Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH 1/1] package/frr: security bump to version 8.5.4
@ 2024-01-27 22:56 Fabrice Fontaine
  2024-01-28 17:27 ` Yann E. MORIN
  2024-02-28 17:35 ` Peter Korsgaard
  0 siblings, 2 replies; 4+ messages in thread
From: Fabrice Fontaine @ 2024-01-27 22:56 UTC (permalink / raw)
  To: buildroot; +Cc: Vadim Kochan, Fabrice Fontaine

Fix CVE-2023-38802, CVE-2023-41360, CVE-2023-46752, CVE-2023-46753,
CVE-2023-47234 and CVE-2023-47235

https://frrouting.org/security/
https://frrouting.org/release/8.5.4/

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/frr/frr.hash | 2 +-
 package/frr/frr.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/frr/frr.hash b/package/frr/frr.hash
index 836f130b93..4a61084bae 100644
--- a/package/frr/frr.hash
+++ b/package/frr/frr.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256  8a6b0e0fa1e89493ba84cf176674e55c7a814821fd02a7188095b76c37c3935f  frr-8.4.2.tar.gz
+sha256  7ae9d8bafc65bb5d0f21061ac61dbc6cf93b2b05a5dae9e5eec72ed42388551e  frr-8.5.4.tar.gz
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/frr/frr.mk b/package/frr/frr.mk
index abae784c40..19f346fd7b 100644
--- a/package/frr/frr.mk
+++ b/package/frr/frr.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-FRR_VERSION = 8.4.2
+FRR_VERSION = 8.5.4
 FRR_SITE = $(call github,FRRouting,frr,frr-$(FRR_VERSION))
 FRR_LICENSE = GPL-2.0
 FRR_LICENSE_FILES = COPYING
-- 
2.43.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/frr: security bump to version 8.5.4
  2024-01-27 22:56 [Buildroot] [PATCH 1/1] package/frr: security bump to version 8.5.4 Fabrice Fontaine
@ 2024-01-28 17:27 ` Yann E. MORIN
  2024-01-30 22:09   ` Peter Korsgaard
  2024-02-28 17:35 ` Peter Korsgaard
  1 sibling, 1 reply; 4+ messages in thread
From: Yann E. MORIN @ 2024-01-28 17:27 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Graham Rhodes, Vadim Kochan, buildroot

Fabrice, All,

+Graham, see below for input.

On 2024-01-27 23:56 +0100, Fabrice Fontaine spake thusly:
> Fix CVE-2023-38802, CVE-2023-41360, CVE-2023-46752, CVE-2023-46753,
> CVE-2023-47234 and CVE-2023-47235
> 
> https://frrouting.org/security/
> https://frrouting.org/release/8.5.4/
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master, thanks.

Since frr is a fork from quagga [0], it would not be too surprising that
some of the CVEs against frr were valid back in the quagga era. Also,
Quagga is no longer maintained (as their website is no longer
available). At least, there are three open CVEs:
    CVE-2016-4049
    CVE-2017-3224
    CVE-2021-44038

CVE-2021-44038 was reported after the last quagga release, and that the
two others were not fixed then, but are fixed in frr.

The sole package we have that uses quagga is olsr. Support for quagga
was added in 2013 with commit 9b48690efb59 (olsr: bump to version 0.6.4)
stating "Doesn't really need quagga but not very useful without it", yet
it is still really only optional.

The upstream olsr repository has not had a quagga-related commit since
2019 (commit 385321522335), and the actual last code commit was even
earlier, in 2016, to fix a warning (ac80336d56e5).

Finally, the olsr documentation still mentions old quagga versions that
need to be patched with patches bundled in olsr. Since the upstream
quagga has disapeared, it is not trivial to find whether those patches
were ever upstreamed.

And now that I wrote all the above, it turns out that quagga is not even
a build dependency of olsr at all, so propbably just an optional runtime
dependency.

Which leaves us with just our commit 1e3cd85e7a6d (package/quagga:
install quagga to staging) from Graham, but we have no such in-tree
user, so we can't really assess whether our quagga package is even
installing its dev files properly...

Would it make sense that we now drop Quagga altogether?

If quagga support in olsr is till required, or if third-party code needs
quagga dev files, can that be provided by frr instead?

[0] https://www.linux.com/news/welcoming-frrouting-linux-foundation/

Regards,
Yann E. MORIN.

> ---
>  package/frr/frr.hash | 2 +-
>  package/frr/frr.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/frr/frr.hash b/package/frr/frr.hash
> index 836f130b93..4a61084bae 100644
> --- a/package/frr/frr.hash
> +++ b/package/frr/frr.hash
> @@ -1,3 +1,3 @@
>  # Locally calculated
> -sha256  8a6b0e0fa1e89493ba84cf176674e55c7a814821fd02a7188095b76c37c3935f  frr-8.4.2.tar.gz
> +sha256  7ae9d8bafc65bb5d0f21061ac61dbc6cf93b2b05a5dae9e5eec72ed42388551e  frr-8.5.4.tar.gz
>  sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
> diff --git a/package/frr/frr.mk b/package/frr/frr.mk
> index abae784c40..19f346fd7b 100644
> --- a/package/frr/frr.mk
> +++ b/package/frr/frr.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -FRR_VERSION = 8.4.2
> +FRR_VERSION = 8.5.4
>  FRR_SITE = $(call github,FRRouting,frr,frr-$(FRR_VERSION))
>  FRR_LICENSE = GPL-2.0
>  FRR_LICENSE_FILES = COPYING
> -- 
> 2.43.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/frr: security bump to version 8.5.4
  2024-01-28 17:27 ` Yann E. MORIN
@ 2024-01-30 22:09   ` Peter Korsgaard
  0 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2024-01-30 22:09 UTC (permalink / raw)
  To: Yann E. MORIN; +Cc: Graham Rhodes, Vadim Kochan, Fabrice Fontaine, buildroot

>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

Hi,

 > Would it make sense that we now drop Quagga altogether?

It sounds like it. Lets give it a few days and then perhaps drop it
during the upcoming dev meeting.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/frr: security bump to version 8.5.4
  2024-01-27 22:56 [Buildroot] [PATCH 1/1] package/frr: security bump to version 8.5.4 Fabrice Fontaine
  2024-01-28 17:27 ` Yann E. MORIN
@ 2024-02-28 17:35 ` Peter Korsgaard
  1 sibling, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2024-02-28 17:35 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Vadim Kochan, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2023-38802, CVE-2023-41360, CVE-2023-46752, CVE-2023-46753,
 > CVE-2023-47234 and CVE-2023-47235

 > https://frrouting.org/security/
 > https://frrouting.org/release/8.5.4/

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2023.02.x and 2023.11.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-02-28 17:35 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-01-27 22:56 [Buildroot] [PATCH 1/1] package/frr: security bump to version 8.5.4 Fabrice Fontaine
2024-01-28 17:27 ` Yann E. MORIN
2024-01-30 22:09   ` Peter Korsgaard
2024-02-28 17:35 ` Peter Korsgaard

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox