[FRR announce] New Releases of FRR

Donald Sharp sharpd at cumulusnetworks.com
Thu Jan 10 17:55:52 EST 2019

All -

We have been assigned CVE-2019-5892 for this issue.



On Wed, Jan 9, 2019 at 8:34 PM Donald Sharp <sharpd at cumulusnetworks.com> wrote:
> All -
> On Monday a research group installed into the global BGP routing table
> a prefix with a attribute type of 0xFF, which is designated as
> experimental by BGP RFC's.  FRR had a developmental escape that read
> this attribute incorrectly and caused the bgp peering session to flap.
> If you have compiled FRR with the `--enable-bgp-vnc` option and run
> BGP as a peer on the global routing table you are vulnerable to this
> issue.  This issue has been fixed in FRR with this commit:
> https://github.com/FRRouting/frr/commit/943d595a018e69b550db08cccba1d0778a86705a
> We have applied this fix to the stable/3.0(3.0.4), stable/4.0(4.0.1),
> stable/5.0(5.0.2) and stable/6.0(6.0.2) branches.  New releases can be
> found here:
> https://github.com/FRRouting/frr/releases/tag/frr-3.0.4
> https://github.com/FRRouting/frr/releases/tag/frr-4.0.1
> https://github.com/FRRouting/frr/releases/tag/frr-5.0.2
> https://github.com/FRRouting/frr/releases/tag/frr-6.0.2
> Snap packaging and the FreeBSD ports have been updated as well.  We
> recommend you update your installation of FRR immediately.
> At this point we are applying for a CVE and will announce that
> information when we have it.
> In the near future we plan to implement RFC-7606 to handle this
> situation better in BGP, if you have any questions please feel free to
> email me, or to open up discussions on the frog alias.
> thanks!
> donald

More information about the announce mailing list