libfpm_pb0-1.2.4-2.14 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11290-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libfpm_pb0-1.2.4-2.14 on GA media These are all security issues fixed in the libfpm_pb0-1.2.4-2.14 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11290 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2006-2223/ SUSE CVE CVE-2006-2223 page https://www.suse.com/security/cve/CVE-2007-1995/ SUSE CVE CVE-2007-1995 page https://www.suse.com/security/cve/CVE-2017-16227/ SUSE CVE CVE-2017-16227 page https://www.suse.com/security/cve/CVE-2017-5495/ SUSE CVE CVE-2017-5495 page https://www.suse.com/security/cve/CVE-2018-5278/ SUSE CVE CVE-2018-5278 page https://www.suse.com/security/cve/CVE-2018-5279/ SUSE CVE CVE-2018-5279 page https://www.suse.com/security/cve/CVE-2018-5280/ SUSE CVE CVE-2018-5280 page https://www.suse.com/security/cve/CVE-2018-5281/ SUSE CVE CVE-2018-5281 page https://www.suse.com/security/cve/CVE-2018-5378/ SUSE CVE CVE-2018-5378 page https://www.suse.com/security/cve/CVE-2018-5379/ SUSE CVE CVE-2018-5379 page https://www.suse.com/security/cve/CVE-2018-5380/ SUSE CVE CVE-2018-5380 page https://www.suse.com/security/cve/CVE-2018-5381/ SUSE CVE CVE-2018-5381 page openSUSE Tumbleweed libfpm_pb0-1.2.4-2.14 libospf0-1.2.4-2.14 libospfapiclient0-1.2.4-2.14 libquagga_pb0-1.2.4-2.14 libzebra1-1.2.4-2.14 quagga-1.2.4-2.14 quagga-devel-1.2.4-2.14 libfpm_pb0-1.2.4-2.14 as a component of openSUSE Tumbleweed libospf0-1.2.4-2.14 as a component of openSUSE Tumbleweed libospfapiclient0-1.2.4-2.14 as a component of openSUSE Tumbleweed libquagga_pb0-1.2.4-2.14 as a component of openSUSE Tumbleweed libzebra1-1.2.4-2.14 as a component of openSUSE Tumbleweed quagga-1.2.4-2.14 as a component of openSUSE Tumbleweed quagga-devel-1.2.4-2.14 as a component of openSUSE Tumbleweed RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly implement configurations that (1) disable RIPv1 or (2) require plaintext or MD5 authentication, which allows remote attackers to obtain sensitive information (routing state) via REQUEST packets such as SEND UPDATE. CVE-2006-2223 openSUSE Tumbleweed:libfpm_pb0-1.2.4-2.14 openSUSE Tumbleweed:libospf0-1.2.4-2.14 openSUSE Tumbleweed:libospfapiclient0-1.2.4-2.14 openSUSE Tumbleweed:libquagga_pb0-1.2.4-2.14 openSUSE Tumbleweed:libzebra1-1.2.4-2.14 openSUSE Tumbleweed:quagga-1.2.4-2.14 openSUSE Tumbleweed:quagga-devel-1.2.4-2.14 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2006-2223.html CVE-2006-2223 https://bugzilla.suse.com/173828 SUSE Bug 173828 bgpd/bgp_attr.c in Quagga 0.98.6 and earlier, and 0.99.6 and earlier 0.99 versions, does not validate length values in the MP_REACH_NLRI and MP_UNREACH_NLRI attributes, which allows remote attackers to cause a denial of service (daemon crash or exit) via crafted UPDATE messages that trigger an assertion error or out of bounds read. CVE-2007-1995 openSUSE Tumbleweed:libfpm_pb0-1.2.4-2.14 openSUSE Tumbleweed:libospf0-1.2.4-2.14 openSUSE Tumbleweed:libospfapiclient0-1.2.4-2.14 openSUSE Tumbleweed:libquagga_pb0-1.2.4-2.14 openSUSE Tumbleweed:libzebra1-1.2.4-2.14 openSUSE Tumbleweed:quagga-1.2.4-2.14 openSUSE Tumbleweed:quagga-devel-1.2.4-2.14 moderate 6.3 AV:N/AC:M/Au:S/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-1995.html CVE-2007-1995 https://bugzilla.suse.com/266100 SUSE Bug 266100 The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 allows remote attackers to cause a denial of service (session drop) via BGP UPDATE messages, because AS_PATH