From 71517717f7654380d7e442e1dfe8bc0a7f7190cb Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 03 2020 11:51:58 +0000
Subject: import frr-7.0-10.el8
---
diff --git a/SOURCES/0005-igmp-trusted-query.patch b/SOURCES/0005-igmp-trusted-query.patch
new file mode 100644
index 0000000..6d6795d
--- /dev/null
+++ b/SOURCES/0005-igmp-trusted-query.patch
@@ -0,0 +1,36 @@
+From ff4516227cc48b3175106a419f43b8fc9eee3710 Mon Sep 17 00:00:00 2001
+From: Donald Sharp
+Date: Tue, 25 Jun 2019 00:30:11 -0400
+Subject: [PATCH] pimd: Dissallow query to be received from a non-connected
+ source
+
+When we receive an igmp query on a interface, ensure that the
+source address of the packet is connected to the incoming
+interface. This will prevent a meanie from crafting a igmp
+packet with a source address less than ours and causing
+us to suspend query activities.
+
+Fixes: #1692
+Signed-off-by: Donald Sharp
+---
+ pimd/pim_igmp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/pimd/pim_igmp.c b/pimd/pim_igmp.c
+index 270f1e3f27..5beabbd8df 100644
+--- a/pimd/pim_igmp.c
++++ b/pimd/pim_igmp.c
+@@ -305,6 +305,13 @@ static int igmp_recv_query(struct igmp_sock *igmp, int query_version,
+ return -1;
+ }
+
++ if (!pim_if_connected_to_source(ifp, from)) {
++ if (PIM_DEBUG_IGMP_PACKETS)
++ zlog_debug("Recv IGMP query on interface: %s from a non-connected source: %s",
++ ifp->name, from_str);
++ return 0;
++ }
++
+ /* Collecting IGMP Rx stats */
+ switch (query_version) {
+ case 1:
diff --git a/SOURCES/0006-CVE-2020-12831.patch b/SOURCES/0006-CVE-2020-12831.patch
new file mode 100644
index 0000000..35df767
--- /dev/null
+++ b/SOURCES/0006-CVE-2020-12831.patch
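Review bot: The `++ return 0;` path makes a query from a non-connected source disappear without any trace unless PIM_DEBUG_IGMP_PACKETS is enabled, because it returns before the `/* Collecting IGMP Rx stats */` switch, so an operator whose querier election is being probed with such packets apparently has no counter or default-level log to notice it. Counting the discard in the interface's IGMP statistics, or emitting a rate-limited warning, in this branch would keep the drop while making it observable, which is the point of the fix. The check itself reads correctly; igmp_recv_query begins before the hunk, so any earlier validation of `from` cannot be seen here. As this file is a backported upstream patch, its Fixes and Signed-off-by trailers should be kept as they are.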
@@ -0,0 +1,17 @@
+diff --git a/redhat/frr.init b/redhat/frr.init
+index b59656a..4cf3fd4 100755
+--- a/redhat/frr.init
++++ b/redhat/frr.init
+@@ -94,10 +94,12 @@ check_daemon()
+ if [ ! -r "$C_PATH/$1-$2.conf" ]; then
+ touch "$C_PATH/$1-$2.conf"
+ chown frr:frr "$C_PATH/$1-$2.conf"
++ chmod 0600 "$C_PATH/$1-$2.conf"
+ fi
+ elif [ ! -r "$C_PATH/$1.conf" ]; then
+ touch "$C_PATH/$1.conf"
+ chown frr:frr "$C_PATH/$1.conf"
++ chmod 0600 "$C_PATH/$1.conf"
+ fi
+ fi
+ return 0
diff --git a/SOURCES/0007-bfd-port-range.patch b/SOURCES/0007-bfd-port-range.patch
new file mode 100644
index 0000000..d687f0e
--- /dev/null
+++ b/SOURCES/0007-bfd-port-range.patch
@@ -0,0 +1,15 @@
+diff --git a/bfdd/bfd.h b/bfdd/bfd.h
+index 3a58a8d..0970333 100644
+--- a/bfdd/bfd.h
++++ b/bfdd/bfd.h
+@@ -315,8 +315,8 @@ struct bfd_iface {
+ #define BFD_PKT_INFO_VAL 1
+ #define BFD_IPV6_PKT_INFO_VAL 1
+ #define BFD_IPV6_ONLY_VAL 1
+-#define BFD_SRCPORTINIT 49142
+-#define BFD_SRCPORTMAX 65536
++#define BFD_SRCPORTINIT 49152
++#define BFD_SRCPORTMAX 65535
+ #define BFD_DEFDESTPORT 3784
+ #define BFD_DEF_ECHO_PORT 3785
+ #define BFD_DEF_MHOP_DEST_PORT 4784
diff --git a/SPECS/frr.spec b/SPECS/frr.spec
index 4d2929b..9a0f0c8 100644
--- a/SPECS/frr.spec
+++ b/SPECS/frr.spec
@@ -9,7 +9,7 @@ Name: frr
 Version: 7.0
-Release: 5%{?checkout}%{?dist}
+Release: 10%{?checkout}%{?dist}
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
@@ -29,6 +29,8 @@ Requires: net-snmp ncurses
 Requires(post): systemd /sbin/install-info
 Requires(preun): systemd /sbin/install-info
 Requires(postun): systemd
+Requires: iproute
+Requires: initscripts
 Provides: routingdaemon = %{version}-%{release}
 Obsoletes: frr-sysvinit quagga
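Review bot: The two `chmod 0600` lines only run inside the `[ ! -r ... ]` branches, i.e. when check_daemon itself creates the file, so a configuration file that already existed with the old permissions keeps them after this change; remediating existing installs needs a separate step that this hunk does not provide. Within the create path, `touch` first creates the file with umask-derived permissions and the mode is tightened only afterwards, so a newly created (empty) file can briefly be readable by others; creating it restrictively from the start, e.g. `(umask 077; touch "$C_PATH/$1-$2.conf")` and likewise for `$1.conf`, removes that window without changing the script's behaviour otherwise. check_daemon starts before the hunk and whatever follows `return 0` is outside SOURCE.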
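Review bot: `BFD_SRCPORTINIT 49152` / `BFD_SRCPORTMAX 65535` now name the RFC 5881 source-port range the changelog cites, but the code that walks or wraps on these macros is outside the hunk, and the old `BFD_SRCPORTMAX 65536` reads like an exclusive upper bound (`port < BFD_SRCPORTMAX`); if that is how it is used, this change silently drops 65535 from the usable range, and if it is `<=`, the previous value would not have fit a 16-bit port — either way the consumer should be checked alongside this edit. A comment tying the two values to the requirement would keep them from drifting again, e.g. `/* RFC 5881 section 4: source port MUST be in 49152..65535 */` above the two defines.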
@@ -37,6 +39,9 @@ Patch0001: 0001-use-python3.patch
 Patch0002: 0002-enable-openssl.patch
 Patch0003: 0003-disable-eigrp-crypto.patch
 Patch0004: 0004-fips-mode.patch
+Patch0005: 0005-igmp-trusted-query.patch
+Patch0006: 0006-CVE-2020-12831.patch
+Patch0007: 0007-bfd-port-range.patch
 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@@ -214,6 +219,21 @@ make check PYTHON=%{__python3}
 %{_includedir}/frr/eigrpd/*.h
 %changelog
+* Thu Aug 20 2020 Michal Ruprich - 7.0-10
+- Resolves: #1867793 - FRR does not conform to the source port range specified in RFC5881
+
+* Thu Aug 20 2020 Michal Ruprich - 7.0-9
+- Resolves: #1852476 - default permission issue eases information leaks
+
+* Tue May 05 2020 Michal Ruprich - 7.0-8
+- Resolves: #1819319 - frr fails to start start if the initscripts package is missing
+
+* Mon May 04 2020 Michal Ruprich - 7.0-7
+- Resolves: #1758544 - IGMPv3 queries may lead to DoS
+
+* Tue Mar 10 2020 Michal Ruprich - 7.0-6
+- Resolves: #1776342 - frr has missing dependency on iproute
+
 * Tue Sep 03 2019 Michal Ruprich - 7.0-5
 - Resolves: #1719465 - Removal of component Frr or its crypto
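Review bot: `Patch0005`–`Patch0007` are declared here, but whether they are applied depends on the %prep section, which is outside the hunk; if %prep uses explicit `%patch` lines rather than `%autosetup`, each new patch — including the CVE-2020-12831 fix — needs a matching entry or the build silently ships without it. The existing Patch0001–Patch0004 go through the same mechanism, so %prep shows which form is in use and, if it is the explicit one, should be updated in this same commit.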