git-vuln-finder-quagga.json
1493 lines (1493 loc) · 96.5 KB
{
"cbffa53cc0454bcc4ab95d9363b13fb8c68301d4": {
"message": "doc/security: Security announcements for 4 issues\n\n* doc/security/Quagga-2018-0543.txt: attr_endp used for NOTIFY data\n* doc/security/Quagga-2018-1114.txt: bgpd double free\n* doc/security/Quagga-2018-1550.txt: debug overrun in notify lookup tables\n* doc/security/Quagga-2018-1975.txt: BGP capability inf. loop\n",
"language": "en",
"commit-id": "cbffa53cc0454bcc4ab95d9363b13fb8c68301d4",
"summary": "doc/security: Security announcements for 4 issues",
"stats": {
"insertions": 257,
"deletions": 0,
"lines": 257,
"files": 5
},
"author": "Paul Jakma",
"author-email": "paul@jakma.org",
"authored_date": 1516554152,
"committed_date": 1517758950,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"security"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/cbffa53cc0454bcc4ab95d9363b13fb8c68301d4",
"tags": [],
"state": "under-review"
},
"f080b436bbddf8d28dd991c967dcac5288272522": {
"message": "doc/security: Add a doc/security folder and template for announcements\n\n* doc/security: New folder to store Quagga security announcements,\n where they can be revision controlled.\n* doc/security/template.txt: Template for announcements\n",
"language": "en",
"commit-id": "f080b436bbddf8d28dd991c967dcac5288272522",
"summary": "doc/security: Add a doc/security folder and template for announcements",
"stats": {
"insertions": 39,
"deletions": 0,
"lines": 39,
"files": 1
},
"author": "Paul Jakma",
"author-email": "paul@jakma.org",
"authored_date": 1516554078,
"committed_date": 1517758950,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"security"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/f080b436bbddf8d28dd991c967dcac5288272522",
"tags": [],
"state": "under-review"
},
"9e5251151894aefdf8e9392a2371615222119ad8": {
"message": "bgpd/security: debug print of received NOTIFY data can over-read msg array\n\nSecurity issue: Quagga-2018-1550\nSee: https://www.quagga.net/security/Quagga-2018-1550.txt\n\n* bgpd/bgp_debug.c: (struct message) Nearly every one of the NOTIFY\n code/subcode message arrays has their corresponding size variables off\n by one, as most have 1 as first index.\n\n This means (bgp_notify_print) can cause mes_lookup to overread the (struct\n message) by 1 pointer value if given an unknown index.\n\n Fix the bgp_notify_..._msg_max variables to use the compiler to calculate\n the correct sizes.\n",
"language": "en",
"commit-id": "9e5251151894aefdf8e9392a2371615222119ad8",
"summary": "bgpd/security: debug print of received NOTIFY data can over-read msg array",
"stats": {
"insertions": 12,
"deletions": 9,
"lines": 21,
"files": 1
},
"author": "Paul Jakma",
"author-email": "paul@jakma.org",
"authored_date": 1515277912,
"committed_date": 1517742933,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"security"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/9e5251151894aefdf8e9392a2371615222119ad8",
"tags": [],
"state": "under-review"
},
"ce07207c50a3d1f05d6dd49b5294282e59749787": {
"message": "bgpd/security: fix infinite loop on certain invalid OPEN messages\n\nSecurity issue: Quagga-2018-1975\nSee: https://www.quagga.net/security/Quagga-2018-1975.txt\n\n* bgpd/bgp_packet.c: (bgp_capability_msg_parse) capability parser can infinite\n loop due to checks that issue 'continue' without bumping the input\n pointer.\n",
"language": "en",
"commit-id": "ce07207c50a3d1f05d6dd49b5294282e59749787",
"summary": "bgpd/security: fix infinite loop on certain invalid OPEN messages",
"stats": {
"insertions": 2,
"deletions": 2,
"lines": 4,
"files": 1
},
"author": "Paul Jakma",
"author-email": "paul@jakma.org",
"authored_date": 1515273651,
"committed_date": 1517742928,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"security"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/ce07207c50a3d1f05d6dd49b5294282e59749787",
"tags": [],
"state": "under-review"
},
"e69b535f92eafb599329bf725d9b4c6fd5d7fded": {
"message": "bgpd/security: Fix double free of unknown attribute\n\nSecurity issue: Quagga-2018-1114\nSee: https://www.quagga.net/security/Quagga-2018-1114.txt\n\nIt is possible for bgpd to double-free an unknown attribute. This can happen\nvia bgp_update_receive receiving an UPDATE with an invalid unknown attribute.\nbgp_update_receive then will call bgp_attr_unintern_sub and bgp_attr_flush,\nand the latter may try free an already freed unknown attr.\n\n* bgpd/bgp_attr.c: (transit_unintern) Take a pointer to the caller's storage\n for the (struct transit *), so that transit_unintern can NULL out the\n caller's reference if the (struct transit) is freed.\n (cluster_unintern) By inspection, appears to have a similar issue.\n (bgp_attr_unintern_sub) adjust for above.\n",
"language": "en",
"commit-id": "e69b535f92eafb599329bf725d9b4c6fd5d7fded",
"summary": "bgpd/security: Fix double free of unknown attribute",
"stats": {
"insertions": 21,
"deletions": 16,
"lines": 37,
"files": 2
},
"author": "Paul Jakma",
"author-email": "paul@jakma.org",
"authored_date": 1515268330,
"committed_date": 1517742615,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"security"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/e69b535f92eafb599329bf725d9b4c6fd5d7fded",
"tags": [],
"state": "under-review"
},
"cc2e6770697e343f4af534114ab7e633d5beabec": {