size calculation for long paths counts certain bytes twice and consequently constructs an invalid message. CVE-2017-16227 openSUSE Tumbleweed:libfpm_pb0-1.2.4-2.14 openSUSE Tumbleweed:libospf0-1.2.4-2.14 openSUSE Tumbleweed:libospfapiclient0-1.2.4-2.14 openSUSE Tumbleweed:libquagga_pb0-1.2.4-2.14 openSUSE Tumbleweed:libzebra1-1.2.4-2.14 openSUSE Tumbleweed:quagga-1.2.4-2.14 openSUSE Tumbleweed:quagga-devel-1.2.4-2.14 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-16227.html CVE-2017-16227 https://bugzilla.suse.com/1065641 SUSE Bug 1065641 All versions of Quagga, 0.93 through 1.1.0, are vulnerable to an unbounded memory allocation in the telnet 'vty' CLI, leading to a Denial-of-Service of Quagga daemons, or even the entire host. When Quagga daemons are configured with their telnet CLI enabled, anyone who can connect to the TCP ports can trigger this vulnerability, prior to authentication. Most distributions restrict the Quagga telnet interface to local access only by default. The Quagga telnet interface 'vty' input buffer grows automatically, without bound, so long as a newline is not entered. This allows an attacker to cause the Quagga daemon to allocate unbounded memory by sending very long strings without a newline. Eventually the daemon is terminated by the system, or the system itself runs out of memory. This is fixed in Quagga 1.1.1 and Free Range Routing (FRR) Protocol Suite 2017-01-10. CVE-2017-5495 openSUSE Tumbleweed:libfpm_pb0-1.2.4-2.14 openSUSE Tumbleweed:libospf0-1.2.4-2.14 openSUSE Tumbleweed:libospfapiclient0-1.2.4-2.14 openSUSE Tumbleweed:libquagga_pb0-1.2.4-2.14 openSUSE Tumbleweed:libzebra1-1.2.4-2.14 openSUSE Tumbleweed:quagga-1.2.4-2.14 openSUSE Tumbleweed:quagga-devel-1.2.4-2.14 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5495.html CVE-2017-5495 https://bugzilla.suse.com/1021669 SUSE Bug 1021669 ** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FARFLT.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c40e00c. NOTE: the vendor reported that they "have not been able to reproduce the issue on any Windows operating system version (32-bit or 64-bit)." CVE-2018-5278 openSUSE Tumbleweed:libfpm_pb0-1.2.4-2.14 openSUSE Tumbleweed:libospf0-1.2.4-2.14 openSUSE Tumbleweed:libospfapiclient0-1.2.4-2.14 openSUSE Tumbleweed:libquagga_pb0-1.2.4-2.14 openSUSE Tumbleweed:libzebra1-1.2.4-2.14 openSUSE Tumbleweed:quagga-1.2.4-2.14 openSUSE Tumbleweed:quagga-devel-1.2.4-2.14 moderate 6.1 AV:L/AC:L/Au:N/C:P/I:P/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5278.html CVE-2018-5278 ** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FARFLT.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c40e02c. NOTE: the vendor reported that they "have not been able to reproduce the issue on any Windows operating system version (32-bit or 64-bit)." CVE-2018-5279 openSUSE Tumbleweed:libfpm_pb0-1.2.4-2.14 openSUSE Tumbleweed:libospf0-1.2.4-2.14 openSUSE Tumbleweed:libospfapiclient0-1.2.4-2.14 openSUSE Tumbleweed:libquagga_pb0-1.2.4-2.14 openSUSE Tumbleweed:libzebra1-1.2.4-2.14 openSUSE Tumbleweed:quagga-1.2.4-2.14 openSUSE Tumbleweed:quagga-devel-1.2.4-2.14 moderate 6.1 AV:L/AC:L/Au:N/C:P/I:P/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5279.html CVE-2018-5279 SonicWall SonicOS on Network Security Appliance (NSA) 2016 Q4 devices has XSS via the Configure SSO screens. CVE-2018-5280 openSUSE Tumbleweed:libfpm_pb0-1.2.4-2.14 openSUSE Tumbleweed:libospf0-1.2.4-2.14 openSUSE Tumbleweed:libospfapiclient0-1.2.4-2.14 openSUSE