Details of VAR-201009-0230

ID

VAR-201009-0230

CVE

CVE-2010-2949

TITLE

Quagga of bgpd Service disruption in (DoS) Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2010-002551

DESCRIPTION

bgpd in Quagga before 0.99.17 does not properly parse AS paths, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unknown AS type in an AS path attribute in a BGP UPDATE message. Quagga is a routing software suite that implements multiple routing protocols on Unix platforms. Quagga's bgpd daemon has a null pointer reference vulnerability when parsing the AS path. The configured BGP peer can send a BGP update request with an unknown AS type causing the daemon to crash. Quagga is prone to a remote denial-of-service vulnerability caused by a NULL-pointer dereference in the Border Gateway Protocol daemon (bgpd). Versions prior to Quagga 0.99.17 are vulnerable. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201202-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Quagga: Multiple vulnerabilities Date: February 21, 2012 Bugs: #334303, #359903, #384651 ID: 201202-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities were found in Quagga, the worst of which leading to remote execution of arbitrary code. Background ========== Quagga is a free routing daemon replacing Zebra supporting RIP, OSPF and BGP. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/quagga < 0.99.20 >= 0.99.20 Description =========== Multiple vulnerabilities have been discovered in Quagga. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Quagga users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/quagga-0.99.20 " References ========== [ 1 ] CVE-2010-1674 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1674 [ 2 ] CVE-2010-1675 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1675 [ 3 ] CVE-2010-2948 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2948 [ 4 ] CVE-2010-2949 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2949 [ 5 ] CVE-2011-3323 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3323 [ 6 ] CVE-2011-3324 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3324 [ 7 ] CVE-2011-3325 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3325 [ 8 ] CVE-2011-3326 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3326 [ 9 ] CVE-2011-3327 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3327 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201202-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-2104-1 security@debian.org http://www.debian.org/security/ Florian Weimer September 06, 2010 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : quagga Vulnerability : several Problem type : remote Debian-specific: no CVE Id(s) : CVE-2010-2948 CVE-2010-2949 Debian Bug : 594262 Several remote vulnerabilities have been discovered in the BGP implementation of Quagga, a routing daemon. In some configurations, such crafted AS paths could be relayed by intermediate BGP routers. In addition, this update contains a reliability fix: Quagga will no longer advertise confederation-related AS paths to non-confederation peers, and reject unexpected confederation-related AS paths by resetting the session with the BGP peer which is advertising them. (Previously, such AS paths would trigger resets of unrelated BGP sessions.) For the stable distribution (lenny), these problems have been fixed in version 0.99.10-1lenny3. For the unstable distribution (sid) and the testing distribution (squeeze), these problems have been fixed in version 0.99.17-1. We recommend that you upgrade your quagga package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10.orig.tar.gz Size/MD5 checksum: 2424191 c7a2d92e1c42214afef9b2e1cd4b5d06 http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3.diff.gz Size/MD5 checksum: 42826 100dbb936b3b0f0d4fb4947bf384d369 http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3.dsc Size/MD5 checksum: 1651 f5b9c26538e9d32008ad0256fe4ad0ed Architecture independent packages: http://security.debian.org/pool/updates/main/q/quagga/quagga-doc_0.99.10-1lenny3_all.deb Size/MD5 checksum: 661354 f843c6f765a48f7e071a52d3c7834d2f alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_alpha.deb Size/MD5 checksum: 1902990 0f85c30d5f719f9c104f5a8977a5d1a0 