CVE-2023-38406 CVE-2023-38407 CVE-2023-47234 CVE-2023-47235

2024-01-12 13:50:00 +00:00 · 2024-01-12 13:50:00 +00:00 · 029438c4c6
commit 029438c4c6
parent 742d4de4d8
8 changed files with 480 additions and 2 deletions
--- a/SOURCES/0015-CVE-2023-38802.patch
+++ b/SOURCES/0015-CVE-2023-38802.patch
@ -0,0 +1,128 @@
 From bcb6b58d9530173df41d3a3cbc4c600ee0b4b186 Mon Sep 17 00:00:00 2001
 From: Donatas Abraitis <donatas@opensourcerouting.org>
 Date: Thu, 13 Jul 2023 22:32:03 +0300
 Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation
 attribute
 Before this path we used session reset method, which is discouraged by rfc7606.
 Handle this as rfc requires.
 Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
 ---
 bgpd/bgp_attr.c | 61 ++++++++++++++++++++-----------------------------
 1 file changed, 25 insertions(+), 36 deletions(-)
 diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
 index dcf0f4d47cfb..8c53191d680f 100644
 --- a/bgpd/bgp_attr.c
 +++ b/bgpd/bgp_attr.c
@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
 	case BGP_ATTR_LARGE_COMMUNITIES:
 	case BGP_ATTR_ORIGINATOR_ID:
 	case BGP_ATTR_CLUSTER_LIST:
 +	case BGP_ATTR_ENCAP:
 		return BGP_ATTR_PARSE_WITHDRAW;
 	case BGP_ATTR_MP_REACH_NLRI:
 	case BGP_ATTR_MP_UNREACH_NLRI:
@@ -2434,26 +2435,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
 }
 /* Parse Tunnel Encap attribute in an UPDATE */
 -static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
 -			  bgp_size_t length, /* IN: attr's length field */
 -			  struct attr *attr, /* IN: caller already allocated */
 -			  uint8_t flag,      /* IN: attr's flags field */
 -			  uint8_t *startp)
 +static int bgp_attr_encap(struct bgp_attr_parser_args *args)
 {
 -	bgp_size_t total;
 	uint16_t tunneltype = 0;
 -
 -	total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
 +	struct peer *const peer = args->peer;
 +	struct attr *const attr = args->attr;
 +	bgp_size_t length = args->length;
 +	uint8_t type = args->type;
 +	uint8_t flag = args->flags;
 	if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
 	    || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
 -		zlog_info(
 -			"Tunnel Encap attribute flag isn't optional and transitive %d",
 -			flag);
 -		bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
 -					  BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
 -					  startp, total);
 -		return -1;
 +		zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
 +			 flag);
 +		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
 +					  args->total);
 	}
 	if (BGP_ATTR_ENCAP == type) {
@@ -2461,12 +2457,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
 		uint16_t tlv_length;
 		if (length < 4) {
 -			zlog_info(
 +			zlog_err(
 				"Tunnel Encap attribute not long enough to contain outer T,L");
 -			bgp_notify_send_with_data(
 -				peer, BGP_NOTIFY_UPDATE_ERR,
 -				BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
 -			return -1;
 +			return bgp_attr_malformed(args,
 +						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
 +						  args->total);
 		}
 		tunneltype = stream_getw(BGP_INPUT(peer));
 		tlv_length = stream_getw(BGP_INPUT(peer));
@@ -2496,13 +2491,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
 		}
 		if (sublength > length) {
 -			zlog_info(
 -				"Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
 -				sublength, length);
 -			bgp_notify_send_with_data(
 -				peer, BGP_NOTIFY_UPDATE_ERR,
 -				BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
 -			return -1;
 +			zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
 +				 sublength, length);
 +			return bgp_attr_malformed(args,
 +						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
 +						  args->total);
 		}
 		/* alloc and copy sub-tlv */
@@ -2550,13 +2543,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
 	if (length) {
 		/* spurious leftover data */
 -		zlog_info(
