTEN 28653/ripngd tcp 0 0 0.0.0.0:2604 0.0.0.0:* LISTEN 28516/ospfd tcp 0 0 0.0.0.0:2605 0.0.0.0:* LISTEN 28415/bgpd tcp 0 0 0.0.0.0:2606 0.0.0.0:* LISTEN 29360/ospf6d tcp 0 0 0.0.0.0:2608 0.0.0.0:* LISTEN 28597/isisd tcp6 0 0 :::2601 :::* LISTEN 28358/zebra tcp6 0 0 :::2602 :::* LISTEN 28552/ripd tcp6 0 0 :::2603 :::* LISTEN 28653/ripngd tcp6 0 0 :::2604 :::* LISTEN 28516/ospfd tcp6 0 0 :::2605 :::* LISTEN 28415/bgpd tcp6 0 0 :::2606 :::* LISTEN 29360/ospf6d tcp6 0 0 :::2608 :::* LISTEN 28597/isisd Used telnet to access some of the services via their TCP ports and logged in and looked at help and ran some safe commands. Passwords are set in the configuration files. # telnet localhost 2601 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. Hello, this is Quagga (version 0.99.22.4). Copyright 1996-2005 Kunihiro Ishiguro, et al. User Access Verification Password: Router> ? echo Echo a message back to the vty enable Turn on privileged mode command exit Exit current mode and down to previous mode etc. And in a similar fashion for IPv6 services. # telnet ::1 2604 Trying ::1... Connected to ::1. Escape character is '^]'. Hello, this is Quagga (version 0.99.22.4). Copyright 1996-2005 Kunihiro Ishiguro, et al. User Access Verification Password: ospfd> show ? history Display the session command history ip IP information ipv6 IPv6 information logging Show current logging configuration memory Memory statistics mpls-te MPLS-TE information thread Thread information version Displays zebra version work-queues Work Queue information ospfd> show ip ospf OSPF Routing Process, Router ID: 192.168.122.1 Supports only single TOS (TOS0) routes This implementation conforms to RFC2328 RFC1583Compatibility flag is disabled OpaqueCapability flag is disabled Initial SPF scheduling delay 200 millisec(s) and more information than we need at this stage..... # systemctl stop zebra.service # systemctl start zebra.service watchquagga output: 2017/02/18 22:06:47 NONE: isisd state -> down : read returned EOF 2017/02/18 22:06:47 NONE: ripngd state -> down : read returned EOF 2017/02/18 22:06:47 NONE: ospfd state -> down : read returned EOF 2017/02/18 22:06:47 NONE: ripd state -> down : read returned EOF 2017/02/18 22:06:47 NONE: ospf6d state -> down : read returned EOF 2017/02/18 22:06:47 NONE: bgpd state -> down : read returned EOF 2017/02/18 22:06:47 NONE: zebra state -> down : read returned EOF 2017/02/18 22:07:32 NONE: zebra state -> up : connect succeeded Individual services need to be restarted as needed. Back into the router: Router> show ip mroute Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, A - Babel, > - selected route, * - FIB route C>* 127.0.0.0/8 is directly connected, lo C>* 192.168.1.0/24 is directly connected, enp3s0 C>* 192.168.122.0/24 is directly connected, virbr0 # telnet ::1 2606 ..................... ospf6d@plant# It was possible to reach ::1 2603 ( == ripngd ) Restarted ripd and telnet to ::1 2602 worked. This all looks good enough for an OK.
CC: (none) => tarazed25
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK
Keywords: (none) => validated_updateWhiteboard: has_procedure advisory MGA5-64-OK => has_procedure advisory MGA5-64-OK MGA5-32-OKCC: (none) => sysadmin-bugs
i586 on virtualbox Installed the quagga packages, edited the /etc/quagga conf files and checked that everything worked as before. Updated the packages and ran a battery of tests similar to those inthe 64bit test and saw the same kind of output. Services could be stopped and restarted cleanly. telnet logins worked on the ip ports and also the ipv6 ports. Tried out help and show commands. Used watchquagga to see services coming up and going down. netstat provided information on the TCP ports, showing assignments for individual services. With the 32-bit OK this can be validated.
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0071.html
Status: NEW => RESOLVEDResolution: (none) => FIXED