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_amd64.deb Size/MD5 checksum: 1749952 89a53689c4daf3f0695ea2c21aa93254 arm architecture (ARM) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_arm.deb Size/MD5 checksum: 1449792 3c53e06e4d27ef8cf391533824668b19 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_armel.deb Size/MD5 checksum: 1457202 e52ae364e20ff137c5e0e5f75bfc1ec1 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_hppa.deb Size/MD5 checksum: 1683924 c8172ed22b010569949977f407c282b6 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_i386.deb Size/MD5 checksum: 1608678 e7b5fbd36e4466cdecaca46f1f96642b ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_ia64.deb Size/MD5 checksum: 2256144 75ebe4e12a3e22ef79e5e3dab2d457bf mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_mips.deb Size/MD5 checksum: 1605990 f33ef3d9b31f0da900aba6a20bdd188d mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_mipsel.deb Size/MD5 checksum: 1601240 68ff751ff9c022cc06db8d0d66895a6e powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_powerpc.deb Size/MD5 checksum: 1717802 931505a31bdcc1a7732a9a2e9f295a01 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_s390.deb Size/MD5 checksum: 1794990 7d52667f3f37553256e87b77450dc309 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_sparc.deb Size/MD5 checksum: 1671232 3706818c39b51bb45c58a0cf8fdba202 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJMhUEPAAoJEL97/wQC1SS+dwMH/2tsjv3eQBHu3jvm+jMB7Dr1 6uRIi/1/DgaaRmVSD41quWSYoww374pkwZ5xjUVZqOQY1N6Y34avnwjN7FsSg8no H0Os4uioep8/IKzhse0EyeDZcmm2j8E41j3UZ+aANqWOssGa0MNddj846K3NDw2j dRuKUUy4JK8iRSwBLUaXqydAPI2ZjdXVH0Yy/3l51f2Aerm7N565f1ifUh38C6Y0 IR5BdiA1C6jzV+826VrZaj10cKAPg/Qm31mrNiZMBcVpi2sBJ+zQ8P/G3j7CpEdr sITi5UiULGAp+3cGvtPzZDtBxfkLLpVIpNgRPiSHhA+PTjG60HHvPK43OZkPdSY= =HP/T -----END PGP SIGNATURE----- . Updated packages are available that bring Quagga to version 0.99.17 which provides numerous bugfixes over the previous 0.99.12 version, and also corrects these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2948 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2949 _______________________________________________________________________ Updated Packages: Corporate 4.0: 982061c8bac57d5878a2dbd9747234f4 corporate/4.0/i586/libquagga0-0.99.17-0.1.20060mlcs4.i586.rpm 53b1e909e046539dcfd55f9b1f62e7ea corporate/4.0/i586/libquagga0-devel-0.99.17-0.1.20060mlcs4.i586.rpm 796ef3f10f793f6546ce6a0525082fa5 corporate/4.0/i586/quagga-0.99.17-0.1.20060mlcs4.i586.rpm 423c4032225687b252ddb3887db1f226 corporate/4.0/i586/quagga-contrib-0.99.17-0.1.20060mlcs4.i586.rpm 9f63365fc185a7bdf930a80cb6615c7d corporate/4.0/SRPMS/quagga-0.99.17-0.1.20060mlcs4.src.rpm Corporate 4.0/X86_64: 9b36814efd0751aa81e38baec0d2bae6 corporate/4.0/x86_64/lib64quagga0-0.99.17-0.1.20060mlcs4.x86_64.rpm 64ab6ba845a97236ffd2898e0aef892d corporate/4.0/x86_64/lib64quagga0-devel-0.99.17-0.1.20060mlcs4.x86_64.rpm 7d259ae75e30e1d172e340cc232d1ff2 corporate/4.0/x86_64/quagga-0.99.17-0.1.20060mlcs4.x86_64.rpm 2f3390db2bae0e0d505ec759e0a15232 corporate/4.0/x86_64/quagga-contrib-0.99.17-0.1.20060mlcs4.x86_64.rpm 9f63365fc185a7bdf930a80cb6615c7d corporate/4.0/SRPMS/quagga-0.99.17-0.1.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFMi592mqjQ0CJFipgRAoHFAJ0XDJVqB+SJmOHZ0hrPlMgjTMYeNgCgwxRw AMo+uyGwHeG+uyLmOzKKMOs= =ahfH -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . =========================================================== Ubuntu Security Notice USN-1027-1 December 07, 2010 quagga vulnerabilities CVE-2010-2948, CVE-2010-2949 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 9.10 Ubuntu 10.04 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: quagga 0.99.2-1ubuntu3.7 Ubuntu 8.04 LTS: quagga 0.99.9-2ubuntu1.4 Ubuntu 9.10: quagga 0.99.13-1ubuntu0.1 Ubuntu 10.04 LTS: quagga 0.99.15-1ubuntu0.1 In general, a standard system update will make all the necessary changes. Details follow: It was discovered that Quagga incorrectly handled certain Outbound Route Filtering (ORF) records. The default compiler options for Ubuntu 8.04 LTS and later should reduce the vulnerability to a denial of service. (CVE-2010-2948) It was discovered that Quagga incorrectly parsed certain AS paths