 -			"Tunnel Encap attribute length is bad: %d leftover octets",
 -			length);
 -		bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
 -					  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
 -					  startp, total);
 -		return -1;
 +		zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
 +			 length);
 +		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
 +					  args->total);
 	}
 	return 0;
@@ -3396,8 +3386,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
 		case BGP_ATTR_VNC:
 #endif
 		case BGP_ATTR_ENCAP:
 -			ret = bgp_attr_encap(type, peer, length, attr, flag,
 -					     startp);
 +			ret = bgp_attr_encap(&attr_args);
 			break;
 		case BGP_ATTR_PREFIX_SID:
 			ret = bgp_attr_prefix_sid(&attr_args);
--- a/SOURCES/0016-max-ttl-reload.patch
+++ b/SOURCES/0016-max-ttl-reload.patch
--- a/SOURCES/0017-fix-crash-in-plist-update.patch
+++ b/SOURCES/0017-fix-crash-in-plist-update.patch
@ -0,0 +1,48 @@
 From 0f9e4c4a36cf2b0dd585a7ef97acccb8eebdf7bd Mon Sep 17 00:00:00 2001
 From: Chirag Shah <chirag@nvidia.com>
 Date: Mon, 25 Jan 2021 11:44:56 -0800
 Subject: [PATCH] lib: fix a crash in plist update
 Problem:
 Prefix-list with mulitiple rules, an update to
 a rule/sequence with different prefix/prefixlen
 reset prefix-list next-base pointer to avoid
 having stale value.
 In some case the old next-bast's reference leads
 to an assert in tri (trie_install_fn ) add.
 bt:
 (object=0x55576a4c8a00, updptr=0x55576a4b97e0) at lib/plist.c:560
 (plist=0x55576a4a1770, pentry=0x55576a4c8a00) at lib/plist.c:585
 (ple=0x55576a4c8a00) at lib/plist.c:745
 (args=0x7fffe04beb50) at lib/filter_nb.c:1181
 Solution:
 Reset prefix-list next-base pointer whenver a
 sequence/rule is updated.
 Ticket:CM-33109
 Testing Done:
 Signed-off-by: Chirag Shah <chirag@nvidia.com>
 Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
 (cherry picked from commit f7f101156eb0e225f375f12cf4f863ebbe3fed03)
 ---
 lib/plist.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/lib/plist.c b/lib/plist.c
 index 981e86e2a..c746d1946 100644
 --- a/lib/plist.c
 +++ b/lib/plist.c
@@ -684,6 +684,7 @@ void prefix_list_entry_update_start(struct prefix_list_entry *ple)
 	if (pl->head || pl->tail || pl->desc)
 		pl->master->recent = pl;
 +	ple->next_best = NULL;
 	ple->installed = false;
 }
 -- 
 2.41.0
--- a/SOURCES/0018-CVE-2023-38406.patch
+++ b/SOURCES/0018-CVE-2023-38406.patch
@ -0,0 +1,34 @@
 From 0b999c886e241c52bd1f7ef0066700e4b618ebb3 Mon Sep 17 00:00:00 2001
 From: Donald Sharp <sharpd@nvidia.com>
 Date: Thu, 23 Feb 2023 13:29:32 -0500
 Subject: [PATCH] bgpd: Flowspec overflow issue
 According to the flowspec RFC 8955 a flowspec nlri is <length, <nlri data>>
 Specifying 0 as a length makes BGP get all warm on the inside.  Which
 in this case is not a good thing at all.  Prevent warmth, stay cold
 on the inside.
 Reported-by: Iggy Frankovic <iggyfran@amazon.com>
 Signed-off-by: Donald Sharp <sharpd@nvidia.com>
 ---
 bgpd/bgp_flowspec.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
 index 8d5ca5e77779..f9debe43cd45 100644
 --- a/bgpd/bgp_flowspec.c
 +++ b/bgpd/bgp_flowspec.c
@@ -127,6 +127,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
 				psize);
 			return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
 		}
 +
 +		if (psize == 0) {
 +			flog_err(EC_BGP_FLOWSPEC_PACKET,
 +				 "Flowspec NLRI length 0 which makes no sense");
 +			return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
 +		}
 +
 		if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
 			flog_err(
 				EC_BGP_FLOWSPEC_PACKET,
--- a/SOURCES/0019-CVE-2023-38407.patch
+++ b/SOURCES/0019-CVE-2023-38407.patch
@ -0,0 +1,54 @@
 From 7404a914b0cafe046703c8381903a80d3def8f8b Mon Sep 17 00:00:00 2001
 From: Donald Sharp <sharpd@nvidia.com>
 Date: Fri, 3 Mar 2023 21:58:33 -0500
 Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing
 Fixes a couple crashes associated with attempting to read
 beyond the end of the stream.
