Bugzilla – Bug 1213284
VUL-0: CVE-2023-38802: quagga,frr: bad length handling in BGP attribute handling
Last modified: 2024-04-18 08:39:51 UTC
CRD: 2023-08-28
CRD: unknown
FRR attempts to handle bad attributes using RFC 7606 behaviour. However the fuzzer discovered that a corrupted attribute 23 (Tunnel Encapsulation) will cause a session to go down regardless. References https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling https://github.com/FRRouting/frr/pull/14290 https://github.com/FRRouting/frr/issues/14289
SUSE-SU-2023:3709-1: An update that solves five vulnerabilities can now be installed. Category: security (important) Bug References: 1213284, 1213434, 1214735, 1214739, 1215065 CVE References: CVE-2023-3748, CVE-2023-38802, CVE-2023-41358, CVE-2023-41360, CVE-2023-41909 Sources used: openSUSE Leap 15.5 (src): frr-8.4-150500.4.8.1 Server Applications Module 15-SP5 (src): frr-8.4-150500.4.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3762-1: An update that solves three vulnerabilities can now be installed. Category: security (important) Bug References: 1213284, 1214735, 1215065 CVE References: CVE-2023-38802, CVE-2023-41358, CVE-2023-41909 Sources used: SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): frr-7.4-150300.4.17.1 SUSE Manager Proxy 4.2 (src): frr-7.4-150300.4.17.1 SUSE Manager Retail Branch Server 4.2 (src): frr-7.4-150300.4.17.1 SUSE Manager Server 4.2 (src): frr-7.4-150300.4.17.1 SUSE Enterprise Storage 7.1 (src): frr-7.4-150300.4.17.1 openSUSE Leap 15.4 (src): frr-7.4-150300.4.17.1 Server Applications Module 15-SP4 (src): frr-7.4-150300.4.17.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): frr-7.4-150300.4.17.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): frr-7.4-150300.4.17.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): frr-7.4-150300.4.17.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3793-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1213284, 1214735 CVE References: CVE-2023-38802, CVE-2023-41358 Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): quagga-1.1.1-17.10.1 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): quagga-1.1.1-17.10.1 SUSE Linux Enterprise Server 12 SP5 (src): quagga-1.1.1-17.10.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): quagga-1.1.1-17.10.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3839-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1213284, 1214735 CVE References: CVE-2023-38802, CVE-2023-41358 Sources used: openSUSE Leap 15.4 (src): quagga-1.1.1-150400.12.5.1 openSUSE Leap 15.5 (src): quagga-1.1.1-150400.12.5.1 Server Applications Module 15-SP4 (src): quagga-1.1.1-150400.12.5.1 Server Applications Module 15-SP5 (src): quagga-1.1.1-150400.12.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3836-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1213284, 1214735 CVE References: CVE-2023-38802, CVE-2023-41358 Sources used: SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): quagga-1.1.1-150000.4.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): quagga-1.1.1-150000.4.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): quagga-1.1.1-150000.4.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): quagga-1.1.1-150000.4.3.1 SUSE Manager Proxy 4.2 (src): quagga-1.1.1-150000.4.3.1 SUSE Manager Retail Branch Server 4.2 (src): quagga-1.1.1-150000.4.3.1 SUSE Manager Server 4.2 (src): quagga-1.1.1-150000.4.3.1 SUSE Enterprise Storage 7.1 (src): quagga-1.1.1-150000.4.3.1 SUSE CaaS Platform 4.0 (src): quagga-1.1.1-150000.4.3.1 SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): quagga-1.1.1-150000.4.3.1 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): quagga-1.1.1-150000.4.3.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): quagga-1.1.1-150000.4.3.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): quagga-1.1.1-150000.4.3.1 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): quagga-1.1.1-150000.4.3.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): quagga-1.1.1-150000.4.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
released