Tumbleweed:libquagga_pb0-1.2.4-2.14 openSUSE Tumbleweed:libzebra1-1.2.4-2.14 openSUSE Tumbleweed:quagga-1.2.4-2.14 openSUSE Tumbleweed:quagga-devel-1.2.4-2.14 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5280.html CVE-2018-5280 SonicWall SonicOS on Network Security Appliance (NSA) 2017 Q4 devices has XSS via the CFS Custom Category and Cloud AV DB Exclusion Settings screens. CVE-2018-5281 openSUSE Tumbleweed:libfpm_pb0-1.2.4-2.14 openSUSE Tumbleweed:libospf0-1.2.4-2.14 openSUSE Tumbleweed:libospfapiclient0-1.2.4-2.14 openSUSE Tumbleweed:libquagga_pb0-1.2.4-2.14 openSUSE Tumbleweed:libzebra1-1.2.4-2.14 openSUSE Tumbleweed:quagga-1.2.4-2.14 openSUSE Tumbleweed:quagga-devel-1.2.4-2.14 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5281.html CVE-2018-5281 The Quagga BGP daemon (bgpd) prior to version 1.2.3 does not properly bounds check the data sent with a NOTIFY to a peer, if an attribute length is invalid. Arbitrary data from the bgpd process may be sent over the network to a peer and/or bgpd may crash. CVE-2018-5378 openSUSE Tumbleweed:libfpm_pb0-1.2.4-2.14 openSUSE Tumbleweed:libospf0-1.2.4-2.14 openSUSE Tumbleweed:libospfapiclient0-1.2.4-2.14 openSUSE Tumbleweed:libquagga_pb0-1.2.4-2.14 openSUSE Tumbleweed:libzebra1-1.2.4-2.14 openSUSE Tumbleweed:quagga-1.2.4-2.14 openSUSE Tumbleweed:quagga-devel-1.2.4-2.14 moderate 4.9 AV:N/AC:M/Au:S/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5378.html CVE-2018-5378 https://bugzilla.suse.com/1079798 SUSE Bug 1079798 The Quagga BGP daemon (bgpd) prior to version 1.2.3 can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes. A successful attack could cause a denial of service or potentially allow an attacker to execute arbitrary code. CVE-2018-5379 openSUSE Tumbleweed:libfpm_pb0-1.2.4-2.14 openSUSE Tumbleweed:libospf0-1.2.4-2.14 openSUSE Tumbleweed:libospfapiclient0-1.2.4-2.14 openSUSE Tumbleweed:libquagga_pb0-1.2.4-2.14 openSUSE Tumbleweed:libzebra1-1.2.4-2.14 openSUSE Tumbleweed:quagga-1.2.4-2.14 openSUSE Tumbleweed:quagga-devel-1.2.4-2.14 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5379.html CVE-2018-5379 https://bugzilla.suse.com/1079799 SUSE Bug 1079799 The Quagga BGP daemon (bgpd) prior to version 1.2.3 can overrun internal BGP code-to-string conversion tables used for debug by 1 pointer value, based on input. CVE-2018-5380 openSUSE Tumbleweed:libfpm_pb0-1.2.4-2.14 openSUSE Tumbleweed:libospf0-1.2.4-2.14 openSUSE Tumbleweed:libospfapiclient0-1.2.4-2.14 openSUSE Tumbleweed:libquagga_pb0-1.2.4-2.14 openSUSE Tumbleweed:libzebra1-1.2.4-2.14 openSUSE Tumbleweed:quagga-1.2.4-2.14 openSUSE Tumbleweed:quagga-devel-1.2.4-2.14 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5380.html CVE-2018-5380 https://bugzilla.suse.com/1079800 SUSE Bug 1079800 The Quagga BGP daemon (bgpd) prior to version 1.2.3 has a bug in its parsing of "Capabilities" in BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function. The parser can enter an infinite loop on invalid capabilities if a Multi-Protocol capability does not have a recognized AFI/SAFI, causing a denial of service. CVE-2018-5381 openSUSE Tumbleweed:libfpm_pb0-1.2.4-2.14 openSUSE Tumbleweed:libospf0-1.2.4-2.14 openSUSE Tumbleweed:libospfapiclient0-1.2.4-2.14 openSUSE Tumbleweed:libquagga_pb0-1.2.4-2.14 openSUSE Tumbleweed:libzebra1-1.2.4-2.14 openSUSE Tumbleweed:quagga-1.2.4-2.14 openSUSE Tumbleweed:quagga-devel-1.2.4-2.14 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5381.html CVE-2018-5381 https://bugzilla.suse.com/1079801 SUSE Bug 1079801