 Reported-by: Iggy Frankovic <iggyfran@amazon.com>
 Signed-off-by: Donald Sharp <sharpd@nvidia.com>
 ---
 bgpd/bgp_label.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c
 index 0cad119af101..c4a5277553ba 100644
 --- a/bgpd/bgp_label.c
 +++ b/bgpd/bgp_label.c
@@ -297,6 +297,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen,
 	uint8_t llen = 0;
 	uint8_t label_depth = 0;
 +	if (plen < BGP_LABEL_BYTES)
 +		return 0;
 +
 	for (; data < lim; data += BGP_LABEL_BYTES) {
 		memcpy(label, data, BGP_LABEL_BYTES);
 		llen += BGP_LABEL_BYTES;
@@ -359,6 +362,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
 			memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);
 			addpath_id = ntohl(addpath_id);
 			pnt += BGP_ADDPATH_ID_LEN;
 +
 +			if (pnt >= lim)
 +				return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
 		}
 		/* Fetch prefix length. */
@@ -377,6 +383,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
 		/* Fill in the labels */
 		llen = bgp_nlri_get_labels(peer, pnt, psize, &label);
 +		if (llen == 0) {
 +			flog_err(
 +				EC_BGP_UPDATE_RCV,
 +				"%s [Error] Update packet error (wrong label length 0)",
 +				peer->host);
 +			bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR,
 +					BGP_NOTIFY_UPDATE_INVAL_NETWORK);
 +			return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH;
 +		}
 		p.prefixlen = prefixlen - BSIZE(llen);
 		/* There needs to be at least one label */
--- a/SOURCES/0020-CVE-2023-47234.patch
+++ b/SOURCES/0020-CVE-2023-47234.patch
@ -0,0 +1,89 @@
 From c37119df45bbf4ef713bc10475af2ee06e12f3bf Mon Sep 17 00:00:00 2001
 From: Donatas Abraitis <donatas@opensourcerouting.org>
 Date: Sun, 29 Oct 2023 22:44:45 +0200
 Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI
 If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if
 no mandatory path attributes received.
 In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled
 as a new data, but without mandatory attributes, it's a malformed packet.
 In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST
 handle that.
 Reported-by: Iggy Frankovic <iggyfran@amazon.com>
 Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
 ---
 bgpd/bgp_attr.c   | 19 ++++++++++---------
 bgpd/bgp_attr.h   |  1 +
 bgpd/bgp_packet.c |  7 ++++++-
 3 files changed, 17 insertions(+), 10 deletions(-)
 diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
 index 1473dc772502..75aa2ac7cce6 100644
 --- a/bgpd/bgp_attr.c
 +++ b/bgpd/bgp_attr.c
@@ -3399,15 +3399,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
 	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
 		return BGP_ATTR_PARSE_PROCEED;
 -	/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
 -	   to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
 -	   are present, it should.  Check for any other attribute being present
 -	   instead.
 -	 */
 -	if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
 -	     CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))))
 -		return BGP_ATTR_PARSE_PROCEED;
 -
 	if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
 		type = BGP_ATTR_ORIGIN;
@@ -3426,6 +3417,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
 	    && !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF)))
 		type = BGP_ATTR_LOCAL_PREF;
 +	/* An UPDATE message that contains the MP_UNREACH_NLRI is not required
 +	 * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI
 +	 * are present, it should. Check for any other attribute being present
 +	 * instead.