Trust: 2.79

sources: NVD: CVE-2010-2949 // JVNDB: JVNDB-2010-002551 // CNVD: CNVD-2010-1779 // BID: 42642 // PACKETSTORM: 110033 // PACKETSTORM: 93585 // PACKETSTORM: 93746 // PACKETSTORM: 96482

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2010-1779

AFFECTED PRODUCTS

vendor:	quagga	model:	quagga	scope:	eq	version:	0.99.5	Trust: 1.6
vendor:	quagga	model:	quagga	scope:	eq	version:	0.99.7	Trust: 1.6
vendor:	quagga	model:	quagga	scope:	eq	version:	0.99.10	Trust: 1.6
vendor:	quagga	model:	quagga	scope:	eq	version:	0.99.9	Trust: 1.6
vendor:	quagga	model:	quagga	scope:	eq	version:	0.99.11	Trust: 1.6
vendor:	quagga	model:	quagga	scope:	eq	version:	0.99.6	Trust: 1.6
vendor:	quagga	model:	quagga	scope:	eq	version:	0.99.2	Trust: 1.6
vendor:	quagga	model:	quagga	scope:	eq	version:	0.99.3	Trust: 1.6
vendor:	quagga	model:	quagga	scope:	eq	version:	0.99.4	Trust: 1.6
vendor:	quagga	model:	quagga	scope:	eq	version:	0.99.8	Trust: 1.6
vendor:	quagga	model:	quagga	scope:	eq	version:	0.96.1	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.98.2	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.98.6	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.96.4	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.98.0	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.98.1	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.97.0	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.97.4	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.99.12	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.97.1	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	lte	version:	0.99.16	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.95	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.96.5	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.97.2	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.99.13	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.99.14	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.99.15	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.96.3	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.97.3	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.98.3	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.96.2	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.98.4	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.98.5	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.97.5	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.96	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	eq	version:	0.99.1	Trust: 1.0
vendor:	quagga	model:	quagga	scope:	lt	version:	0.99.17	Trust: 0.8
vendor:	red hat	model:	enterprise linux server	scope:	eq	version:	6	Trust: 0.8
vendor:	red hat	model:	enterprise linux workstation	scope:	eq	version:	6	Trust: 0.8
vendor:	quagga	model:	routing software suite	scope:	lt	version:	0.99.17	Trust: 0.6
vendor:	ubuntu	model:	linux sparc	scope:	eq	version:	9.10	Trust: 0.3
vendor:	ubuntu	model:	linux powerpc	scope:	eq	version:	9.10	Trust: 0.3
vendor:	ubuntu	model:	linux lpia	scope:	eq	version:	9.10	Trust: 0.3
vendor:	ubuntu	model:	linux i386	scope:	eq	version:	9.10	Trust: 0.3
vendor:	ubuntu	model:	linux arm	scope:	eq	version:	9.10	Trust: 0.3
vendor:	ubuntu	model:	linux amd64	scope:	eq	version:	9.10	Trust: 0.3
vendor:	ubuntu	model:	linux lts sparc	scope:	eq	version:	8.04	Trust: 0.3
vendor:	ubuntu	model:	linux lts powerpc	scope:	eq	version:	8.04	Trust: 0.3
vendor:	ubuntu	model:	linux lts lpia	scope:	eq	version:	8.04	Trust: 0.3
vendor:	ubuntu	model:	linux lts i386	scope:	eq	version:	8.04	Trust: 0.3
vendor:	ubuntu	model:	linux lts amd64	scope:	eq	version:	8.04	Trust: 0.3
vendor:	ubuntu	model:	linux lts sparc	scope:	eq	version:	6.06	Trust: 0.3
vendor:	ubuntu	model:	linux lts powerpc	scope:	eq	version:	6.06	Trust: 0.3
vendor:	ubuntu	model:	linux lts i386	scope:	eq	version:	6.06	Trust: 0.3
vendor:	ubuntu	model:	linux lts amd64	scope:	eq	version:	6.06	Trust: 0.3
vendor:	ubuntu	model:	linux sparc	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux powerpc	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux i386	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux arm	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux amd64	scope:	eq	version:	10.04	Trust: 0.3
vendor:	suse	model:	linux enterprise server sp2	scope:	eq	version:	10	Trust: 0.3
vendor:	suse	model:	linux enterprise sp1	scope:	eq	version:	11	Trust: 0.3
vendor:	suse	model:	linux enterprise	scope:	eq	version:	11	Trust: 0.3
vendor:	suse	model:	linux enterprise sp3	scope:	eq	version:	10	Trust: 0.3
vendor:	suse	model:	opensuse	scope:	eq	version:	11.3	Trust: 0.3
vendor:	s u s e	model:	opensuse	scope:	eq	version:	11.2	Trust: 0.3
vendor:	s u s e	model:	opensuse	scope:	eq	version:	11.1	Trust: 0.3
vendor:	red	model:	hat enterprise linux workstation optional	scope:	eq	version:	6	Trust: 0.3
vendor:	red	model:	hat enterprise linux workstation	scope:	eq	version:	6	Trust: 0.3
vendor:	red	model:	hat enterprise linux server optional	scope:	eq	version:	6	Trust: 0.3
vendor:	red	model:	hat enterprise linux server	scope:	eq	version:	6	Trust: 0.3
vendor:	quagga	model:	routing software suite	scope:	eq	version:	0.99.16	Trust: 0.3
vendor:	quagga	model:	routing software suite	scope:	eq	version:	0.99.15	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	6.2	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	6	Trust: 0.3
vendor:	mandrakesoft	model:	corporate server x86 64	scope:	eq	version:	4.0	Trust: 0.3
vendor:	mandrakesoft	model:	corporate server	scope:	eq	version:	4.0	Trust: 0.3
vendor:	debian	model:	linux sparc	scope:	eq	version:	5.0	Trust: 0.3
vendor:	debian	model:	linux s/390	scope:	eq	version:	5.0	Trust: 0.3
vendor:	debian	model:	linux powerpc	scope:	eq	version:	5.0	Trust: 0.3
vendor:	debian	model:	linux mipsel	scope:	eq	version:	5.0	Trust: 0.3
vendor:	debian	model:	linux mips	scope:	eq	version:	5.0	Trust: 0.3
vendor:	debian	model:	linux m68k	scope:	eq	version:	5.0	Trust: 0.3
vendor:	debian	model:	linux ia-64	scope:	eq	version:	5.0	Trust: 0.3
vendor:	debian	model:	linux ia-32	scope:	eq	version:	5.0	Trust: 0.3
vendor:	debian	model:	linux hppa	scope:	eq	version:	5.0	Trust: 0.3
vendor:	debian	model:	linux armel	scope:	eq	version:	5.0	Trust: 0.3
vendor:	debian	model:	linux arm	scope:	eq	version:	5.0	Trust: 0.3
vendor:	debian	model:	linux amd64	scope:	eq	version:	5.0	Trust: 0.3
vendor:	debian	model:	linux alpha	scope:	eq	version:	5.0	Trust: 0.3
vendor:	debian	model:	linux	scope:	eq	version:	5.0	Trust: 0.3
vendor:	quagga	model:	routing software suite	scope:	ne	version:	0.99.17	Trust: 0.3