"message": "bgpd/security: invalid attr length sends NOTIFY with data overrun\n\nSecurity issue: Quagga-2018-0543\n\nSee: https://www.quagga.net/security/Quagga-2018-0543.txt\n\n* bgpd/bgp_attr.c: (bgp_attr_parse) An invalid attribute length is correctly\n checked, and a NOTIFY prepared. The NOTIFY can include the incorrect\n received data with the NOTIFY, for debug purposes. Commit\n c69698704806a9ac5 modified the code to do that just, and also send the\n malformed attr with the NOTIFY. However, the invalid attribute length was\n used as the length of the data to send back.\n\n The result is a read past the end of data, which is then written to the\n NOTIFY message and sent to the peer.\n\n A configured BGP peer can use this bug to read up to 64 KiB of memory from\n the bgpd process, or crash the process if the invalid read is caught by\n some means (unmapped page and SEGV, or other mechanism) resulting in a DoS.\n\n This bug _ought_ /not/ be exploitable by anything other than the connected\n BGP peer, assuming the underlying TCP transport is secure. For no BGP\n peer should send on an UPDATE with this attribute. Quagga will not, as\n Quagga always validates the attr header length, regardless of type.\n\n However, it is possible that there are BGP implementations that do not\n check lengths on some attributes (e.g. optional/transitive ones of a type\n they do not recognise), and might pass such malformed attrs on. If such\n implementations exists and are common, then this bug might be triggerable\n by BGP speakers further hops away. Those peers will not receive the\n NOTIFY (unless they sit on a shared medium), however they might then be\n able to trigger a DoS.\n\n Fix: use the valid bound to calculate the length.\n",
"language": "en",
"commit-id": "cc2e6770697e343f4af534114ab7e633d5beabec",
"summary": "bgpd/security: invalid attr length sends NOTIFY with data overrun",
"stats": {
"insertions": 3,
"deletions": 1,
"lines": 4,
"files": 1
},
"author": "Paul Jakma",
"author-email": "paul@jakma.org",
"authored_date": 1515023853,
"committed_date": 1517742611,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"security"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/cc2e6770697e343f4af534114ab7e633d5beabec",
"tags": [],
"state": "under-review"
},
"69f8d5df72b6bd9c39c3a262ae0ed07f2cd566e9": {
"message": "configure: Add commonly used GCC security flags\n",
"language": "en",
"commit-id": "69f8d5df72b6bd9c39c3a262ae0ed07f2cd566e9",
"summary": "configure: Add commonly used GCC security flags",
"stats": {
"insertions": 4,
"deletions": 0,
"lines": 4,
"files": 1
},
"author": "Paul Jakma",
"author-email": "paul@jakma.org",
"authored_date": 1488993358,
"committed_date": 1489082635,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"security"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/69f8d5df72b6bd9c39c3a262ae0ed07f2cd566e9",
"tags": [],
"state": "under-review"
},
"e3443a21552b6a3cd6ebdbb98336eede217a478f": {
"message": "bgpd: simplify ebgp-multihop and ttl-security handling\n\nChange to track configured value in ->ttl and ->gtsm_hops;\nnot the value set to sockopt. Instead, setting of socket's ttl\nand minttl options are now merged to one function which calculates\nit on demand. This greatly simplifies the code.\n",
"language": "en",
"commit-id": "e3443a21552b6a3cd6ebdbb98336eede217a478f",
"summary": "bgpd: simplify ebgp-multihop and ttl-security handling",
"stats": {
"insertions": 95,
"deletions": 253,
"lines": 348,
"files": 8
},
"author": "Timo Teräs",
"author-email": "timo.teras@iki.fi",
"authored_date": 1476882154,
"committed_date": 1485197511,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"security"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/e3443a21552b6a3cd6ebdbb98336eede217a478f",
"tags": [],
"state": "under-review"
},
"f5a4488a0dda521f19e96f2615f4a8b134c5878b": {
"message": "vtysh: Fix, guard against NULL pointer dereference\n\ngetpwuid() may fail returning a null value leaving subsequent\ncode vulnerable to a null pointer dereference.\n\nTested-by: NetDEF CI System <cisystem@netdef.org>\n",
"language": "en",
"commit-id": "f5a4488a0dda521f19e96f2615f4a8b134c5878b",
"summary": "vtysh: Fix, guard against NULL pointer dereference",
"stats": {
"insertions": 5,
"deletions": 1,
"lines": 6,
"files": 1
},
"author": "Jafar Al-Gharaibeh",
"author-email": "jafar@atcorp.com",
"authored_date": 1470093278,
"committed_date": 1485192051,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"vuln"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/f5a4488a0dda521f19e96f2615f4a8b134c5878b",
"tags": [],
"state": "under-review"
},
"cfb1fae25f8c092e0d17073eaf7bd428ce1cd546": {
"message": "zebra: stack overrun in IPv6 RA receive code (CVE-2016-1245)\n\nThe IPv6 RA code also receives ICMPv6 RS and RA messages.\nUnfortunately, by bad coding practice, the buffer size specified on\nreceiving such messages mixed up 2 constants that in fact have\ndifferent values.\n\nThe code itself has:\n #define RTADV_MSG_SIZE 4096\nWhile BUFSIZ is system-dependent, in my case (x86_64 glibc):\n /usr/include/_G_config.h:#define _G_BUFSIZ 8192\n /usr/include/libio.h:#define _IO_BUFSIZ _G_BUFSIZ\n /usr/include/stdio.h:# define BUFSIZ _IO_BUFSIZ\n\nFreeBSD, OpenBSD, NetBSD and Illumos are not affected, since all of them\nhave BUFSIZ == 1024.\n\nAs the latter is passed to the kernel on recvmsg(), it's possible to\noverwrite 4kB of stack -- with ICMPv6 packets that can be globally sent\nto any of the system's addresses (using fragmentation to get to 8k).\n\n(The socket has filters installed limiting this to RS and RA packets,\nbut does not have a filter for source address or TTL.)\n\nIssue discovered by trying to test other stuff, which randomly caused\nthe stack to be smaller than 8kB in that code location, which then\ncauses the kernel to report EFAULT (Bad address).\n\nSigned-off-by: David Lamparter <equinox@opensourcerouting.org>\nReviewed-by: Donald Sharp <sharpd@cumulusnetworks.com>\n",
"language": "en",
"commit-id": "cfb1fae25f8c092e0d17073eaf7bd428ce1cd546",
"summary": "zebra: stack overrun in IPv6 RA receive code (CVE-2016-1245)",
"stats": {
"insertions": 1,
"deletions": 1,
"lines": 2,
"files": 1
},
"author": "David Lamparter",
"author-email": "equinox@opensourcerouting.org",
"authored_date": 1472643076,
"committed_date": 1476722496,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"CVE"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546",
