CVE-2023-38406
Description
Moderate: frr security update
Mitigations
Vendor advisory: alma — https://errata.almalinux.org/9/ALSA-2024-0477.html
Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2024-0130.html
Vendor advisory: alma — https://bugzilla.redhat.com/2248528
Vendor advisory: alma — https://bugzilla.redhat.com/2248526
Vendor advisory: alma — https://bugzilla.redhat.com/2248208
Vendor advisory: alma — https://bugzilla.redhat.com/2248207
Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2024:0130
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2023-38406.html
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2023-38406
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2024:0130
Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2024:0477
Mitigation details
Description
frr: Flowspec overflow in bgpd/bgp_flowspec.c
Red Hat statement
Red Hat OpenStack Platform does not ship its own version of the frr package, instead using the version from the underlying Red Hat Enterprise Linux. RHOSP is marked as Not Affected as no changes need to be made by the OpenStack engineering team. System administrators of OpenStack deployments should apply updates once available in RHEL.
CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | frr-0:7.5.1-13.el8_9.3 | RHSA-2024:0130 | 2024-01-10T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Extended Update Support | frr-0:7.5-11.el8_6.7 | RHSA-2024:1113 | 2024-03-05T00:00:00Z |
| Red Hat Enterprise Linux 8.8 Extended Update Support | frr-0:7.5.1-7.el8_8.5 | RHSA-2024:0574 | 2024-01-30T00:00:00Z |
| Red Hat Enterprise Linux 9 | frr-0:8.3.1-11.el9_3.2 | RHSA-2024:0477 | 2024-01-25T00:00:00Z |
| Red Hat Enterprise Linux 9.0 Extended Update Support | frr-0:8.0-5.el9_0.3 | RHSA-2024:1152 | 2024-03-05T00:00:00Z |
| Red Hat Enterprise Linux 9.2 Extended Update Support | frr-0:8.3.1-5.el9_2.4 | RHSA-2024:1093 | 2024-03-05T00:00:00Z |
Apply commands

```
yum update -y frr
# or:
dnf upgrade -y frr
```
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rhel | 9 | fixed | |
| rocky | 8 | fixed | |
| debian | bookworm | fixed | 8.4.4-1.1~deb12u1 |
| debian | bullseye | fixed | 7.5.1-1.1+deb11u3 |
| debian | forky | fixed | 8.4.4-1 |
| debian | sid | fixed | 8.4.4-1 |
| debian | trixie | fixed | 8.4.4-1 |
| sles | | affected | |