CVE-2017-16227

Published: 29 October 2017

The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 allows remote attackers to cause a denial of service (session drop) via BGP UPDATE messages, because AS_PATH size calculation for long paths counts certain bytes twice and consequently constructs an invalid message.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: quagga (Launchpad, Ubuntu, Debian)

Release: Status
artful: Released (1.1.1-3ubuntu0.1)
precise: Does not exist
trusty: Does not exist (trusty was released [0.99.22.4-3ubuntu1.4])
upstream: Needs triage
xenial: Released (0.99.24.1-2ubuntu1.3)
zesty: Released (1.1.1-1ubuntu0.1)

Patches:
upstream: https://git.savannah.gnu.org/cgit/quagga.git/commit/?id=7a42b78be9a4108d98833069a88e6fddb9285008