- Apply upstream fix solving ospfd denial of service via get_edge()
function returning a NULL pointer (CVE-2024-34088,bsc#1223786,
gh#FRRouting/frr#16088).
[+ 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch]
- Apply upstream fix solving ospfd buffer overflow and daemon crash
in ospf_te_parse_ext_link for OSPF LSA packets during an attempt
to read Segment Routing Adjacency SID subTLVs (CVE-2024-31951,
bsc#1222528,gh#FRRouting/frr#16088).
[+ 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch]
- Apply upstream fix solving ospfd buffer overflow and daemon crash
in RI parsing with OSPF TE (CVE-2024-31950,bsc#1222526,
gh#FRRouting/frr#16088).
[+ 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch]
OBS-URL: https://build.opensuse.org/request/show/1178686
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=67
- Apply upstream fix for a crash on malformed BGP UPDATE message
with an EOR, because the presence of EOR does not lead to a
treat-as-withdraw outcome (CVE-2023-47235,1216896,6814f2e013)
[+ 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch]
- Apply upstream fix for a crash on crafted BGP UPDATE message with
a MP_UNREACH_NLRI attribute and additional NLRI data (CVE-2023-47234,
bsc#1216897,https://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf)
[+ 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch]
- Apply upstream fix for attempts to read beyond the end of the
stream during labeled unicast parsing (CVE-2023-38407,bsc#1216899,ab362eae68)
[+ 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch]
- Apply upstream fix for mishandling of an nlri length of zero, aka
"flowspec overflow" (CVE-2023-38406,bsc#1216900,0b999c886e)
[+ 0018-bgpd-Flowspec-overflow-issue.patch]
OBS-URL: https://build.opensuse.org/request/show/1130736
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=57
- Apply upstream fix for denial of service via the bgp_capability_llgr()
function (bsc#1211248,CVE-2023-31489,gh#FRRouting/frr#13098).
[+ 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch]
- Apply upstream fix for denial of service via the bgp_attr_psid_sub()
function (bsc#1211249,CVE-2023-31490,gh#FRRouting/frr#13099).
[+ 0007-bgpd-Ensure-stream-received-has-enough-data.patch]
OBS-URL: https://build.opensuse.org/request/show/1088895
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=49
- Migration to /usr/etc: Conditionally moved /etc/logrotate.d/frr
file to vendor specific directory /usr/etc/logrotate.d and added
saving of user changed configuration files in /etc and restoring
them during an RPM update.
- Declare root as sufficient also in the pam account verification;
without it, vtysh use causes pam frr:account warnings to be logged
(https://github.com/FRRouting/frr/pull/12308)
[+ 0005-root-ok-in-account-frr.pam.patch]
- Applied fix removing an unneeded backslash that caused a warning to be logged
(https://github.com/FRRouting/frr/pull/12307)
[+ 0004-tools-remove-backslash-from-declare-check-regex.patch]
- Applied upstream fixes for frrinit.sh to avoid a privilege escalation
from frr to root in frr config creation (bsc#1204124,CVE-2022-42917,
https://github.com/FRRouting/frr/pull/12157).
[+ 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch]
- Removed obsolete patches provided in the 8.4 source archive:
[- 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch,
- 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch,
- 0005-isisd-fix-router-capability-TLV-parsing-issues.patch,
- 0006-isisd-fix-10505-using-base64-encoding.patch,
- 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch,
- 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
- Update to version 8.4, see https://frrouting.org/release/8.4/
* New BGP command (neighbor PEER soo) to configure SoO to prevent
routing loops and suboptimal routing on dual-homed sites.
* Command debug bgp allow-martian replaced by bgp allow-martian-nexthop
because previously we allowed using martian next-hops when debug is
turned on.
* Implement BGP Prefix Origin Validation State Extended Community rfc8097
* Implement Route Leak Prevention and Detection Using Roles in UPDATE
OBS-URL: https://build.opensuse.org/request/show/1035289
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=43
- Apply upstream fix for out-of-bounds read in the BGP daemon
that may lead to information disclosure or denial of service
(bsc#1202023,CVE-2022-37032)
[+ 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch]
- Apply upstream fix for a memory leak in the IS-IS daemon that
may lead to server memory exhaustion (bsc#1202023,CVE-2019-25074)
[+ 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
OBS-URL: https://build.opensuse.org/request/show/1001418
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=40
- Apply fix for a buffer overflow in isisd due to the use of strdup
with a non-zero-terminated binary string (bsc#1196506,CVE-2022-26126)
[+ 0006-isisd-fix-10505-using-base64-encoding.patch]
- Apply fix for a buffer overflow in isisd due to wrong checks on
the input packet length (bsc#1196505,CVE-2022-26125) with workaround
for the GIT binary patch to tests/isisd/test_fuzz_isis_tlv_tests.h.gz
[+ 0005-isisd-fix-router-capability-TLV-parsing-issues.patch]
- Apply fix for a buffer overflow in babeld due to wrong checks on
the input packet length in the packet_examin and subtlv parsing
(bsc#1196504,bsc#1196507,CVE-2022-26128,CVE-2022-26129)
[+ 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch]
- Apply fix for a heap buffer overflow in babeld due to missing check
on the input packet length (bsc#1196503,CVE-2022-26127)
[+ 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch]
OBS-URL: https://build.opensuse.org/request/show/958040
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=37
- enable verbose make rules
- enable grpc support. new subpackage libfrrgrpc_pb0, new BR:
pkgconfig(grpc)
- enable config rollbacks. new BR: pkgconfig(sqlite3)
- enable realms support
- enable shell access
- make sure we use system openssl
- fix shebang line of the frr-reload.py and
generate_support_bundle.py script so we don't pull python2
- do not delete users and groups.
- add Requires for libyang-extentions
OBS-URL: https://build.opensuse.org/request/show/792552
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=12
- Update to version 7.2.1:
BGPd
* Fix Addpath issue
* Do not apply eBGP policy for iBGP peers
* Show ip and fqdn in json output for show [ip] bgp <route> json
* Fix large route-distinguisher's format
* Fix no bgp listen range ... configuration command
* Autocomplete neighbor for clear bgp
* Reflect the distance in RIB when it is changed for an
arbitrary afi/safi
* Notify "Peer De-configured" after entering 'no neighbor cmd
* Fix per afi/safi addpath peer counting
* Rework BGP dampening to be per AFI/SAFI
* Do not send next-hop as :: in MP_REACH_NLRI if no link-local
exists
* Override peer's TTL only if peer-group is configured with TTL
* Remove error message for unknown afi/safi combination
* Keep the session down if maximum-prefix is reached
OSPFd
* Fix BFD down not tearing down OSPF adjacency for
point-to-point net
BFDd
* Fix multiple VRF handling
* VRF security improvement
PIMd
* Fix rp crash
NHRPd
* Make sure no ip nhrp map <something> works as expected
LDPd
* Add missing sanity check in the parsing of label messages
OBS-URL: https://build.opensuse.org/request/show/765491
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=7