"tags": [],
"cve": [
"CVE-2016-1245"
],
"state": "cve-assigned"
},
"2db962760426ddb9e266f9a4bc0b274584c819cc": {
"message": "lib: zclient can overflow (struct interface) hw_addr if zebra is evil\n\n* lib/zclient.c: (zebra_interface_if_set_value) The hw_addr_len field\n is used as trusted input to read off the hw_addr and write to the\n INTERFACE_HWADDR_MAX sized hw_addr field. The read from the stream is\n bounds-checked by the stream abstraction, however the write out to the\n heap can not be.\n\n Tighten the supplied length to stream_get used to do the write.\n\n Impact: a malicious zebra can overflow the heap of clients using the ZServ\n IPC. Note that zebra is already fairly trusted within Quagga.\n\nReported-by: Kostya Kortchinsky <kostyak@google.com>\n",
"language": "en",
"commit-id": "2db962760426ddb9e266f9a4bc0b274584c819cc",
"summary": "lib: zclient can overflow (struct interface) hw_addr if zebra is evil",
"stats": {
"insertions": 1,
"deletions": 1,
"lines": 2,
"files": 1
},
"author": "Paul Jakma",
"author-email": "paul.jakma@hpe.com",
"authored_date": 1454942788,
"committed_date": 1457459602,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"malicious"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/2db962760426ddb9e266f9a4bc0b274584c819cc",
"tags": [],
"state": "under-review"
},
"a3bc7e9400b214a0f078fdb19596ba54214a1442": {
"message": "bgpd: Fix VU#270232, VPNv4 NLRI parser memcpys to stack on unchecked length\n\nAddress CERT vulnerability report VU#270232, memcpy to stack data structure\nbased on length field from packet data whose length field upper-bound was\nnot properly checked.\n\nThis likely allows BGP peers that are enabled to send Labeled-VPN SAFI\nroutes to Quagga bgpd to remotely exploit Quagga bgpd.\n\nMitigation: Do not enable Labeled-VPN SAFI with untrusted neighbours.\n\nImpact: Labeled-VPN SAFI is not enabled by default.\n\n* bgp_mplsvpn.c: (bgp_nlri_parse_vpnv4) The prefixlen is checked for\n lower-bound, but not for upper-bound against received data length.\n The packet data is then memcpy'd to the stack based on the prefixlen.\n\n Extend the prefixlen check to ensure it is within the bound of the NLRI\n packet data AND the on-stack prefix structure AND the maximum size for the\n address family.\n\nReported-by: Kostya Kortchinsky <kostyak@google.com>\n\nThis commit a joint effort between:\n\nLou Berger <lberger@labn.net>\nDonald Sharp <sharpd@cumulusnetworks.com>\nPaul Jakma <paul.jakma@hpe.com> / <paul@jakma.org>\n",
"language": "en",
"commit-id": "a3bc7e9400b214a0f078fdb19596ba54214a1442",
"summary": "bgpd: Fix VU#270232, VPNv4 NLRI parser memcpys to stack on unchecked length",
"stats": {
"insertions": 36,
"deletions": 16,
"lines": 52,
"files": 1
},
"author": "Donald Sharp",
"author-email": "sharpd@cumulusnetworks.com",
"authored_date": 1453913685,
"committed_date": 1455116527,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"vuln"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/a3bc7e9400b214a0f078fdb19596ba54214a1442",
"tags": [],
"state": "under-review"
},
"75a3cf6cf69f6ab940f8421b0f79b2b1f689b904": {
"message": "solaris: fix SMF manifest dependency model and start method\n\nResolves an issue where quagga daemons restart in an infinite loop.\nQuagga daemons declare a dependency on zebra that requires a restart\nof the daemon when zebra restarts and they explicitly restart zebra,\nwhich again triggers their own restart.\n\nRestarting zebra when other daemons are started is explicitly removed,\nleaving dependency management up to SMF rather than handling it in the\nstart method.\n\nsolaris/quagga.init.in: Remove calls to routeadm_zebra_enable, and the\n routeadm_zebra_enable function.\nsolaris/quagga.xml.in: Set dependency zebra grouping to require_all.\n\nFixes: #818\nSigned-off-by: Greg Troxel <gdt@ir.bbn.com>\nSigned-off-by: David Lamparter <equinox@opensourcerouting.org>\n",
"language": "en",
"commit-id": "75a3cf6cf69f6ab940f8421b0f79b2b1f689b904",
"summary": "solaris: fix SMF manifest dependency model and start method",
"stats": {
"insertions": 7,
"deletions": 31,
"lines": 38,
"files": 2
},
"author": "Brian Bennett",
"author-email": "brian.bennett@joyent.com",
"authored_date": 1424215572,
"committed_date": 1425276045,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"infinite loop"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/75a3cf6cf69f6ab940f8421b0f79b2b1f689b904",
"tags": [],
"state": "under-review"
},
"5d804b439a4138c77f81de30c64f923e2b5c1340": {
"message": "bgpd: support TTL-security with iBGP\n\nTraditionally, ttl-security feature has been associated with EBGP\nsessions as those identify directly connected external peers. The\nGTSM RFC (rfc 5082) does not make any restrictions on type of\npeering. In fact, it is beneficial to support ttl-security for both\nEBGP and IBGP sessions. Specifically, in data centers, there are\ndirectly connected IBGP peerings that will benefit from the protection\nttl-security provides.\n\nSigned-off-by: Dinesh G Dutt <ddutt@cumulusnetworks.com>\nReviewed-by: Pradosh Mohapatra <pmohapat@cumulusnetworks.com>\n[DL: function refactoring split out into previous 2 patches. changes:\n - bgp_set_socket_ttl(): ret type int -> void\n - is_ebgp_multihop_configured(): stripped peer == NULL check\n - comments/whitespace]\nSigned-off-by: David Lamparter <equinox@opensourcerouting.org>\n",
"language": "en",
"commit-id": "5d804b439a4138c77f81de30c64f923e2b5c1340",
"summary": "bgpd: support TTL-security with iBGP",
"stats": {
"insertions": 62,
"deletions": 26,
"lines": 88,
"files": 4
},
"author": "Pradosh Mohapatra",
"author-email": "pmohapat@cumulusnetworks.com",
"authored_date": 1378957027,
"committed_date": 1400534746,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"security"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/5d804b439a4138c77f81de30c64f923e2b5c1340",
