[quagga-dev 467] Re: More information on the recent remote DoS in vty.c?

Christian Hammers ch at debian.org
Thu Nov 13 10:14:26 GMT 2003


On Thu, Nov 13, 2003 at 09:51:19AM +0000, Paul Jakma wrote:
> > (If someone's backbone fails due to a DoS and in the NEWS on the
> > homepage is a big bold "Warning" for some compile issues but no
> > mention of a remote DoS nor a bugtraq warning etc., we get a very
> > angry mail on bugtraq and you can forget Quagga for the next couple
> > of years in the big ISP league due to bad reputation...)
> Indeed. This is the first security fix I've dealt with, so forgive me 
> if I haven't dealt with it correctly.
> What would you advise?

- Under News or a "Security" section make an entry for this where the
  exact impact and workaround are described (you know admins sometimes
  take a quick look at the page and want to see as fast as possible if
  there were severe bugfixes (security or not) that require them to

- For the same reasons put a note in the Downloads section that
  the use of versions prior to 0.96.4 is discouraged due to security
  bugs. (upgrade the "last stable version" there btw.)

- Write a short note to bugtraq so that all admins who use Linux routers
  become aware of the bug.
  (even bad news has a good side, it makes the project more known *g*)

Oh, and check whether Zebra suffers from the same problem. 
Writing "The Quagga team found a long-standing bug in the Zebra 
routing suite from which its successor, the Quagga project, also suffers" 
sounds better (only if it's true, of course) ;-)
