[quagga-dev 467] Re: More information on the recent remote DoS in vty.c?
ch at debian.org
Thu Nov 13 10:14:26 GMT 2003
On Thu, Nov 13, 2003 at 09:51:19AM +0000, Paul Jakma wrote:
> > (If someone's backbone fails due to a DoS and in the NEWS on the
> > homepage is a big bold "Warning" for some compile issues but no
> > mention of a remote DoS nor a bugtraq warning etc. we get a very
> > angry mail on bugtraq and you can forget Quagga for the next couple
> > of years in the big ISP league due to bad reputation...)
> Indeed. This is the first security fix I've dealt with, so forgive me
> if I haven't dealt with it correctly.
> What would you advise?
- Under News or a "Security" section make an entry for this where the
exact impact and workaround are described (you know admins sometimes
take a quick look at the page and want to see as fast as possible if
there were severe bugfixes (security or not) that require them to
- For the same reasons put a note in the Downloads section that
the use of versions prior to 0.96.4 is discouraged due to security
bugs. (upgrade the "last stable version" there btw.)
- Write a short note to bugtraq so that all admins who use Linux routers
become aware of the bug.
(even bad news has a good side, it makes the project more known *g*)
Oh and check Zebra if it suffers from the same problem.
Writing "The Quagga team found a long consisting bug in the Zebra
routing suite from which its successor, the Quagga project also suffers"
sounds better (only if it's true, of course) ;-)