"tags": [],
"state": "under-review"
},
"8da8689d91a6436c17aca5000b1426aaea47e23c": {
"message": "bgpd: fix fast external fallover behavior\n\nISSUES\n\n1. When an interface goes down, the zclient callbacks are invoked\n in the following order: (a) address_delete() that removes the\n connected address list: ifp->connected, (b) interface_down()\n that performs \"fast external fallover\" operation. The operation\n relies on ifp->connected to look for peers that should be brought\n down. That's a cyclic dependency.\n\n2. 'ttl-security' configuration handler sets peer->ttl to\n MAXTTL (so that BGP packets are sent with TTL=255, as per the\n requirement of ttl-security). This, however, is incompatible\n with 'fast external fallover' as the fallover operation checks\n for (ttl == 1) to determine directly connected peers.\n\n3. The current fallover operation does not work for IPv6 address family.\n\nPATCH\n\n1. The patch removes the dependency on 'ifp->connected' list for fast\n fallover. The peer already contains a nexthop structure that reflects\n the peering address. The nexthop structure has a pointer to the\n interface (ifp) that peering address resolves to. Everytime the TCP\n connection succeeds, the ifp is updated. The patch uses this ifp in\n the interface_down() callback for a match for the peers that should be\n brought down.\n\n2. The evaluation for directly connected peering is enhanced as\n 'peer->ttl == 1' OR 'peer->gtsm_hops == 1'. Thus a ttl-security\n configuration on the peer with one hop is directly connected and\n should be brought down under 'fast external fallover'.\n\n3. Because of fix (1), IPv6 address family works automatically.\n\nSigned-off-by: Pradosh Mohapatra <pmohapat@cumulusnetworks.com>\nReviewed-by: Dinesh G Dutt <ddutt@cumulusnetworks.com>\nSigned-off-by: David Lamparter <equinox@opensourcerouting.org>\n",
"language": "en",
"commit-id": "8da8689d91a6436c17aca5000b1426aaea47e23c",
"summary": "bgpd: fix fast external fallover behavior",
"stats": {
"insertions": 3,
"deletions": 9,
"lines": 12,
"files": 1
},
"author": "Pradosh Mohapatra",
"author-email": "pmohapat@cumulusnetworks.com",
"authored_date": 1378870435,
"committed_date": 1400534739,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"security"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/8da8689d91a6436c17aca5000b1426aaea47e23c",
"tags": [],
"state": "under-review"
},
"a11e012e8661629d665e992e765741a5eaa7d017": {
"message": "security: Fix some typos and potential NULL-deref\n\nThis patch against the git tree fixes minor typos, some of them possibily\nleading to NULL-pointer dereference in rare conditions.\n\nSigned-off-by: Remi Gacogne <rgacogne-github@coredump.fr>\nSigned-off-by: Joachim Nilsson <troglobit@gmail.com>\nAcked-by: Feng Lu <lu.feng@6wind.com>\n",
"language": "en",
"commit-id": "a11e012e8661629d665e992e765741a5eaa7d017",
"summary": "security: Fix some typos and potential NULL-deref",
"stats": {
"insertions": 8,
"deletions": 4,
"lines": 12,
"files": 5
},
"author": "Remi Gacogne",
"author-email": "rgacogne-github@coredump.fr",
"authored_date": 1378648114,
"committed_date": 1392110883,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"security"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/a11e012e8661629d665e992e765741a5eaa7d017",
"tags": [],
"state": "under-review"
},
"23cd8fb7133befdb84b3a918f7b2f6147161ac6e": {
"message": "ospfd: protect vs. VU#229804 (malformed Router-LSA)\n\nVU#229804 reports that, by injecting Router LSAs with the Advertising\nRouter ID different from the Link State ID, OSPF implementations can be\ntricked into retaining and using invalid information.\n\nQuagga is not vulnerable to this because it looks up Router LSAs by\n(Router-ID, LS-ID) pair. The relevant code is in ospf_lsa.c l.3140.\nNote the double \"id\" parameter at the end.\n\nStill, we can provide an improvement here by discarding such malformed\nLSAs and providing a warning to the administrator. While we cannot\nprevent such malformed LSAs from entering the OSPF domain, we can\ncertainly try to limit their distribution.\n\ncf. http://www.kb.cert.org/vuls/id/229804 for the vulnerability report.\nThis issue is a specification issue in the OSPF protocol that was\ndiscovered by Dr. Gabi Nakibly.\n\nReported-by: CERT Coordination Center <cert@cert.org>\nSigned-off-by: David Lamparter <equinox@opensourcerouting.org>\n",
"language": "en",
"commit-id": "23cd8fb7133befdb84b3a918f7b2f6147161ac6e",
"summary": "ospfd: protect vs. VU#229804 (malformed Router-LSA)",
"stats": {
"insertions": 21,
"deletions": 0,
"lines": 21,
"files": 1
},
"author": "David Lamparter",
"author-email": "equinox@diac24.net",
"authored_date": 1375428473,
"committed_date": 1375785706,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"vuln"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/23cd8fb7133befdb84b3a918f7b2f6147161ac6e",
"tags": [],
"state": "under-review"
},
"c423d413e464913ee88c1ee700e2c4037e6bdb24": {
"message": "lib: unconditionally include stddef.h\n\nI've used offsetof() in the previous commit to paper over the security\nproblems in ospf_api.c. This blows the build on FreeBSD 7.0, missing\noffsetof(). Let's add that to zebra's generally used includes.\n\nstddef.h (and offsetof) is defined in C89 section 4.1.5 (and not\ndeprecated/removed by any later standard). If this causes problems, the\nbug report should go against the host OS/compiler...\n\nSigned-off-by: David Lamparter <equinox@opensourcerouting.org>\n",
"language": "en",
"commit-id": "c423d413e464913ee88c1ee700e2c4037e6bdb24",
"summary": "lib: unconditionally include stddef.h",
"stats": {
"insertions": 1,
"deletions": 1,
"lines": 2,
"files": 1
},
"author": "David Lamparter",
"author-email": "equinox@opensourcerouting.org",
"authored_date": 1375191386,
