scenario due to RIB revalidation (CVE-2024-55553,bsc#1235237) and
other fixes, see https://frrouting.org/release/10.2.1/
The 10.2 version provides new features and many enhancements, see
https://frrouting.org/release/10.2/
- Add new fpm_listener daemon binary to rpm file lists.
- Remove --localstatedir configure parameter causing to use /run/lib
instead of /var/lib prefix for the northbound databases and added
the /var/lib/frr directory to the rpm file list.
- Adjust to set permissions in rpm attr macros (rpmlint suggestion)
and use frr_group instead of frr_user in group parameter.
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=81
a check of the actual remaining stream length before taking the
TLV value (CVE-2024-44070,bsc#1229438,gh#FRRouting/frr#16502):
+ 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch
- Re-added 0001-disable-zmq-test.patch to avoid (sporadic or arch
specific, e.g. aarch64) "make check" test failures (bsc#1180217).
+ 0001-disable-zmq-test.patch
- Re-added hardening patch for systemd service(s) (bsc#1181400):
+ harden_frr.service.patch
- Cleanup unknown --enable-systemd and correct the --sysconfdir
and --localstatedir configure options to not end in …/frr.
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=72
- Apply upstream fix solving ospfd denial of service via get_edge()
function returning a NULL pointer (CVE-2024-34088,bsc#1223786,
gh#FRRouting/frr#16088).
[+ 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch]
- Apply upstream fix solving ospfd buffer overflow and daemon crash
in ospf_te_parse_ext_link for OSPF LSA packets during an attempt
to read Segment Routing Adjacency SID subTLVs (CVE-2024-31951,
bsc#1222528,gh#FRRouting/frr#16088).
[+ 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch]
- Apply upstream fix solving ospfd buffer overflow and daemon crash
in RI parsing with OSPF TE (CVE-2024-31950,bsc#1222526,
gh#FRRouting/frr#16088).
[+ 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch]
OBS-URL: https://build.opensuse.org/request/show/1178686
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=67
- Apply upstream fix for a crash on malformed BGP UPDATE message
with an EOR, because the presence of EOR does not lead to a
treat-as-withdraw outcome (CVE-2023-47235,1216896,6814f2e013)
[+ 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch]
- Apply upstream fix for a crash on crafted BGP UPDATE message with
a MP_UNREACH_NLRI attribute and additional NLRI data (CVE-2023-47234,
bsc#1216897,ttps://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf)
[+ 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch]
- Apply upstream fix for attempts to read beyond the end of the
stream during labeled unicast parsing (CVE-2023-38407,bsc#1216899,ab362eae68)
[+ 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch]
- Apply upstream fix for an nlri length of zero mishandling, aka
"flowspec overflow" (CVE-2023-38406,bsc#1216900,0b999c886e)
[+ 0018-bgpd-Flowspec-overflow-issue.patch]
OBS-URL: https://build.opensuse.org/request/show/1130736
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=57
- Apply upstream fix for denial of service via the bgp_capability_llgr()
function (bsc#1211248,CVE-2023-31489,gh#FRRouting/frr#13098).
[+ 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch]
- Apply upstream fix for denial of service via the bgp_attr_psid_sub()
function (bsc#1211249,CVE-2023-31490,gh#FRRouting/frr#13099).
[+ 0007-bgpd-Ensure-stream-received-has-enough-data.patch]
OBS-URL: https://build.opensuse.org/request/show/1088895
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=49
- Migration to /usr/etc: Conditionally moved /etc/logrotate.d/frr
file to vendor specific directory /usr/etc/logrotate.d and added
saving of user changed configuration files in /etc and restoring
them while an RPM update.
- Declare root as sufficient also in the pam account verification;
without vtysh use causes to log a pam frr:account warnings
(https://github.com/FRRouting/frr/pull/12308)
[+ 0005-root-ok-in-account-frr.pam.patch]
- Applied fix removing a not needed backslash causing to log a warning
(https://github.com/FRRouting/frr/pull/12307)
[+ 0004-tools-remove-backslash-from-declare-check-regex.patch]
- Applied upstream fixes for frrinit.sh to avoid a privilege escalation
from frr to root in frr config creation (bsc#1204124,CVE-2022-42917,
https://github.com/FRRouting/frr/pull/12157).
[+ 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch]
- Removed obsolete patches provided in the 8.4 source archive:
[- 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch,
- 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch,
- 0005-isisd-fix-router-capability-TLV-parsing-issues.patch,
- 0006-isisd-fix-10505-using-base64-encoding.patch,
- 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch,
- 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
- Update to version 8.4, see https://frrouting.org/release/8.4/
* New BGP command (neighbor PEER soo) to configure SoO to prevent
routing loops and suboptimal routing on dual-homed sites.
* Command debug bgp allow-martian replaced to bgp allow-martian-nexthop
because previously we allowed using martian next-hops when debug is
turned on.
* Implement BGP Prefix Origin Validation State Extended Community rfc8097
* Implement Route Leak Prevention and Detection Using Roles in UPDATE
OBS-URL: https://build.opensuse.org/request/show/1035289
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=43
- Apply upstream fix for out-of-bounds read in the BGP daemon
that may lead to information disclosure or denial of service
(bsc#1202023,CVE-2022-37032)
[+ 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch]
- Apply upstream fix for a memory leak in the IS-IS daemon that
may lead to server memory exhaustion (bsc#1202023,CVE-2019-25074)
[+ 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
OBS-URL: https://build.opensuse.org/request/show/1001418
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=40
- Apply fix for a buffer overflow in isisd due to the use of strdup
with a non-zero-terminated binary string (bsc#1196506,CVE-2022-26126)
[+ 0006-isisd-fix-10505-using-base64-encoding.patch]
- Apply fix for a buffer overflow in isisd due to wrong checks on
the input packet length (bsc#1196505,CVE-2022-26125) with workaround
for the GIT binary patch to tests/isisd/test_fuzz_isis_tlv_tests.h.gz
[+ 0005-isisd-fix-router-capability-TLV-parsing-issues.patch]
- Apply fix for a buffer overflow in babeld due to wrong checks on
the input packet length in the packet_examin and subtlv parsing
(bsc#1196504,bsc#1196507,CVE-2022-26128,CVE-2022-26129)
[+ 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch]
- Apply fix for a heap buffer overflow in babeld due to missing check
on the input packet length (bsc#1196503,CVE-2022-26127)
[+ 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch]
OBS-URL: https://build.opensuse.org/request/show/958040
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=37