 +	 */
 +	if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
 +	    CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))
 +		return type ? BGP_ATTR_PARSE_MISSING_MANDATORY
 +			    : BGP_ATTR_PARSE_PROCEED;
 +
 	/* If any of the well-known mandatory attributes are not present
 	 * in an UPDATE message, then "treat-as-withdraw" MUST be used.
 	 */
 diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
 index fc347e7a1b4b..d30155e6dba0 100644
 --- a/bgpd/bgp_attr.h
 +++ b/bgpd/bgp_attr.h
@@ -364,6 +364,7 @@ enum bgp_attr_parse_ret {
 	   */
 	BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
 	BGP_ATTR_PARSE_EOR = -4,
 +	BGP_ATTR_PARSE_MISSING_MANDATORY = -4,
 } bgp_attr_parse_ret_t;
 struct bpacket_attr_vec_arr;
 diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
 index a7514a26aa64..5dc35157ebf6 100644
 --- a/bgpd/bgp_packet.c
 +++ b/bgpd/bgp_packet.c
@@ -2359,7 +2359,12 @@ static int bgp_update_receive(struct peer_connection *connection,
 	/* Network Layer Reachability Information. */
 	update_len = end - stream_pnt(s);
 -	if (update_len) {
 +	/* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then
 +	 * NLRIs should be handled as a new data. Though, if we received
 +	 * NLRIs without mandatory attributes, they should be ignored.
 +	 */
 +	if (update_len && attribute_len &&
 +	    attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) {
 		/* Set NLRI portion to structure. */
 		nlris[NLRI_UPDATE].afi = AFI_IP;
 		nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
--- a/SOURCES/0021-CVE-2023-47235.patch
+++ b/SOURCES/0021-CVE-2023-47235.patch
@ -0,0 +1,105 @@
 From 6814f2e0138a6ea5e1f83bdd9085d9a77999900b Mon Sep 17 00:00:00 2001
 From: Donatas Abraitis <donatas@opensourcerouting.org>
 Date: Fri, 27 Oct 2023 11:56:45 +0300
 Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of
 malformed attrs
 Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be
 processed as a normal UPDATE without mandatory attributes, that could lead
 to harmful behavior. In this case, a crash for route-maps with the configuration
 such as:
 ```
 router bgp 65001
 no bgp ebgp-requires-policy
 neighbor 127.0.0.1 remote-as external
 neighbor 127.0.0.1 passive
 neighbor 127.0.0.1 ebgp-multihop
 neighbor 127.0.0.1 disable-connected-check
 neighbor 127.0.0.1 update-source 127.0.0.2
 neighbor 127.0.0.1 timers 3 90
 neighbor 127.0.0.1 timers connect 1
 !
 address-family ipv4 unicast
  neighbor 127.0.0.1 addpath-tx-all-paths
  neighbor 127.0.0.1 default-originate
  neighbor 127.0.0.1 route-map RM_IN in
 exit-address-family
 exit
 !
 route-map RM_IN permit 10
 set as-path prepend 200
 exit
 ```
 Send a malformed optional transitive attribute:
 ```
 import socket
 import time
 OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
 b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02"
 b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02"
 b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00"
 b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d"
 b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01"
 b"\x80\x00\x00\x00")
 KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
 b"\xff\xff\xff\xff\xff\xff\x00\x13\x04")
 UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b")
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.connect(('127.0.0.2', 179))
 s.send(OPEN)
 data = s.recv(1024)
 s.send(KEEPALIVE)
 data = s.recv(1024)
 s.send(UPDATE)
 data = s.recv(1024)
 time.sleep(100)
 s.close()
 ```
 Reported-by: Iggy Frankovic <iggyfran@amazon.com>
 Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
 ---
 bgpd/bgp_attr.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
 diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
 index cf2dbe65b805..1473dc772502 100644
 --- a/bgpd/bgp_attr.c
 +++ b/bgpd/bgp_attr.c
@@ -3391,9 +3391,12 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
 	uint8_t type = 0;
 	/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
 -	 * empty UPDATE.  */
 +	 * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it,
 +	 * we will pass it to be processed as a normal UPDATE without mandatory
 +	 * attributes, that could lead to harmful behavior.