"committed_date": 1375200853,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"security"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/c423d413e464913ee88c1ee700e2c4037e6bdb24",
"tags": [],
"state": "under-review"
},
"c51443f4aa6b7f0b0d6ad5409ad7d4b215092443": {
"message": "ospfd: CVE-2013-2236, stack overrun in apiserver\n\nthe OSPF API-server (exporting the LSDB and allowing announcement of\nOpaque-LSAs) writes past the end of fixed on-stack buffers. This leads\nto an exploitable stack overflow.\n\nFor this condition to occur, the following two conditions must be true:\n- Quagga is configured with --enable-opaque-lsa\n- ospfd is started with the \"-a\" command line option\n\nIf either of these does not hold, the relevant code is not executed and\nthe issue does not get triggered.\n\nSince the issue occurs on receiving large LSAs (larger than 1488 bytes),\nit is possible for this to happen during normal operation of a network.\nIn particular, if there is an OSPF router with a large number of\ninterfaces, the Router-LSA of that router may exceed 1488 bytes and\ntrigger this, leading to an ospfd crash.\n\nFor an attacker to exploit this, s/he must be able to inject valid LSAs\ninto the OSPF domain. Any best-practice protection measure (using\ncrypto authentication, restricting OSPF to internal interfaces, packet\nfiltering protocol 89, etc.) will prevent exploitation. On top of that,\nremote (not on an OSPF-speaking network segment) attackers will have\ndifficulties bringing up the adjacency needed to inject a LSA.\n\nThis patch only performs minimal changes to remove the possibility of a\nstack overrun. The OSPF API in general is quite ugly and needs a\nrewrite.\n\nReported-by: Ricky Charlet <ricky.charlet@hp.com>\nCc: Florian Weimer <fweimer@redhat.com>\nSigned-off-by: David Lamparter <equinox@opensourcerouting.org>\n",
"language": "en",
"commit-id": "c51443f4aa6b7f0b0d6ad5409ad7d4b215092443",
"summary": "ospfd: CVE-2013-2236, stack overrun in apiserver",
"stats": {
"insertions": 18,
"deletions": 7,
"lines": 25,
"files": 1
},
"author": "David Lamparter",
"author-email": "equinox@opensourcerouting.org",
"authored_date": 1373317528,
"committed_date": 1375020790,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"CVE"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/c51443f4aa6b7f0b0d6ad5409ad7d4b215092443",
"tags": [],
"cve": [
"CVE-2013-2236"
],
"state": "cve-assigned"
},
"5e728e929942d39ce5a4ab3d01c33f7b688c4e3f": {
"message": "bgpd: relax ORF capability length handling\n\ncommit fe9bb64... \"bgpd: CVE-2012-1820, DoS in bgp_capability_orf()\"\nmade the length test in bgp_capability_orf_entry() stricter and is now\ncausing us to refuse (with CEASE) ORF capabilities carrying any excess\ndata. This does not conform to the robustness principle as laid out by\nRFC1122 (\"be liberal in what you accept\").\n\nEven worse, RFC5291 is quite unclear on how to use the ORF capability\nwith multiple AFI/SAFIs. It can be interpreted as either \"use one\ninstance, stuff everything in\" but also as \"use multiple instances\".\nSo, if not for applying robustness, we end up clearing sessions from\nimplementations going by the former interpretation. (or if anyone dares\nadd a byte of padding...)\n\nCc: Denis Ovsienko <infrastation@yandex.ru>\nSigned-off-by: David Lamparter <equinox@opensourcerouting.org>\n",
"language": "en",
"commit-id": "5e728e929942d39ce5a4ab3d01c33f7b688c4e3f",
"summary": "bgpd: relax ORF capability length handling",
"stats": {
"insertions": 1,
"deletions": 1,
"lines": 2,
"files": 1
},
"author": "David Lamparter",
"author-email": "equinox@opensourcerouting.org",
"authored_date": 1358916624,
"committed_date": 1359737704,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"CVE"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/5e728e929942d39ce5a4ab3d01c33f7b688c4e3f",
"tags": [],
"cve": [
"CVE-2012-1820"
],
"state": "cve-assigned"
},
"e8aca32f312cbef1cb0b0dd9e87b7e59dc9fa251": {
"message": "isisd: address Coverity warnings\n\nthis fixes a bunch of issues found by Coverity SCAN and flagged as\n\"high\" impact -- although, they're all rather minute issues.\n\n* isisd/isis_adjacency.c: one superfluous check, one possible NULL deref\n* isisd/isis_circuit.c: two prefix memory leaks\n* isisd/isis_csm.c: one missing break\n* isisd/isis_lsp.c: one possible NULL deref\n* isisd/isis_pfpacket.c: one error-case fd leak\n* isisd/isis_route.c: one isis_route_info memory leak\n* isisd/isis_routemap.c: one... fnord\n* isisd/isis_tlv.c: one infinite loop\n\nReported-by: Coverity SCAN\nSigned-off-by: David Lamparter <equinox@opensourcerouting.org>\n",
"language": "en",
"commit-id": "e8aca32f312cbef1cb0b0dd9e87b7e59dc9fa251",
"summary": "isisd: address Coverity warnings",
"stats": {
"insertions": 19,
"deletions": 7,
"lines": 26,
"files": 9
},
"author": "David Lamparter",
"author-email": "equinox@opensourcerouting.org",
"authored_date": 1353978630,
"committed_date": 1355323088,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"infinite loop"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/e8aca32f312cbef1cb0b0dd9e87b7e59dc9fa251",
"tags": [],
"state": "under-review"
},
"fe9bb6459afe0d55e56619cdc5061d8407cd1f15": {
"message": "bgpd: CVE-2012-1820, DoS in bgp_capability_orf()\n\nAn ORF (code 3) capability TLV is defined to contain exactly one\nAFI/SAFI block. Function bgp_capability_orf(), which parses ORF\ncapability TLV, uses do-while cycle to call its helper function\nbgp_capability_orf_entry(), which actually processes the AFI/SAFI data\nblock. The call is made at least once and repeated as long as the input\nbuffer has enough data for the next call.\n\nThe helper function, bgp_capability_orf_entry(), uses \"Number of ORFs\"\nfield of the provided AFI/SAFI block to verify, if it fits the input\nbuffer. However, the check is made based on the total length of the ORF\nTLV regardless of the data already consumed by the previous helper\nfunction call(s). This way, the check condition is only valid for the\nfirst AFI/SAFI block inside an ORF capability TLV.\n\nFor the subsequent calls of the helper function, if any are made, the\ncheck condition may erroneously tell, that the current \"Number of ORFs\"\nfield fits the buffer boundary, where in fact it does not. This makes it\npossible to trigger an assertion by feeding an OPEN message with a\nspecially-crafted malformed ORF capability TLV.\n\nThis commit fixes the vulnerability by making the implementation follow\nthe spec.\n",
