Security Advisory: quagga security update

Advisory: RHSA-2003:315-08
Type: Security Advisory
Severity: Low
Issued on: 2003-11-12
Last updated on: 2003-11-12
Affected Products: Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
OVAL: N/A
CVEs (cve.mitre.org): CVE-2003-0858

Details

Updated Quagga packages that close a locally-exploitable denial of service
vulnerability are now available.

Quagga is an open source implementation of TCP/IP routing software.

Herbert Xu reported that Quagga can accept spoofed messages sent on the
kernel netlink interface by other users on the local machine. This could
lead to a local denial of service attack. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0858 to
this issue.

Users of Quagga should upgrade to these erratum packages, which contain a
patch that checks that netlink messages actually came from the kernel.
This erratum also includes quagga-devel and quagga-contrib packages which
were not originally shipped with Red Hat Enterprise Linux 3.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate. The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

Updated packages

Red Hat Enterprise Linux AS (v. 3)

SRPMS:
quagga-0.96.2-8.3E.src.rpm
File outdated by:  RHSA-2007:0389
    7b6d7f1e620a945f3ad2cc9d0272c2e5
 
IA-32:
quagga-0.96.2-8.3E.i386.rpm
File outdated by:  RHSA-2007:0389
    29fbab71e8be4d1f12828a3f09d3079a
quagga-contrib-0.96.2-8.3E.i386.rpm     e1850ff3c426c5adbee7b9daed05fa7d
quagga-devel-0.96.2-8.3E.i386.rpm     29f6979400740fc676313b5a7ff2f528
 
IA-64:
quagga-0.96.2-8.3E.ia64.rpm
File outdated by:  RHSA-2007:0389
    a5a38b71b7369a64c620b662856ed233
quagga-contrib-0.96.2-8.3E.ia64.rpm     54b463229d9dc19654a64e6fca39dd0e
quagga-devel-0.96.2-8.3E.ia64.rpm     de01073379e50fcffe14fca6be8107ae
 
PPC:
quagga-0.96.2-8.3E.ppc.rpm
File outdated by:  RHSA-2007:0389
    3795a1a570f61963f95804f8ba89cad2
quagga-0.96.2-8.3E.ppc64.rpm     abd86a8c13d84deb4ba88d90528239fa
quagga-contrib-0.96.2-8.3E.ppc.rpm     41a680b4c7aee2055d077695051afae7
quagga-contrib-0.96.2-8.3E.ppc64.rpm     0985d15ecb7484cc307fe0b9f9395615
quagga-devel-0.96.2-8.3E.ppc.rpm     24df06dcdef6b87eda26b9a3db30a200
quagga-devel-0.96.2-8.3E.ppc64.rpm     efc168b6761fc5014d8ba29db160d17a
 
s390:
quagga-0.96.2-8.3E.s390.rpm
File outdated by:  RHSA-2007:0389
    2dda9c6fdc0fe959d0821507263c970f
quagga-contrib-0.96.2-8.3E.s390.rpm     d93a6b749c77d1a1db40a700ae383992
quagga-devel-0.96.2-8.3E.s390.rpm     7edfe6c78c128a05bf090c280dc310db
 
s390x:
quagga-0.96.2-8.3E.s390x.rpm
File outdated by:  RHSA-2007:0389
    9f4e3535bc22000340d7ba454569ab6f
quagga-contrib-0.96.2-8.3E.s390x.rpm     81f10f7576ae226817a70741f3d74b5f
quagga-devel-0.96.2-8.3E.s390x.rpm     6ae089c74f01cf8b19d8263221f2c776
 
x86_64:
quagga-0.96.2-8.3E.x86_64.rpm
File outdated by:  RHSA-2007:0389
    069c38a1b4909773ed3484159bef7be9
quagga-contrib-0.96.2-8.3E.x86_64.rpm     52886c92bf6fa892cedb8020f0bb55be
quagga-devel-0.96.2-8.3E.x86_64.rpm     47aea8546e07f8b6ddb00b8451bca386
 
Red Hat Enterprise Linux ES (v. 3)

SRPMS:
quagga-0.96.2-8.3E.src.rpm
File outdated by:  RHSA-2007:0389
    7b6d7f1e620a945f3ad2cc9d0272c2e5
 
IA-32:
quagga-0.96.2-8.3E.i386.rpm
File outdated by:  RHSA-2007:0389
    29fbab71e8be4d1f12828a3f09d3079a
quagga-contrib-0.96.2-8.3E.i386.rpm     e1850ff3c426c5adbee7b9daed05fa7d
quagga-devel-0.96.2-8.3E.i386.rpm     29f6979400740fc676313b5a7ff2f528
 
IA-64:
quagga-0.96.2-8.3E.ia64.rpm
File outdated by:  RHSA-2007:0389
    a5a38b71b7369a64c620b662856ed233
quagga-contrib-0.96.2-8.3E.ia64.rpm     54b463229d9dc19654a64e6fca39dd0e
quagga-devel-0.96.2-8.3E.ia64.rpm     de01073379e50fcffe14fca6be8107ae
 
x86_64:
quagga-0.96.2-8.3E.x86_64.rpm
File outdated by:  RHSA-2007:0389
    069c38a1b4909773ed3484159bef7be9
quagga-contrib-0.96.2-8.3E.x86_64.rpm     52886c92bf6fa892cedb8020f0bb55be
quagga-devel-0.96.2-8.3E.x86_64.rpm     47aea8546e07f8b6ddb00b8451bca386
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

108575 - CAN-2003-0858 Netlink local DoS: quagga


Keywords

DoS


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/