Debian Security Advisory DSA 2803-1 (quagga - several vulnerabilities)

Summary
Multiple vulnerabilities were discovered in Quagga, a BGP/OSPF/RIP routing daemon:

CVE-2013-2236: A buffer overflow was found in the OSPF API-server (exporting the LSDB and allowing announcement of Opaque-LSAs).

CVE-2013-6051: bgpd could be crashed through BGP updates. This only affects Wheezy/stable.
Solution
For the oldstable distribution (squeeze), these problems have been fixed in version 0.99.20.1-0+squeeze5. For the stable distribution (wheezy), these problems have been fixed in version 0.99.22.4-1+wheezy1. For the unstable distribution (sid), these problems have been fixed in version 0.99.22.4-1. We recommend that you upgrade your quagga packages.
Insight
GNU Quagga is free software which manages TCP/IP based routing protocols. It supports BGP4, BGP4+, OSPFv2, OSPFv3, IS-IS, RIPv1, RIPv2, and RIPng as well as the IPv6 versions of these.
Affected
quagga on Debian Linux
Detection
This check tests the installed software version using the apt package manager.