 +	 */
 	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
 -		return BGP_ATTR_PARSE_PROCEED;
 +		return BGP_ATTR_PARSE_WITHDRAW;
 	if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
 		type = BGP_ATTR_ORIGIN;
@@ -3273,7 +3276,13 @@ done:
 		aspath_unintern(&as4_path);
 	}
 -	if (ret != BGP_ATTR_PARSE_ERROR) {
 +	/* If we received an UPDATE with mandatory attributes, then
 +	* the unrecognized transitive optional attribute of that
 +	* path MUST be passed. Otherwise, it's an error, and from
 +	* security perspective it might be very harmful if we continue
 +	* here with the unrecognized attributes.
 +	*/
 +	if (ret == BGP_ATTR_PARSE_PROCEED) {
 		/* Finally intern unknown attribute. */
 		if (attr->transit)
 			attr->transit = transit_intern(attr->transit);
--- a/SPECS/frr.spec
+++ b/SPECS/frr.spec
@ -7,7 +7,7 @@
 Name: frr
 Version: 7.5.1
-Release: 13%{?checkout}%{?dist}
+Release: 13%{?checkout}%{?dist}.3.alma.1
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
@ -54,7 +54,20 @@ Patch0011: 0011-reload-bfd-profile.patch
 Patch0012: 0012-graceful-restart.patch
 Patch0013: 0013-CVE-2022-37032.patch
 Patch0014: 0014-bfd-profile-crash.patch
-Patch0015: 0015-max-ttl-reload.patch
+# https://git.almalinux.org/rpms/frr/raw/commit/7599d0ae96d0c1d1f42ae62e1f885ee58ed5b0cd/SOURCES/0010-CVE-2023-38802.patch
 Patch0015: 0015-CVE-2023-38802.patch
 # # https://gitlab.com/redhat/centos-stream/rpms/frr/-/blob/2dfcf2f37454302c56d8713db9d9d16e7d4d36d3/0015-max-ttl-reload.patch
 Patch0016: 0016-max-ttl-reload.patch
 # https://gitlab.com/redhat/centos-stream/rpms/frr/-/blob/2dfcf2f37454302c56d8713db9d9d16e7d4d36d3/0017-fix-crash-in-plist-update.patch
 Patch0017: 0017-fix-crash-in-plist-update.patch
 # https://gitlab.com/redhat/centos-stream/rpms/frr/-/blob/2dfcf2f37454302c56d8713db9d9d16e7d4d36d3/0018-CVE-2023-38406.patch
 Patch0018: 0018-CVE-2023-38406.patch
 # https://gitlab.com/redhat/centos-stream/rpms/frr/-/blob/2dfcf2f37454302c56d8713db9d9d16e7d4d36d3/0019-CVE-2023-38407.patch
 Patch0019: 0019-CVE-2023-38407.patch
 # https://gitlab.com/redhat/centos-stream/rpms/frr/-/blob/2dfcf2f37454302c56d8713db9d9d16e7d4d36d3/0020-CVE-2023-47234.patch
 Patch0020: 0020-CVE-2023-47234.patch
 # https://gitlab.com/redhat/centos-stream/rpms/frr/-/blob/2dfcf2f37454302c56d8713db9d9d16e7d4d36d3/0021-CVE-2023-47235.patch
 Patch0021: 0021-CVE-2023-47235.patch
 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@ -275,6 +288,13 @@ make check PYTHON=%{__python3}
 %endif
 %changelog
 * Fri Jan 12 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 7.5.1-13.3.alma.1
 - Resolves: RHEL-15916 - Flowspec overflow in bgpd/bgp_flowspec.c
 - Resolves: RHEL-15919 - Out of bounds read in bgpd/bgp_label.c
 - Resolves: RHEL-15869 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message
 - Resolves: RHEL-15868 - crash from malformed EOR-containing BGP UPDATE message
 - Resolves: RHEL-12039 - crash in plist update
 * Tue Oct 10 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-13
 - Resolves: RHEL-2263 - eBGP multihop peer flapping due to delta miscalculation of new configuration