Random ramblings

Friday September 07, 2007

Quagga 0.99.9 released

Quagga 0.99.9 has been released, and is available, along with a full
changelog, in the usual places, such as:

        http://www.quagga.net/download/

Thanks to everyone who helped by reporting bugs and testing fixes.

                        Release notes:
                        -------------

bgpd: Low impact DoS (Mu Security)
----------------------------------

This release fixes two potential DoS conditions in bgpd, reported by Mu
Security, where a bgpd could be crashed if a peer sent a malformed OPEN
message or a malformed COMMUNITY attribute. Only configured peers can do
this, hence we consider these issues to be very low impact.


bgpd: crash with outbound route-maps
------------------------------------

This release fixes a serious regression in bgpd in Quagga 0.99.8, where use
of outbound route-maps would cause a crash.


bgpd: severe performance problems with regexes
----------------------------------------------

Operators who allow untrusted access to the bgpd vty should be aware that
they are vulnerable to such untrusted users running regex commands that may
cause bgpd to block for many minutes.

To try to alleviate this, bgpd now passes the 'REG_NOSUB' flag to regcomp().
This may help good regex implementations to avoid doing a lot of work when
users specify substitutions (which we will never use). Unfortunately, this
doesn't appear to have much of an effect on the platforms I have tested
(Solaris libc and GNU libc).

The 'PCRE' regex implementation however appears to be better behaved, and
does not introduce huge slow-downs when regexes with substitutions are
applied. Operators who continue to offer untrusted vty access may wish to
preload the 'libpcreposix' library (e.g. using LD_PRELOAD). Be aware however
that PCRE is not fully compatible with POSIX extended regexes, and this
workaround may adversely impact existing configurations.
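
The compatibility caveat above can be checked before preloading anything. The
following C harness is an added example (not Quagga code and not part of the
original release notes): it compiles each pattern as a POSIX extended regex
with REG_NOSUB, prints match results to stdout and CPU time to stderr. The
function names are hypothetical and the patterns and AS paths are constructed
samples standing in for an operator's own as-path regexes.

```c
/* Added example, not Quagga source. Patterns and subjects are constructed. */
#include <regex.h>
#include <stdio.h>
#include <time.h>

/* Compile as POSIX ERE with REG_NOSUB (no sub-match offsets wanted) and
 * test one subject. Returns 1 = match, 0 = no match, -1 = compile error. */
int ere_match_nosub(const char *pattern, const char *subject)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    /* With REG_NOSUB the nmatch/pmatch arguments are ignored. */
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Same check, also reporting the CPU milliseconds spent in
 * regcomp() + regexec(), so badly behaved patterns stand out. */
int ere_match_timed(const char *pattern, const char *subject, double *ms)
{
    clock_t start = clock();
    int r = ere_match_nosub(pattern, subject);
    *ms = (double)(clock() - start) * 1000.0 / CLOCKS_PER_SEC;
    return r;
}

int main(void)
{
    const char *patterns[] = { "^65001( [0-9]+)*$", "^(65010|65020) ",
                               "( 64512)+$" };
    const char *subjects[] = { "65001 65002 65003", "65020 65001",
                               "65002 64512 64512" };
    for (size_t i = 0; i < 3; i++)
        for (size_t j = 0; j < 3; j++) {
            double ms;
            int r = ere_match_timed(patterns[i], subjects[j], &ms);
            /* stdout is stable across runs and can be diffed; timings
             * vary, so they go to stderr. */
            printf("%s | %s | %d\n", patterns[i], subjects[j], r);
            fprintf(stderr, "%s | %s | %.3f ms\n",
                    patterns[i], subjects[j], ms);
        }
    return 0;
}
```

Run it once as built and once with libpcreposix preloaded as described above,
then diff the two stdout captures. Any line that differs is a pattern whose
meaning changes under PCRE.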

bgpd: AS-Pathlimit TTL attribute support added
----------------------------------------------

This attribute allows routes to be announced with a limited scope,
specified as a number of AS hops. See the TeXinfo documentation
for further details.

isisd: Now supports Solaris
---------------------------

A short-form list of code related changes:

bgpd:
- [bgpd] low-impact DoS: crash on malformed community with debug set
- [bgpd] bug #398 Bogus free on out route-map, and assert() with rsclients
- [bgpd] Add support for AS_PATHLIMIT / draft-ietf-idr-as-pathlimit
- [bgpd] cleanup, compact and consolidate capability parsing code
- [bgpd] Don't schedule dumps multiple times for same command
- [bgpd] Pass NOSUB to regexec

ospfd:
- [ospfd] Bug #331, NSSA ASBR regression - failure to set E-bit in NSSA areas
- Bug #362 is fixed now.
- [ospfd] Fix bad SPF calculation on some topologies - incorrect sorting

zebra:
- + fixed bug #400: adjusted rtread_sysctl.c:route_read()
- Looks like bug #320 is finally fixed now.
- Fixed ioctl_solaris.c:if_get_mtu() for IPv6'less operation
- Fixed bug #394 "RTF_DONE is ignored in rtm_read()"
- Merged own patch for bug #390 (rewrite zebra/zebra_rib.c:nexthop_active_update())
- Use the proper field length for the peer's address (netlink_interface_addr)
- Bugzilla #384.

isisd:
- [isisd] Add support for Solaris DLPI
( Sep 07 2007, 07:45:44 PM IST )