Bugzilla – Bug 1214739
VUL-0: CVE-2023-41360: frr,quagga: bgpd/bgp_packet.c can read the initial byte of the ORF header in an ahead-of-stream situation
Last modified: 2024-04-18 12:22:26 UTC
CVE-2023-41360 An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c can read the initial byte of the ORF header in an ahead-of-stream situation. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-41360 https://www.cve.org/CVERecord?id=CVE-2023-41360 https://github.com/FRRouting/frr/pull/14245
I think the issue was introduced with this commit: https://github.com/opensourcerouting/frr/commit/f1aa49293a4a8302b70989aaa9ceb715385c3a7e Since the introducing commit is there since frr version 8.4, I will track this as affected: - SUSE:SLE-15-SP5:Update/frr 8.4 Not affected: - SUSE:SLE-11-SP1:Update/quagga 0.99.15 - SUSE:SLE-12-SP2:Update/quagga 1.1.1 - SUSE:SLE-15-SP3:Update/frr 7.4 - SUSE:SLE-15-SP4:Update/quagga 1.1.1 - SUSE:SLE-15:Update/quagga 1.1.1 Please let me know if you have any concerns, thanks :)
SUSE-SU-2023:3709-1: An update that solves five vulnerabilities can now be installed. Category: security (important) Bug References: 1213284, 1213434, 1214735, 1214739, 1215065 CVE References: CVE-2023-3748, CVE-2023-38802, CVE-2023-41358, CVE-2023-41360, CVE-2023-41909 Sources used: openSUSE Leap 15.5 (src): frr-8.4-150500.4.8.1 Server Applications Module 15-SP5 (src): frr-8.4-150500.4.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
closed