"language": "en",
"commit-id": "fe9bb6459afe0d55e56619cdc5061d8407cd1f15",
"summary": "bgpd: CVE-2012-1820, DoS in bgp_capability_orf()",
"stats": {
"insertions": 2,
"deletions": 24,
"lines": 26,
"files": 1
},
"author": "Denis Ovsienko",
"author-email": "infrastation@yandex.ru",
"authored_date": 1334853253,
"committed_date": 1351836435,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"CVE"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/fe9bb6459afe0d55e56619cdc5061d8407cd1f15",
"tags": [],
"cve": [
"CVE-2012-1820"
],
"state": "cve-assigned"
},
"5861739f8c38bc36ea9955e5cb2be2bf2f482d70": {
"message": "bgpd: Open option parse errors don't NOTIFY, resulting in abort & DoS\n\n* bgp_packet.c: (bgp_open_receive) Errors from bgp_open_option_parse are\n detected, and the code will stop processing the OPEN and return. However\n it does so without calling bgp_notify_send to send a NOTIFY - which means\n the peer FSM doesn't get stopped, and bgp_read will be called again later.\n Because it returns, it doesn't go through the code near the end of the\n function that removes the current message from the peer input stream.\n Thus the next call to bgp_read will try to parse a half-parsed stream as\n if it were a new BGP message, leading to an assert later in the code when\n it tries to read stuff that isn't there. Add the required call to\n bgp_notify_send before returning.\n* bgp_open.c: (bgp_capability_as4) Be a bit stricter, check the length field\n corresponds to the only value it can be, which is the amount we're going to\n read off the stream. And make sure the capability flag gets set, so\n callers can know this capability was read, regardless.\n (peek_for_as4_capability) Let bgp_capability_as4 do the length check.\n",
"language": "en",
"commit-id": "5861739f8c38bc36ea9955e5cb2be2bf2f482d70",
"summary": "bgpd: Open option parse errors don't NOTIFY, resulting in abort & DoS",
"stats": {
"insertions": 16,
"deletions": 8,
"lines": 24,
"files": 2
},
"author": "Paul Jakma",
"author-email": "paul@quagga.net",
"authored_date": 1326142766,
"committed_date": 1330905302,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"DoS"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/5861739f8c38bc36ea9955e5cb2be2bf2f482d70",
"tags": [],
"state": "under-review"
},
"70e3ca2ccedca2cae58bd91c968714cad0f9d5d6": {
"message": "ospfd: improve fix to CVE-2011-3326 (BZ#586)\n\nMake ospf_flood() propagate error returned by ospf_lsa_install() further\nto properly discard the malformed LSA, not just prevent the immediate\ncrash.\n",
"language": "en",
"commit-id": "70e3ca2ccedca2cae58bd91c968714cad0f9d5d6",
"summary": "ospfd: improve fix to CVE-2011-3326 (BZ#586)",
"stats": {
"insertions": 1,
"deletions": 1,
"lines": 2,
"files": 1
},
"author": "Thomas Ries",
"author-email": "tries@gmx.net",
"authored_date": 1319723018,
"committed_date": 1321377770,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"CVE"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/70e3ca2ccedca2cae58bd91c968714cad0f9d5d6",
"tags": [],
"cve": [
"CVE-2011-3326"
],
"state": "cve-assigned"
},
"4de148e5d6f6f7885b2c0952a236a3bc3ec36250": {
"message": "ospfd: improve fix to CVE-2011-3326 (BZ#586)\n\nMake ospf_flood() propagate error returned by ospf_lsa_install() further\nto properly discard the malformed LSA, not just prevent the immediate\ncrash.\n",
"language": "en",
"commit-id": "4de148e5d6f6f7885b2c0952a236a3bc3ec36250",
"summary": "ospfd: improve fix to CVE-2011-3326 (BZ#586)",
"stats": {
"insertions": 1,
"deletions": 1,
"lines": 2,
"files": 1
},
"author": "Thomas Ries",
"author-email": "tries@gmx.net",
"authored_date": 1319723018,
"committed_date": 1321375848,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"CVE"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/4de148e5d6f6f7885b2c0952a236a3bc3ec36250",
"tags": [],
"cve": [
"CVE-2011-3326"
],
"state": "cve-assigned"
},
"abc7ef44ca05493500865ce81f7b84f5c4eb6594": {
"message": "ospf6d: CVE-2011-3323 (fortify packet reception)\n\nThis vulnerability (CERT-FI #514840) was reported by CROSS project.\n\nospf6d processes IPv6 prefix structures in incoming packets without\nverifying that the declared prefix length is valid. This leads to a\ncrash\ncaused by out of bounds memory access.\n\n* ospf6_abr.h: new macros for size/alignment validation\n* ospf6_asbr.h: idem\n* ospf6_intra.h: idem\n* ospf6_lsa.h: idem\n* ospf6_message.h: idem\n* ospf6_proto.h: idem\n* ospf6_message.c\n * ospf6_packet_minlen: helper array for ospf6_packet_examin()\n * ospf6_lsa_minlen: helper array for ospf6_lsa_examin()\n * ospf6_hello_recv(): do not call ospf6_header_examin(), let upper\n layer verify the input data\n * ospf6_dbdesc_recv(): idem\n * ospf6_lsreq_recv(): idem\n * ospf6_lsupdate_recv(): idem\n * ospf6_lsack_recv(): idem\n * ospf6_prefixes_examin(): new function, implements A.4.1\n * ospf6_lsa_examin(): new function, implements A.4\n * ospf6_lsaseq_examin(): new function, an interface to above\n * ospf6_packet_examin(): new function, implements A.3\n * ospf6_rxpacket_examin(): new function, replaces\n ospf6_header_examin()\n * ospf6_header_examin(): sayonara\n * ospf6_receive(): perform passive interface check earliest possible,\n employ ospf6_rxpacket_examin()\n",
"language": "en",