sources: CNVD: CNVD-2010-1779 // BID: 42642 // JVNDB: JVNDB-2010-002551 // CNNVD: CNNVD-201009-094 // NVD: CVE-2010-2949

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2010-2949
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2010-2949
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201009-094
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2010-2949
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

sources: JVNDB: JVNDB-2010-002551 // CNNVD: CNNVD-201009-094 // NVD: CVE-2010-2949

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-Other	Trust: 0.8

sources: JVNDB: JVNDB-2010-002551 // NVD: CVE-2010-2949

THREAT TYPE

remote

Trust: 1.0

sources: PACKETSTORM: 110033 // PACKETSTORM: 93585 // PACKETSTORM: 93746 // PACKETSTORM: 96482 // CNNVD: CNNVD-201009-094

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201009-094

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-002551

PATCH

title:	bgpd: fix handling of AS path data	url:	http://code.quagga.net/?p=quagga.git;a=commit;h=cddb8112b80fa9867156c637d63e6e79eeac67bb	Trust: 0.8
title:	Index of /releases/quagga	url:	http://download.savannah.gnu.org/releases/quagga/	Trust: 0.8
title:	RHSA-2010:0945	url:	https://rhn.redhat.com/errata/RHSA-2010-0945.html	Trust: 0.8
title:	Multiple Denial of Service vulnerabilities in Quagga	url:	https://blogs.oracle.com/sunsecurity/entry/multiple_denial_of_service_vulnerabilities4	Trust: 0.8
title:	Quagga bgpd null pointer reference denial of service patch	url:	https://www.cnvd.org.cn/patchInfo/show/919	Trust: 0.6
title:	quagga-0.99.17.tar	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=34542	Trust: 0.6

sources: CNVD: CNVD-2010-1779 // JVNDB: JVNDB-2010-002551 // CNNVD: CNNVD-201009-094

