-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 Mar 2024 23:21:21 +0100
Source: frr
Architecture: source
Version: 9.1-0.1
Distribution: unstable
Urgency: high
Maintainer: David Lamparter <equinox-debian@diac24.net>
Changed-By: Daniel Baumann <daniel.baumann@progress-linux.org>
Closes: 1042473 1044470 1055852 1065144
Changes:
 frr (9.1-0.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * New upstream release (Closes: #1042473, #1055852):
     - CVE-2023-3748: parsing certain babeld unicast hello messages that are intended to be ignored. This issue may allow an attacker to send specially crafted hello messages with the unicast flag set, the interval field set to 0, or any TLV that contains a sub-TLV with the Mandatory flag set to enter an infinite loop and cause a denial of service.
     - CVE-2023-38407: bgpd/bgp_label.c attempts to read beyond the end of the stream during labeled unicast parsing.
     - CVE-2023-41361: bgpd/bgp_open.c does not check for an overly large length of the rcv software version.
     - CVE-2023-46752: It mishandles malformed MP_REACH_NLRI data, leading to a crash.
     - CVE-2023-46753: A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute.
     - CVE-2023-47234: A crash can occur when processing a crafted BGP UPDATE message with a MP_UNREACH_NLRI attribute and additional NLRI data (that lacks mandatory path attributes).
     - CVE-2023-47235: A crash can occur when a malformed BGP UPDATE message with an EOR is processed, because the presence of EOR does not lead to a treat-as-withdraw outcome.
   * Updating patches:
     - removing CVE-2023-38802.patch, included upstream.
     - removing CVE-2023-41358.patch, included upstream.
     - removing CVE-2023-41360.patch, included upstream.
     - removing unapplied CVE-2023-41361.patch, included upstream.
     - adding CVE-2024-27913.patch from upstream: ospf_te_parse_te in ospfd/ospf_te.c allows remote attackers to cause a denial of service (ospfd daemon crash) via a malformed OSPF LSA packet, because of an attempted access to a missing attribute field (Closes: #1065144).
   * Updating build-depends:
     - adding now required protobuf-c-compiler to build-depends.
     - adding now required libprotobuf-c-dev to build-depends.
     - adding new libmgmt_be_nb.so to frr.install.
     - removing obsolete lsb-base.
     - preferring new pkgconf over old pkg-config.
   * Updating override_dh_auto_clean to fix FTBFS when built twice in a row (Closes: #1044470):
     - call dh_auto_clean which is safe to run now.
     - remove tests/.pytest_cache.
   * Removing obsolete doc-base.
Checksums-Sha1:
 fa8ccd2fbde1dd12bd2b9b75a6b1e73c429a5755 2734 frr_9.1-0.1.dsc
 b96093130eb27fd472e03a7fda3613f080dc6e99 8231024 frr_9.1.orig.tar.xz
 c0d3f1806539be400ea783f3d35f3967a530216d 32564 frr_9.1-0.1.debian.tar.xz
 f84ba762264d886a4458615178dc7c5a16794242 11698 frr_9.1-0.1_amd64.buildinfo
Checksums-Sha256:
 fe61b7fc08e26ed1ed0555e5a41986a8c23a2d0014f048bd62659cfe683a6f86 2734 frr_9.1-0.1.dsc
 da24cc625121f7f215cc2c57dfb491266f7634b0b50422f8911bb0c44e812e60 8231024 frr_9.1.orig.tar.xz
 0f6e95c12ddb133d420eabab1bf5bff2f001edec7473ea3a635887a02b113e24 32564 frr_9.1-0.1.debian.tar.xz
 012b55f3fad830c07c6ddf3a05b96948b31a7e76fc6df42a97812059b28449be 11698 frr_9.1-0.1_amd64.buildinfo
Files:
 5b55fe3b9eb1abc04d1ce0155fc0cbc3 2734 net optional frr_9.1-0.1.dsc
 f87041fcdbcaa3663df69a9425f97876 8231024 net optional frr_9.1.orig.tar.xz
 348a84a902d34edb280f6c83a4ba61db 32564 net optional frr_9.1-0.1.debian.tar.xz
 8e99cdb7bc0b4d41ebe78090d829b0ce 11698 net optional frr_9.1-0.1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEgTbtJcfWfpLHSkKSVc8b+YaruccFAmXrou4ACgkQVc8b+Yar
ucfNPA/+LcXs6oES7ubU+eVvuDL1E5DFQLmYIdrtIyuqu0V7wo0OfzDk7vmzHaTf
aCDvwFuGwVuDTVd/HfQU5lmrdB8Oty+OCZKjXRKgOtQsvkxD4Vit+EYGYa7cic82
O27zq27U7jm0Je9zyjMsk6etG27bQQVH+Synfuv4ju+1j+G+fsJ5ymxb1K20dEwV
hnSZ7TVQOvmgtCRzuWeZuMvc1tbB6YGPhNDQLl2y6Vug15hKUfYqjOQrtLJHigvQ
FsgQiDDDaFFWcKlmO3XizW38FKUS3N8a3v+KaF6Lmw19Sh0LGM8YLqkzoxf04E2o
u6TtaZNXW82WiIboz1OUYAKP8olFYy+hBPspqjx8aVlUJlwdfNBsgTttphUB7AEE
YsdG7VXncdpBONif5gWGPIQGKvJgjPSh7kzgpna4Yx4u9JaCd+b58ZoAPsgbM2Hs
z7cY8DzNkboxBK0z2OC6+qsYt2UxTSwZS7FvlUWcNdP4+grensR9JurisOqDwNnQ
bif1hvWPa26VPoBlfFFbOX9tthr5xxm3ojLi9oEI6+UBETdsJLZnye7k00s66lh/
MxknI0X+4RTwplId844psJFsh3Aql67t3ORmQ41orFlWCkz/esIYr1UvAlf1bFtA
Hm2k55H59zn4O04eUC8GQUoWqI3p4Go1qlHvnjy2p6MOdW4uXl0=
=7fB/
-----END PGP SIGNATURE-----