"commit-id": "abc7ef44ca05493500865ce81f7b84f5c4eb6594",
"summary": "ospf6d: CVE-2011-3323 (fortify packet reception)",
"stats": {
"insertions": 492,
"deletions": 73,
"lines": 565,
"files": 7
},
"author": "Denis Ovsienko",
"author-email": "infrastation@yandex.ru",
"authored_date": 1317028731,
"committed_date": 1317048436,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"CVE"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/abc7ef44ca05493500865ce81f7b84f5c4eb6594",
"tags": [],
"cve": [
"CVE-2011-3323"
],
"state": "cve-assigned"
},
"09395e2a0e93b2cf4258cb1de91887948796bb68": {
"message": "ospf6d: CVE-2011-3324 (DD LSA assertion)\n\nThis vulnerability (CERT-FI #514839) was reported by CROSS project.\n\nWhen Database Description LSA header list contains trailing zero octets,\nospf6d tries to process this data as an LSA header. This triggers an\nassertion in the code and ospf6d shuts down.\n\n* ospf6_lsa.c\n * ospf6_lsa_is_changed(): handle header-only argument(s)\n appropriately, do not treat LSA length underrun as a fatal error.\n",
"language": "en",
"commit-id": "09395e2a0e93b2cf4258cb1de91887948796bb68",
"summary": "ospf6d: CVE-2011-3324 (DD LSA assertion)",
"stats": {
"insertions": 11,
"deletions": 1,
"lines": 12,
"files": 1
},
"author": "Denis Ovsienko",
"author-email": "infrastation@yandex.ru",
"authored_date": 1317028716,
"committed_date": 1317048426,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"CVE"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/09395e2a0e93b2cf4258cb1de91887948796bb68",
"tags": [],
"cve": [
"CVE-2011-3324"
],
"state": "cve-assigned"
},
"717750433839762d23a5f8d88fe0b4d57c8d490a": {
"message": "ospfd: CVE-2011-3325 part 2 (OSPF pkt type segv)\n\nThis vulnerability (CERT-FI #514838) was reported by CROSS project.\n\nThe error is reproducible only when ospfd debugging is enabled:\n * debug ospf packet all\n * debug ospf zebra\nWhen incoming packet header type field is set to 0x0a, ospfd will crash.\n\n* ospf_packet.c\n * ospf_verify_header(): add type field check\n * ospf_read(): perform input checks early\n",
"language": "en",
"commit-id": "717750433839762d23a5f8d88fe0b4d57c8d490a",
"summary": "ospfd: CVE-2011-3325 part 2 (OSPF pkt type segv)",
"stats": {
"insertions": 18,
"deletions": 14,
"lines": 32,
"files": 1
},
"author": "Denis Ovsienko",
"author-email": "infrastation@yandex.ru",
"authored_date": 1317028682,
"committed_date": 1317048414,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"CVE"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/717750433839762d23a5f8d88fe0b4d57c8d490a",
"tags": [],
"cve": [
"CVE-2011-3325"
],
"state": "cve-assigned"
},
"61ab0301606053192f45c188bc48afc837518770": {
"message": "ospfd: CVE-2011-3325 part 1 (OSPF header underrun)\n\nThis vulnerability (CERT-FI #514838) was reported by CROSS project.\n\nWhen only 14 first bytes of a Hello packet is delivered, ospfd crashes.\n\n* ospf_packet.c\n * ospf_read(): add size check\n",
"language": "en",
"commit-id": "61ab0301606053192f45c188bc48afc837518770",
"summary": "ospfd: CVE-2011-3325 part 1 (OSPF header underrun)",
"stats": {
"insertions": 12,
"deletions": 3,
"lines": 15,
"files": 1
},
"author": "Denis Ovsienko",
"author-email": "infrastation@yandex.ru",
"authored_date": 1317028672,
"committed_date": 1317048402,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"CVE"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/61ab0301606053192f45c188bc48afc837518770",
"tags": [],
"cve": [
"CVE-2011-3325"
],
"state": "cve-assigned"
},
"6b161fc12a15aba8824c84d1eb38e529aaf70769": {
"message": "ospfd: CVE-2011-3326 (unknown LSA type segfault)\n\nThis vulnerability (CERT-FI #514837) was reported by CROSS project.\nThey have also suggested a fix to the problem, which was found\nacceptable.\n\nQuagga ospfd does not seem to handle unknown LSA types in a Link State\nUpdate message correctly. If LSA type is something else than one\nsupported\nby Quagga, the default handling of unknown types leads to an error.\n\n* ospf_flood.c\n * ospf_flood(): check return value of ospf_lsa_install()\n",
"language": "en",
"commit-id": "6b161fc12a15aba8824c84d1eb38e529aaf70769",
"summary": "ospfd: CVE-2011-3326 (unknown LSA type segfault)",
"stats": {
"insertions": 2,
"deletions": 1,
"lines": 3,
"files": 1
},
"author": "CROSS",
"author-email": "info@codenomicon.com",
"authored_date": 1317028641,
"committed_date": 1317048388,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"CVE"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/6b161fc12a15aba8824c84d1eb38e529aaf70769",
"tags": [],
"cve": [
"CVE-2011-3326"
],
"state": "cve-assigned"
},
"94431dbc753171b48b5c6806af97fd690813b00a": {
"message": "bgpd: CVE-2011-3327 (ext. comm. buffer overflow)\n\nThis vulnerability (CERT-FI #513254) was reported by CROSS project.\nThey have also suggested a fix to the problem, which was found\nacceptable.\n\nThe problem occurs when bgpd receives an UPDATE message containing\n255 unknown AS_PATH attributes in Path Attribute Extended Communities.\nThis causes a buffer overflow in bgpd.\n\n* bgp_ecommunity.c\n * ecommunity_ecom2str(): perform size check earlier\n",
"language": "en",
"commit-id": "94431dbc753171b48b5c6806af97fd690813b00a",
"summary": "bgpd: CVE-2011-3327 (ext. comm. buffer overflow)",
"stats": {
"insertions": 7,
"deletions": 7,
"lines": 14,
"files": 1
},
"author": "CROSS",
"author-email": "info@codenomicon.com",
"authored_date": 1317028625,
"committed_date": 1317048376,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"CVE"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/94431dbc753171b48b5c6806af97fd690813b00a",
"tags": [],
"cve": [
"CVE-2011-3327"
],
"state": "cve-assigned"
},
"552563a1c443ec876edd92bf79f29ff3afe2c01e": {