EXTERNAL IDS

db:	NVD	id:	CVE-2010-2949	Trust: 3.7
db:	SECUNIA	id:	41038	Trust: 3.0
db:	BID	id:	42642	Trust: 2.7
db:	SECUNIA	id:	42446	Trust: 2.4
db:	VUPEN	id:	ADV-2010-3124	Trust: 2.4
db:	VUPEN	id:	ADV-2010-2304	Trust: 1.6
db:	VUPEN	id:	ADV-2010-3097	Trust: 1.6
db:	SECUNIA	id:	48106	Trust: 1.6
db:	SECUNIA	id:	42397	Trust: 1.6
db:	SECUNIA	id:	41238	Trust: 1.6
db:	SECUNIA	id:	42498	Trust: 1.6
db:	OPENWALL	id:	OSS-SECURITY/2010/08/25/4	Trust: 1.6
db:	OPENWALL	id:	OSS-SECURITY/2010/08/24/3	Trust: 1.6
db:	JVNDB	id:	JVNDB-2010-002551	Trust: 0.8
db:	CNVD	id:	CNVD-2010-1779	Trust: 0.6
db:	CNNVD	id:	CNNVD-201009-094	Trust: 0.6
db:	PACKETSTORM	id:	110033	Trust: 0.1
db:	PACKETSTORM	id:	93585	Trust: 0.1
db:	PACKETSTORM	id:	93746	Trust: 0.1
db:	PACKETSTORM	id:	96482	Trust: 0.1

sources: CNVD: CNVD-2010-1779 // BID: 42642 // JVNDB: JVNDB-2010-002551 // PACKETSTORM: 110033 // PACKETSTORM: 93585 // PACKETSTORM: 93746 // PACKETSTORM: 96482 // CNNVD: CNNVD-201009-094 // NVD: CVE-2010-2949

