[FRR announce] New Releases of FRR
sharpd at cumulusnetworks.com
Thu Jan 10 17:55:52 EST 2019
We have been assigned CVE-2019-5892 for this issue.
On Wed, Jan 9, 2019 at 8:34 PM Donald Sharp <sharpd at cumulusnetworks.com> wrote:
> All -
> On Monday a research group installed into the global BGP routing table
> a prefix with an attribute type of 0xFF, which is designated as
> experimental by BGP RFCs. FRR had a developmental escape that read
> this attribute incorrectly and caused the BGP peering session to flap.
> If you have compiled FRR with the `--enable-bgp-vnc` option and run
> BGP as a peer on the global routing table you are vulnerable to this
> issue. This issue has been fixed in FRR with this commit:
> We have applied this fix to the stable/3.0 (3.0.4), stable/4.0 (4.0.1),
> stable/5.0 (5.0.2) and stable/6.0 (6.0.2) branches. New releases can be
> found here:
> Snap packaging and the FreeBSD ports have been updated as well. We
> recommend you update your installation of FRR immediately.
> At this point we are applying for a CVE and will announce that
> information when we have it.
> In the near future we plan to implement RFC-7606 to handle this
> situation better in BGP. If you have any questions, please feel free to
> email me, or to open up discussions on the frog alias.
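
The announcement above describes an attribute of type 0xFF being read incorrectly and names RFC 7606 as the planned improvement. As an added example (not FRR's code and not part of the original message), this sketch walks a path-attribute block using the RFC 4271 header layout, steps over unrecognized optional attributes by their declared length, and returns treat-as-withdraw instead of a session error when a length runs past the buffer. The names `walk_attrs`, `is_known`, `enum verdict` and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Attribute flag bits from RFC 4271, section 4.3. */
#define FLAG_OPTIONAL   0x80
#define FLAG_TRANSITIVE 0x40
#define FLAG_PARTIAL    0x20
#define FLAG_EXT_LEN    0x10

enum verdict { ATTRS_OK, TREAT_AS_WITHDRAW, SESSION_ERROR };

/* Constructed samples: ORIGIN followed by optional transitive type 0xFF,
 * then the same 0xFF attribute with a length that overruns the buffer. */
uint8_t sample_ok[]  = { 0x40, 0x01, 0x01, 0x00, 0xC0, 0xFF, 0x04, 1, 2, 3, 4 };
uint8_t sample_bad[] = { 0xC0, 0xFF, 0x08, 1, 2 };

/* Hypothetical "known" set for this sketch: type codes 1..8 only. */
static int is_known(uint8_t type) { return type >= 1 && type <= 8; }

/* Walk one UPDATE's path attributes (buf/len = the Total Path Attribute
 * Length region). Known attributes are not validated here. Unknown optional
 * ones are never interpreted, only skipped; *forwarded counts those that are
 * transitive and would be passed on with the Partial bit set. */
enum verdict walk_attrs(uint8_t *buf, size_t len, unsigned *forwarded)
{
    size_t off = 0;
    *forwarded = 0;
    while (off < len) {
        if (len - off < 3)
            return TREAT_AS_WITHDRAW;        /* truncated attribute header */
        uint8_t flags = buf[off], type = buf[off + 1];
        size_t hdr = (flags & FLAG_EXT_LEN) ? 4 : 3;
        if (len - off < hdr)
            return TREAT_AS_WITHDRAW;
        size_t alen = (hdr == 4) ? ((size_t)buf[off + 2] << 8) | buf[off + 3]
                                 : buf[off + 2];
        if (alen > len - off - hdr)
            return TREAT_AS_WITHDRAW;        /* value overruns the region */
        if (!is_known(type)) {
            if (!(flags & FLAG_OPTIONAL))
                return SESSION_ERROR;        /* RFC 4271: unrecognized well-known */
            if (flags & FLAG_TRANSITIVE) {
                buf[off] |= FLAG_PARTIAL;    /* mark as not understood here */
                (*forwarded)++;
            }
        }
        off += hdr + alen;                   /* advance by declared length only */
    }
    return ATTRS_OK;
}
```
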