"message": "ospf6d: CVE-2011-3323 (fortify packet reception)\n\nThis vulnerability (CERT-FI #514840) was reported by CROSS project.\n\nospf6d processes IPv6 prefix structures in incoming packets without\nverifying that the declared prefix length is valid. This leads to a\ncrash\ncaused by out of bounds memory access.\n\n* ospf6_abr.h: new macros for size/alignment validation\n* ospf6_asbr.h: idem\n* ospf6_intra.h: idem\n* ospf6_lsa.h: idem\n* ospf6_message.h: idem\n* ospf6_proto.h: idem\n* ospf6_message.c\n * ospf6_packet_minlen: helper array for ospf6_packet_examin()\n * ospf6_lsa_minlen: helper array for ospf6_lsa_examin()\n * ospf6_hello_recv(): do not call ospf6_header_examin(), let upper\n layer verify the input data\n * ospf6_dbdesc_recv(): idem\n * ospf6_lsreq_recv(): idem\n * ospf6_lsupdate_recv(): idem\n * ospf6_lsack_recv(): idem\n * ospf6_prefixes_examin(): new function, implements A.4.1\n * ospf6_lsa_examin(): new function, implements A.4\n * ospf6_lsaseq_examin(): new function, an interface to above\n * ospf6_packet_examin(): new function, implements A.3\n * ospf6_rxpacket_examin(): new function, replaces\n ospf6_header_examin()\n * ospf6_header_examin(): sayonara\n * ospf6_receive(): perform passive interface check earliest possible,\n employ ospf6_rxpacket_examin()\n",
"language": "en",
"commit-id": "552563a1c443ec876edd92bf79f29ff3afe2c01e",
"summary": "ospf6d: CVE-2011-3323 (fortify packet reception)",
"stats": {
"insertions": 492,
"deletions": 73,
"lines": 565,
"files": 7
},
"author": "Denis Ovsienko",
"author-email": "infrastation@yandex.ru",
"authored_date": 1317028731,
"committed_date": 1317048048,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"CVE"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/552563a1c443ec876edd92bf79f29ff3afe2c01e",
"tags": [],
"cve": [
"CVE-2011-3323"
],
"state": "cve-assigned"
},
"308687b7d73c5cacf927a3a33efbfaea627ccc09": {
"message": "ospf6d: CVE-2011-3324 (DD LSA assertion)\n\nThis vulnerability (CERT-FI #514839) was reported by CROSS project.\n\nWhen Database Description LSA header list contains trailing zero octets,\nospf6d tries to process this data as an LSA header. This triggers an\nassertion in the code and ospf6d shuts down.\n\n* ospf6_lsa.c\n * ospf6_lsa_is_changed(): handle header-only argument(s)\n appropriately, do not treat LSA length underrun as a fatal error.\n",
"language": "en",
"commit-id": "308687b7d73c5cacf927a3a33efbfaea627ccc09",
"summary": "ospf6d: CVE-2011-3324 (DD LSA assertion)",
"stats": {
"insertions": 11,
"deletions": 1,
"lines": 12,
"files": 1
},
"author": "Denis Ovsienko",
"author-email": "infrastation@yandex.ru",
"authored_date": 1317028716,
"committed_date": 1317048030,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"CVE"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/308687b7d73c5cacf927a3a33efbfaea627ccc09",
"tags": [],
"cve": [
"CVE-2011-3324"
],
"state": "cve-assigned"
},
"1f54cef38dab072f1054c6cfedd9ac32af14a120": {
"message": "ospfd: CVE-2011-3325 part 2 (OSPF pkt type segv)\n\nThis vulnerability (CERT-FI #514838) was reported by CROSS project.\n\nThe error is reproducible only when ospfd debugging is enabled:\n * debug ospf packet all\n * debug ospf zebra\nWhen incoming packet header type field is set to 0x0a, ospfd will crash.\n\n* ospf_packet.c\n * ospf_verify_header(): add type field check\n * ospf_read(): perform input checks early\n",
"language": "en",
"commit-id": "1f54cef38dab072f1054c6cfedd9ac32af14a120",
"summary": "ospfd: CVE-2011-3325 part 2 (OSPF pkt type segv)",
"stats": {
"insertions": 18,
"deletions": 14,
"lines": 32,
"files": 1
},
"author": "Denis Ovsienko",
"author-email": "infrastation@yandex.ru",
"authored_date": 1317028682,
"committed_date": 1317048019,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"CVE"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/1f54cef38dab072f1054c6cfedd9ac32af14a120",
"tags": [],
"cve": [
"CVE-2011-3325"
],
"state": "cve-assigned"
},
"3d3380d4fda43924171bc0866746c85634952c99": {
"message": "ospfd: CVE-2011-3325 part 1 (OSPF header underrun)\n\nThis vulnerability (CERT-FI #514838) was reported by CROSS project.\n\nWhen only 14 first bytes of a Hello packet is delivered, ospfd crashes.\n\n* ospf_packet.c\n * ospf_read(): add size check\n",
"language": "en",
"commit-id": "3d3380d4fda43924171bc0866746c85634952c99",
"summary": "ospfd: CVE-2011-3325 part 1 (OSPF header underrun)",
"stats": {
"insertions": 12,
"deletions": 3,
"lines": 15,
"files": 1
},
"author": "Denis Ovsienko",
"author-email": "infrastation@yandex.ru",
"authored_date": 1317028672,
"committed_date": 1317048007,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service|\\bXXE\\b|remote code execution|\\bopen redirect|OSVDB|\\bvuln|\\bCVE\\b|\\bXSS\\b|\\bReDoS\\b|\\bNVD\\b|malicious|x−frame−options|attack|cross site|exploit|malicious|directory traversal|\\bRCE\\b|\\bdos\\b|\\bXSRF \\b|\\bXSS\\b|clickjack|session.fixation|hijack|\\badvisory|\\binsecure|security|\\bcross−origin\\b|unauthori[z|s]ed|infinite loop)",
"pattern-matches": [
"CVE"
],
"origin": "https://git.savannah.nongnu.org/git/quagga.git",
"origin-github-api": "https://api.github.com/repos///git.savannah.nongnu.org/git/quagga/commits/3d3380d4fda43924171bc0866746c85634952c99",
"tags": [],
"cve": [
"CVE-2011-3325"
],
"state": "cve-assigned"
},
"af143a26ef96ba9be7b9c0b151b7605e1c2c74cd": {
"message": "ospfd: CVE-2011-3326 (uknown LSA type segfault)\n\nThis vulnerability (CERT-FI #514837) was reported by CROSS project.\nThey have also suggested a fix to the problem, which was found\nacceptable.\n\nQuagga ospfd does not seem to handle unknown LSA types in a Link State\nUpdate message correctly. If LSA type is something else than one\nsupported\nby Quagga, the default handling of unknown types leads to an error.\n\n* ospf_flood.c\n * ospf_flood(): check return value of ospf_lsa_install()\n",
"language": "en",
"commit-id": "af143a26ef96ba9be7b9c0b151b7605e1c2c74cd",
"summary": "ospfd: CVE-2011-3326 (uknown LSA type segfault)",
"stats": {