REFERENCES

url:	http://secunia.com/advisories/41038	Trust: 2.4
url:	http://secunia.com/advisories/42446	Trust: 2.4
url:	http://www.securityfocus.com/bid/42642	Trust: 2.4
url:	http://www.vupen.com/english/advisories/2010/3124	Trust: 2.4
url:	https://bugzilla.redhat.com/show_bug.cgi?id=626795	Trust: 1.9
url:	http://security.gentoo.org/glsa/glsa-201202-02.xml	Trust: 1.7
url:	http://www.debian.org/security/2010/dsa-2104	Trust: 1.6
url:	http://secunia.com/advisories/48106	Trust: 1.6
url:	http://www.openwall.com/lists/oss-security/2010/08/25/4	Trust: 1.6
url:	http://secunia.com/advisories/42397	Trust: 1.6
url:	http://www.vupen.com/english/advisories/2010/2304	Trust: 1.6
url:	http://secunia.com/advisories/42498	Trust: 1.6
url:	http://code.quagga.net/?p=quagga.git%3ba=commit%3bh=cddb8112b80fa9867156c637d63e6e79eeac67bb	Trust: 1.6
url:	http://www.vupen.com/english/advisories/2010/3097	Trust: 1.6
url:	http://www.openwall.com/lists/oss-security/2010/08/24/3	Trust: 1.6
url:	http://www.redhat.com/support/errata/rhsa-2010-0945.html	Trust: 1.6
url:	http://www.ubuntu.com/usn/usn-1027-1	Trust: 1.6
url:	http://lists.opensuse.org/opensuse-security-announce/2011-12/msg00009.html	Trust: 1.6
url:	http://secunia.com/advisories/41238	Trust: 1.6
url:	http://www.quagga.net/news2.php?y=2010&m=8&d=19	Trust: 1.6
url:	http://www.mandriva.com/security/advisories?name=mdvsa-2010:174	Trust: 1.6
url:	http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00006.html	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-2949	Trust: 0.9
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-2949	Trust: 0.8
url:	http://secunia.com/advisories/41038/	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2010-2948	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2010-2949	Trust: 0.4
url:	http://permalink.gmane.org/gmane.comp.security.oss.general/3347	Trust: 0.3
url:	http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100	Trust: 0.3
url:	http://www.quagga.net/	Trust: 0.3
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-1674	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2011-3323	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-2949	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2011-3326	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2011-3325	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-3325	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2011-3324	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-3324	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-1675	Trust: 0.1
url:	http://creativecommons.org/licenses/by-sa/2.5	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2011-3327	Trust: 0.1
url:	http://security.gentoo.org/	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-3326	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-3327	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-3323	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-2948	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2010-1675	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2010-1674	Trust: 0.1
url:	https://bugs.gentoo.org.	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_arm.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_s390.deb	Trust: 0.1
url:	http://www.debian.org/security/faq	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3.diff.gz	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_alpha.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_powerpc.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10.orig.tar.gz	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_ia64.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_armel.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/q/quagga/quagga-doc_0.99.10-1lenny3_all.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_hppa.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_amd64.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_mips.deb	Trust: 0.1
url:	http://packages.debian.org/<pkg>	Trust: 0.1
url:	http://security.debian.org/	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_mipsel.deb	Trust: 0.1
url:	http://www.debian.org/security/	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3.dsc	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_i386.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_sparc.deb	Trust: 0.1
url:	http://www.mandriva.com/security/	Trust: 0.1
url:	http://secunia.com/	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-2948	Trust: 0.1
url:	http://www.mandriva.com/security/advisories	Trust: 0.1
url:	http://lists.grok.org.uk/full-disclosure-charter.html	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.1_amd64.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.4_sparc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.1.diff.gz	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.1_powerpc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.1_amd64.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.13.orig.tar.gz	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.13-1ubuntu0.1_all.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.1_lpia.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.1_sparc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.7.diff.gz	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.7_sparc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.7_amd64.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.4_amd64.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.9-2ubuntu1.4_all.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.7_i386.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.1.dsc	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.1_i386.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.15-1ubuntu0.1_all.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.1.diff.gz	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.4_powerpc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.1_i386.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.4.dsc	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2.orig.tar.gz	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.7.dsc	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9.orig.tar.gz	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.2-1ubuntu3.7_all.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.1_armel.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.4_i386.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.1.dsc	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.1_sparc.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.1_armel.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.7_powerpc.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.1_powerpc.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.4_lpia.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.4.diff.gz	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.15.orig.tar.gz	Trust: 0.1

CREDITS

Chris Hall

Trust: 0.9

sources: BID: 42642 // CNNVD: CNNVD-201009-094

SOURCES

db:	CNVD	id:	CNVD-2010-1779
db:	BID	id:	42642
db:	JVNDB	id:	JVNDB-2010-002551
db:	PACKETSTORM	id:	110033
db:	PACKETSTORM	id:	93585
db:	PACKETSTORM	id:	93746
db:	PACKETSTORM	id:	96482
db:	CNNVD	id:	CNNVD-201009-094
db:	NVD	id:	CVE-2010-2949

LAST UPDATE DATE

2024-11-22T19:43:58.044000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2010-1779	date:	2010-09-03T00:00:00
db:	BID	id:	42642	date:	2013-07-18T18:23:00
db:	JVNDB	id:	JVNDB-2010-002551	date:	2012-04-17T00:00:00
db:	CNNVD	id:	CNNVD-201009-094	date:	2023-02-14T00:00:00
db:	NVD	id:	CVE-2010-2949	date:	2023-02-13T04:21:24.037

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2010-1779	date:	2010-09-03T00:00:00
db:	BID	id:	42642	date:	2010-08-24T00:00:00
db:	JVNDB	id:	JVNDB-2010-002551	date:	2010-12-24T00:00:00
db:	PACKETSTORM	id:	110033	date:	2012-02-22T02:10:03
db:	PACKETSTORM	id:	93585	date:	2010-09-08T03:57:17
db:	PACKETSTORM	id:	93746	date:	2010-09-11T19:28:36
db:	PACKETSTORM	id:	96482	date:	2010-12-08T19:17:16
db:	CNNVD	id:	CNNVD-201009-094	date:	2010-08-24T00:00:00
db:	NVD	id:	CVE-2010-2949	date:	2010-09-10T19:00:02.597