libospf0-1.0.20160315-5.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10362-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libospf0-1.0.20160315-5.1 on GA media These are all security issues fixed in the libospf0-1.0.20160315-5.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10362 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2010-1674/ SUSE CVE CVE-2010-1674 page https://www.suse.com/security/cve/CVE-2010-1675/ SUSE CVE CVE-2010-1675 page https://www.suse.com/security/cve/CVE-2013-2236/ SUSE CVE CVE-2013-2236 page https://www.suse.com/security/cve/CVE-2016-1245/ SUSE CVE CVE-2016-1245 page https://www.suse.com/security/cve/CVE-2016-2342/ SUSE CVE CVE-2016-2342 page https://www.suse.com/security/cve/CVE-2016-4049/ SUSE CVE CVE-2016-4049 page openSUSE Tumbleweed libospf0-1.0.20160315-5.1 libospfapiclient0-1.0.20160315-5.1 libzebra0-1.0.20160315-5.1 quagga-1.0.20160315-5.1 quagga-devel-1.0.20160315-5.1 libospf0-1.0.20160315-5.1 as a component of openSUSE Tumbleweed libospfapiclient0-1.0.20160315-5.1 as a component of openSUSE Tumbleweed libzebra0-1.0.20160315-5.1 as a component of openSUSE Tumbleweed quagga-1.0.20160315-5.1 as a component of openSUSE Tumbleweed quagga-devel-1.0.20160315-5.1 as a component of openSUSE Tumbleweed The extended-community parser in bgpd in Quagga before 0.99.18 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed Extended Communities attribute. CVE-2010-1674 openSUSE Tumbleweed:libospf0-1.0.20160315-5.1 openSUSE Tumbleweed:libospfapiclient0-1.0.20160315-5.1 openSUSE Tumbleweed:libzebra0-1.0.20160315-5.1 openSUSE Tumbleweed:quagga-1.0.20160315-5.1 openSUSE Tumbleweed:quagga-devel-1.0.20160315-5.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-1674.html CVE-2010-1674 https://bugzilla.suse.com/654270 SUSE Bug 654270 https://bugzilla.suse.com/685558 SUSE Bug 685558 bgpd in Quagga before 0.99.18 allows remote attackers to cause a denial of service (session reset) via a malformed AS_PATHLIMIT path attribute. CVE-2010-1675 openSUSE Tumbleweed:libospf0-1.0.20160315-5.1 openSUSE Tumbleweed:libospfapiclient0-1.0.20160315-5.1 openSUSE Tumbleweed:libzebra0-1.0.20160315-5.1 openSUSE Tumbleweed:quagga-1.0.20160315-5.1 openSUSE Tumbleweed:quagga-devel-1.0.20160315-5.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-1675.html CVE-2010-1675 https://bugzilla.suse.com/654270 SUSE Bug 654270 https://bugzilla.suse.com/685558 SUSE Bug 685558 Stack-based buffer overflow in the new_msg_lsa_change_notify function in the OSPFD API (ospf_api.c) in Quagga before 0.99.22.2, when --enable-opaque-lsa and the -a command line option are used, allows remote attackers to cause a denial of service (crash) via a large LSA. CVE-2013-2236 openSUSE Tumbleweed:libospf0-1.0.20160315-5.1 openSUSE Tumbleweed:libospfapiclient0-1.0.20160315-5.1 openSUSE Tumbleweed:libzebra0-1.0.20160315-5.1 openSUSE Tumbleweed:quagga-1.0.20160315-5.1 openSUSE Tumbleweed:quagga-devel-1.0.20160315-5.1 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-2236.html CVE-2013-2236 https://bugzilla.suse.com/828117 SUSE Bug 828117 It was discovered that the zebra daemon in Quagga before 1.0.20161017 suffered from a stack-based buffer overflow when processing IPv6 Neighbor Discovery messages. The root cause was relying on BUFSIZ to be compatible with a message size; however, BUFSIZ is system-dependent. CVE-2016-1245 openSUSE Tumbleweed:libospf0-1.0.20160315-5.1 openSUSE Tumbleweed:libospfapiclient0-1.0.20160315-5.1 openSUSE Tumbleweed:libzebra0-1.0.20160315-5.1 openSUSE Tumbleweed:quagga-1.0.20160315-5.1 openSUSE Tumbleweed:quagga-devel-1.0.20160315-5.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1245.html CVE-2016-1245 https://bugzilla.suse.com/1005258 SUSE Bug 1005258 The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in the VPNv4 NLRI parser in bgpd in Quagga before 1.0.20160309, when a certain VPNv4 configuration is used, relies on a Labeled-VPN SAFI routes-data length field during a data copy, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted packet. CVE-2016-2342 openSUSE Tumbleweed:libospf0-1.0.20160315-5.1 openSUSE Tumbleweed:libospfapiclient0-1.0.20160315-5.1 openSUSE Tumbleweed:libzebra0-1.0.20160315-5.1 openSUSE Tumbleweed:quagga-1.0.20160315-5.1 openSUSE Tumbleweed:quagga-devel-1.0.20160315-5.1 moderate 6 AV:N/AC:M/Au:S/C:P/I:P/A:P 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2342.html CVE-2016-2342 https://bugzilla.suse.com/970952 SUSE Bug 970952 The bgp_dump_routes_func function in bgpd/bgp_dump.c in Quagga does not perform size checks when dumping data, which might allow remote attackers to cause a denial of service (assertion failure and daemon crash) via a large BGP packet. CVE-2016-4049 openSUSE Tumbleweed:libospf0-1.0.20160315-5.1 openSUSE Tumbleweed:libospfapiclient0-1.0.20160315-5.1 openSUSE Tumbleweed:libzebra0-1.0.20160315-5.1 openSUSE Tumbleweed:quagga-1.0.20160315-5.1 openSUSE Tumbleweed:quagga-devel-1.0.20160315-5.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4049.html CVE-2016-4049 https://bugzilla.suse.com/977012 SUSE Bug 977012