rpms/frr
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import frr-7.0-10.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-11-03 06:51:58 -05:00 committed by Andrew Lukoshko
parent 7db87818ed
commit ab60136027
4 changed files with 89 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
SOURCES/0005-igmp-trusted-query.patch Normal file
View File

@ -0,0 +1,36 @@
From ff4516227cc48b3175106a419f43b8fc9eee3710 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@cumulusnetworks.com>
Date: Tue, 25 Jun 2019 00:30:11 -0400
Subject: [PATCH] pimd: Dissallow query to be received from a non-connected
source
When we receive an igmp query on a interface, ensure that the
source address of the packet is connected to the incoming
interface. This will prevent a meanie from crafting a igmp
packet with a source address less than ours and causing
us to suspend query activities.
Fixes: #1692
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
---
pimd/pim_igmp.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/pimd/pim_igmp.c b/pimd/pim_igmp.c
index 270f1e3f27..5beabbd8df 100644
--- a/pimd/pim_igmp.c
+++ b/pimd/pim_igmp.c
@@ -305,6 +305,13 @@ static int igmp_recv_query(struct igmp_sock *igmp, int query_version,
return -1;
}
+ if (!pim_if_connected_to_source(ifp, from)) {
+ if (PIM_DEBUG_IGMP_PACKETS)
+ zlog_debug("Recv IGMP query on interface: %s from a non-connected source: %s",
+ ifp->name, from_str);
+ return 0;
+ }
+
/* Collecting IGMP Rx stats */
switch (query_version) {
case 1:

17
SOURCES/0006-CVE-2020-12831.patch Normal file
View File

@ -0,0 +1,17 @@
diff --git a/redhat/frr.init b/redhat/frr.init
index b59656a..4cf3fd4 100755
--- a/redhat/frr.init
+++ b/redhat/frr.init
@@ -94,10 +94,12 @@ check_daemon()
if [ ! -r "$C_PATH/$1-$2.conf" ]; then
touch "$C_PATH/$1-$2.conf"
chown frr:frr "$C_PATH/$1-$2.conf"
+ chmod 0600 "$C_PATH/$1-$2.conf"
fi
elif [ ! -r "$C_PATH/$1.conf" ]; then
touch "$C_PATH/$1.conf"
chown frr:frr "$C_PATH/$1.conf"
+ chmod 0600 "$C_PATH/$1.conf"
fi
fi
return 0

15
SOURCES/0007-bfd-port-range.patch Normal file
View File

@ -0,0 +1,15 @@
diff --git a/bfdd/bfd.h b/bfdd/bfd.h
index 3a58a8d..0970333 100644
--- a/bfdd/bfd.h
+++ b/bfdd/bfd.h
@@ -315,8 +315,8 @@ struct bfd_iface {
#define BFD_PKT_INFO_VAL 1
#define BFD_IPV6_PKT_INFO_VAL 1
#define BFD_IPV6_ONLY_VAL 1
-#define BFD_SRCPORTINIT 49142
-#define BFD_SRCPORTMAX 65536
+#define BFD_SRCPORTINIT 49152
+#define BFD_SRCPORTMAX 65535
#define BFD_DEFDESTPORT 3784
#define BFD_DEF_ECHO_PORT 3785
#define BFD_DEF_MHOP_DEST_PORT 4784

22
SPECS/frr.spec
View File

@ -9,7 +9,7 @@
Name: frr Name: frr
Version: 7.0 Version: 7.0
Release: 5%{?checkout}%{?dist} Release: 10%{?checkout}%{?dist}
Summary: Routing daemon Summary: Routing daemon
License: GPLv2+ License: GPLv2+
URL: http://www.frrouting.org URL: http://www.frrouting.org
@ -29,6 +29,8 @@ Requires: net-snmp ncurses
Requires(post): systemd /sbin/install-info Requires(post): systemd /sbin/install-info
Requires(preun): systemd /sbin/install-info Requires(preun): systemd /sbin/install-info
Requires(postun): systemd Requires(postun): systemd
Requires: iproute
Requires: initscripts
Provides: routingdaemon = %{version}-%{release} Provides: routingdaemon = %{version}-%{release}
Obsoletes: frr-sysvinit quagga Obsoletes: frr-sysvinit quagga
@ -37,6 +39,9 @@ Patch0001: 0001-use-python3.patch
Patch0002: 0002-enable-openssl.patch Patch0002: 0002-enable-openssl.patch
Patch0003: 0003-disable-eigrp-crypto.patch Patch0003: 0003-disable-eigrp-crypto.patch
Patch0004: 0004-fips-mode.patch Patch0004: 0004-fips-mode.patch
Patch0005: 0005-igmp-trusted-query.patch
Patch0006: 0006-CVE-2020-12831.patch
Patch0007: 0007-bfd-port-range.patch
%description %description
FRRouting is free software that manages TCP/IP based routing protocols. It takes FRRouting is free software that manages TCP/IP based routing protocols. It takes
@ -214,6 +219,21 @@ make check PYTHON=%{__python3}
%{_includedir}/frr/eigrpd/*.h %{_includedir}/frr/eigrpd/*.h
%changelog %changelog
* Thu Aug 20 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-10
- Resolves: #1867793 - FRR does not conform to the source port range specified in RFC5881
* Thu Aug 20 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-9
- Resolves: #1852476 - default permission issue eases information leaks
* Tue May 05 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-8
- Resolves: #1819319 - frr fails to start start if the initscripts package is missing
* Mon May 04 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-7
- Resolves: #1758544 - IGMPv3 queries may lead to DoS
* Tue Mar 10 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-6
- Resolves: #1776342 - frr has missing dependency on iproute
* Tue Sep 03 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-5 * Tue Sep 03 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-5
- Resolves: #1719465 - Removal of component Frr or its crypto - Resolves: #1719465 - Removal of component Frr or its crypto