frr-8.4-8.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13487 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z frr-8.4-8.1 on GA media These are all security issues fixed in the frr-8.4-8.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13487 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13487 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-38406/ SUSE CVE CVE-2023-38406 page https://www.suse.com/security/cve/CVE-2023-38407/ SUSE CVE CVE-2023-38407 page https://www.suse.com/security/cve/CVE-2023-47234/ SUSE CVE CVE-2023-47234 page https://www.suse.com/security/cve/CVE-2023-47235/ SUSE CVE CVE-2023-47235 page openSUSE Tumbleweed frr-8.4-8.1 frr-devel-8.4-8.1 libfrr0-8.4-8.1 libfrr_pb0-8.4-8.1 libfrrcares0-8.4-8.1 libfrrfpm_pb0-8.4-8.1 libfrrospfapiclient0-8.4-8.1 libfrrsnmp0-8.4-8.1 libfrrzmq0-8.4-8.1 libmlag_pb0-8.4-8.1 frr-8.4-8.1 as a component of openSUSE Tumbleweed frr-devel-8.4-8.1 as a component of openSUSE Tumbleweed libfrr0-8.4-8.1 as a component of openSUSE Tumbleweed libfrr_pb0-8.4-8.1 as a component of openSUSE Tumbleweed libfrrcares0-8.4-8.1 as a component of openSUSE Tumbleweed libfrrfpm_pb0-8.4-8.1 as a component of openSUSE Tumbleweed libfrrospfapiclient0-8.4-8.1 as a component of openSUSE Tumbleweed libfrrsnmp0-8.4-8.1 as a component of openSUSE Tumbleweed libfrrzmq0-8.4-8.1 as a component of openSUSE Tumbleweed libmlag_pb0-8.4-8.1 as a component of openSUSE Tumbleweed bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri length of zero, aka a "flowspec overflow." CVE-2023-38406 openSUSE Tumbleweed:frr-8.4-8.1 openSUSE Tumbleweed:frr-devel-8.4-8.1 openSUSE Tumbleweed:libfrr0-8.4-8.1 openSUSE Tumbleweed:libfrr_pb0-8.4-8.1 openSUSE Tumbleweed:libfrrcares0-8.4-8.1 openSUSE Tumbleweed:libfrrfpm_pb0-8.4-8.1 openSUSE Tumbleweed:libfrrospfapiclient0-8.4-8.1 openSUSE Tumbleweed:libfrrsnmp0-8.4-8.1 openSUSE Tumbleweed:libfrrzmq0-8.4-8.1 openSUSE Tumbleweed:libmlag_pb0-8.4-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-38406.html CVE-2023-38406 https://bugzilla.suse.com/1216900 SUSE Bug 1216900 bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond the end of the stream during labeled unicast parsing. CVE-2023-38407 openSUSE Tumbleweed:frr-8.4-8.1 openSUSE Tumbleweed:frr-devel-8.4-8.1 openSUSE Tumbleweed:libfrr0-8.4-8.1 openSUSE Tumbleweed:libfrr_pb0-8.4-8.1 openSUSE Tumbleweed:libfrrcares0-8.4-8.1 openSUSE Tumbleweed:libfrrfpm_pb0-8.4-8.1 openSUSE Tumbleweed:libfrrospfapiclient0-8.4-8.1 openSUSE Tumbleweed:libfrrsnmp0-8.4-8.1 openSUSE Tumbleweed:libfrrzmq0-8.4-8.1 openSUSE Tumbleweed:libmlag_pb0-8.4-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-38407.html CVE-2023-38407 https://bugzilla.suse.com/1216899 SUSE Bug 1216899 An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when processing a crafted BGP UPDATE message with a MP_UNREACH_NLRI attribute and additional NLRI data (that lacks mandatory path attributes). CVE-2023-47234 openSUSE Tumbleweed:frr-8.4-8.1 openSUSE Tumbleweed:frr-devel-8.4-8.1 openSUSE Tumbleweed:libfrr0-8.4-8.1 openSUSE Tumbleweed:libfrr_pb0-8.4-8.1 openSUSE Tumbleweed:libfrrcares0-8.4-8.1 openSUSE Tumbleweed:libfrrfpm_pb0-8.4-8.1 openSUSE Tumbleweed:libfrrospfapiclient0-8.4-8.1 openSUSE Tumbleweed:libfrrsnmp0-8.4-8.1 openSUSE Tumbleweed:libfrrzmq0-8.4-8.1 openSUSE Tumbleweed:libmlag_pb0-8.4-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-47234.html CVE-2023-47234 https://bugzilla.suse.com/1216897 SUSE Bug 1216897 An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when a malformed BGP UPDATE message with an EOR is processed, because the presence of EOR does not lead to a treat-as-withdraw outcome. CVE-2023-47235 openSUSE Tumbleweed:frr-8.4-8.1 openSUSE Tumbleweed:frr-devel-8.4-8.1 openSUSE Tumbleweed:libfrr0-8.4-8.1 openSUSE Tumbleweed:libfrr_pb0-8.4-8.1 openSUSE Tumbleweed:libfrrcares0-8.4-8.1 openSUSE Tumbleweed:libfrrfpm_pb0-8.4-8.1 openSUSE Tumbleweed:libfrrospfapiclient0-8.4-8.1 openSUSE Tumbleweed:libfrrsnmp0-8.4-8.1 openSUSE Tumbleweed:libfrrzmq0-8.4-8.1 openSUSE Tumbleweed:libmlag_pb0-8.4-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-47235.html CVE-2023-47235 https://bugzilla.suse.com/1216896 SUSE Bug 1216896