A NULL pointer dereference flaw was found in the way Quagga's bgpd daemon parsed paths of autonomous systems (AS). A configured BGP peer could send a BGP update AS path request with an unknown AS type, which could lead to denial of service (bgpd daemon crash).

Upstream changeset:
[1] http://code.quagga.net/?p=quagga.git;a=commit;h=cddb8112b80fa9867156c637d63e6e79eeac67bb

References:
[2] http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100

CVE Request:
[3] http://www.openwall.com/lists/oss-security/2010/08/24/3
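As an added illustration of the defensive side of this class of bug (not Quagga's code and not the upstream fix), the C sketch below validates an AS_PATH attribute value up front and returns an error for an unknown segment type, so no caller is handed a missing segment object. The function name `aspath_validate`, the status codes and the sample byte strings are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Segment type codes from RFC 4271 (1, 2) and RFC 5065 (3, 4). */
enum { AS_SET = 1, AS_SEQUENCE = 2, AS_CONFED_SEQUENCE = 3, AS_CONFED_SET = 4 };
enum { ASPATH_OK = 0, ASPATH_BAD_ARG = -1, ASPATH_TRUNCATED = -2,
       ASPATH_BAD_TYPE = -3, ASPATH_EMPTY_SEGMENT = -4 };

/* Constructed samples (documentation-range ASNs, 4-byte encoding). */
static const uint8_t SAMPLE_OK[] = {2, 2, 0, 0, 0xFB, 0xF0, 0, 0, 0xFB, 0xF1};
static const uint8_t SAMPLE_UNKNOWN[] = {9, 1, 0, 0, 0xFB, 0xF0};
static const uint8_t SAMPLE_SHORT[] = {2, 3, 0, 0, 0xFB, 0xF0};

/* Hypothetical helper: check an AS_PATH value before building segment
 * objects. asn_size is 2, or 4 when AS4 support is negotiated. On
 * ASPATH_OK, *hops holds the total number of AS numbers in the path. */
int aspath_validate(const uint8_t *buf, size_t len, size_t asn_size, size_t *hops)
{
    size_t off = 0, count = 0;

    if (!buf || !hops || (asn_size != 2 && asn_size != 4))
        return ASPATH_BAD_ARG;
    while (off < len) {
        if (len - off < 2)
            return ASPATH_TRUNCATED;        /* segment header cut short */
        uint8_t type = buf[off], n = buf[off + 1];
        off += 2;
        if (type < AS_SET || type > AS_CONFED_SET)
            return ASPATH_BAD_TYPE;         /* reject; no segment is built */
        if (n == 0)
            return ASPATH_EMPTY_SEGMENT;    /* treated as malformed here */
        if ((len - off) / asn_size < n)
            return ASPATH_TRUNCATED;        /* fewer ASNs than announced */
        off += (size_t)n * asn_size;
        count += n;
    }
    *hops = count;
    return ASPATH_OK;
}

int main(void)
{
    size_t hops = 0;
    printf("ok=%d ", aspath_validate(SAMPLE_OK, sizeof SAMPLE_OK, 4, &hops));
    printf("hops=%zu ", hops);
    printf("unknown=%d ", aspath_validate(SAMPLE_UNKNOWN, sizeof SAMPLE_UNKNOWN, 4, &hops));
    printf("short=%d\n", aspath_validate(SAMPLE_SHORT, sizeof SAMPLE_SHORT, 4, &hops));
    return 0;
}
```

Decoding the first sample with `asn_size` 2 instead of 4 also ends in `ASPATH_BAD_TYPE`, because the parser lands on a zero byte where a segment header is expected.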
This issue did NOT affect the versions of the quagga package, as shipped with Red Hat Enterprise Linux 3, 4, or 5.

--

This issue affects the versions of the quagga package, as shipped with Fedora releases 12 and 13.
Created quagga tracking bugs for this issue

Affects: fedora-all [bug 628981]
Statement:

Not vulnerable. This issue did not affect the versions of the quagga package as shipped with Red Hat Enterprise Linux 3, 4, or 5, as these versions do not support 4 byte AS numbers (AS4 support) yet.
Comment #13 => VERIFIED
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2010:0945 https://rhn.redhat.com/errata/RHSA-2010-0945.html