- zebra: Make netlink buffer reads resizeable when needed

CVE-2023-38406 CVE-2023-38407 CVE-2023-47234 CVE-2023-47235
Sync with c8-beta
2024-02-21 12:42:55 +03:00 · 2024-01-12 13:50:00 +00:00 · 2024-01-12 13:40:50 +00:00 · 2023-09-20 16:12:26 +03:00
10 changed files with 18 additions and 402 deletions
--- a/.frr.metadata
+++ b/.frr.metadata
@ -0,0 +1 @@
+dfc756dfd123360d1e1a760d66821e47f9a6afed SOURCES/frr-7.5.1.tar.gz
--- a/SOURCES/0015-CVE-2023-38802.patch
+++ b/SOURCES/0015-CVE-2023-38802.patch
@ -1,4 +1,4 @@
-From 46817adab03802355c3cce7b753c7a735bdcc5ae Mon Sep 17 00:00:00 2001
+From bcb6b58d9530173df41d3a3cbc4c600ee0b4b186 Mon Sep 17 00:00:00 2001
 From: Donatas Abraitis <donatas@opensourcerouting.org>
 Date: Thu, 13 Jul 2023 22:32:03 +0300
 Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation
@ -9,13 +9,12 @@ Before this path we used session reset method, which is discouraged by rfc7606.
 Handle this as rfc requires.

 Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
-(cherry picked from commit bcb6b58d9530173df41d3a3cbc4c600ee0b4b186)
 ---
 bgpd/bgp_attr.c | 61 ++++++++++++++++++++-----------------------------
 1 file changed, 25 insertions(+), 36 deletions(-)

 diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
-index 058fae23cbd..1c0803cfd8e 100644
+index dcf0f4d47cfb..8c53191d680f 100644
 --- a/bgpd/bgp_attr.c
 +++ b/bgpd/bgp_attr.c
@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
--- a/SOURCES/0016-max-ttl-reload.patch
+++ b/SOURCES/0016-max-ttl-reload.patch
--- a/SOURCES/0022-dynamic-netlink-buffer.patch
+++ b/SOURCES/0022-dynamic-netlink-buffer.patch
--- a/SOURCES/0022-route-map-event.patch
+++ b/SOURCES/0022-route-map-event.patch
@ -1,47 +0,0 @@
-From 4fc5dafd1c8167a98e3a5f51efc1ea5092513364 Mon Sep 17 00:00:00 2001
-From: rgirada <rgirada@vmware.com>
-Date: Thu, 18 Feb 2021 20:15:40 -0800
-Subject: [PATCH] lib: Routemap is not getting applied upon changing the
- routemap action
-
-Description:
-	This looks broken after NB changes in routemap. When routemap
-	action modified from permit to deny, it is expected to apply
-	the new action on the filtered routes before the action in the
-	routemap data structure has been changed. But currently this is
-	not handled by the corresponding northbound API.
-
-Signed-off-by: Rajesh Girada <rgirada@vmware.com>
---
- lib/routemap_northbound.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/lib/routemap_northbound.c b/lib/routemap_northbound.c
-index db06e9caac75..3473ca2aea8c 100644
--- a/lib/routemap_northbound.c
-+++ b/lib/routemap_northbound.c
-@@ -271,6 +271,7 @@ lib_route_map_entry_description_destroy(struct nb_cb_destroy_args *args)
- static int lib_route_map_entry_action_modify(struct nb_cb_modify_args *args)
- {
- 	struct route_map_index *rmi;
-+	struct route_map *map;
- 
- 	switch (args->event) {
- 	case NB_EV_VALIDATE:
-@@ -281,7 +282,15 @@ static int lib_route_map_entry_action_modify(struct nb_cb_modify_args *args)
- 	case NB_EV_APPLY:
- 		rmi = nb_running_get_entry(args->dnode, NULL, true);
- 		rmi->type = yang_dnode_get_enum(args->dnode, NULL);
-		/* TODO: notify? */
-+		map = rmi->map;
-+
-+		/* Execute event hook. */
-+		if (route_map_master.event_hook) {
-+			(*route_map_master.event_hook)(map->name);
-+			route_map_notify_dependencies(map->name,
-+						      RMAP_EVENT_CALL_ADDED);
-+		}
-+
- 		break;
- 	}
- 
--- a/SOURCES/0023-CVE-2023-46752.patch
+++ b/SOURCES/0023-CVE-2023-46752.patch
@ -1,76 +0,0 @@
-From b08afc81c60607a4f736f418f2e3eb06087f1a35 Mon Sep 17 00:00:00 2001
-From: Donatas Abraitis <donatas@opensourcerouting.org>
-Date: Fri, 20 Oct 2023 17:49:18 +0300
-Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session
- reset
-
-Avoid crashing bgpd.
-
-Reported-by: Iggy Frankovic <iggyfran@amazon.com>
-Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
---
- bgpd/bgp_attr.c   | 6 +-----
- bgpd/bgp_attr.h   | 1 -
- bgpd/bgp_packet.c | 6 +-----
- 3 files changed, 2 insertions(+), 11 deletions(-)
-
-diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
-index 6925aff727e2..e7bb42a5d989 100644
--- a/bgpd/bgp_attr.c
-+++ b/bgpd/bgp_attr.c
-@@ -2421,7 +2421,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
- 
- 		mp_update->afi = afi;
- 		mp_update->safi = safi;
-		return BGP_ATTR_PARSE_EOR;
-+		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);
- 	}
- 
- 	mp_update->afi = afi;
-@@ -3759,10 +3759,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
- 			goto done;
- 		}
- 
-		if (ret == BGP_ATTR_PARSE_EOR) {
-			goto done;
-		}
-
- 		if (ret == BGP_ATTR_PARSE_ERROR) {
- 			flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR,
- 				  "%s: Attribute %s, parse error", peer->host,
-diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
-index 961e5f122470..fc347e7a1b4b 100644
--- a/bgpd/bgp_attr.h
-+++ b/bgpd/bgp_attr.h
-@@ -364,7 +364,6 @@ enum bgp_attr_parse_ret {
- 	/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
- 	   */
- 	BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
-	BGP_ATTR_PARSE_EOR = -4,
- 	BGP_ATTR_PARSE_MISSING_MANDATORY = -4,
- } bgp_attr_parse_ret_t;
- 
-diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
-index b585591e2f69..5ecf343b6657 100644
--- a/bgpd/bgp_packet.c
-+++ b/bgpd/bgp_packet.c
-@@ -2397,8 +2397,7 @@ static int bgp_update_receive(struct peer_connection *connection,
- 	 * Non-MP IPv4/Unicast EoR is a completely empty UPDATE
- 	 * and MP EoR should have only an empty MP_UNREACH
- 	 */
-	if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0)
-	    || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) {
-+	if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) {
- 		afi_t afi = 0;
- 		safi_t safi;
- 		struct graceful_restart_info *gr_info;
-@@ -2419,9 +2418,6 @@ static int bgp_update_receive(struct peer_connection *connection,
- 			   && nlris[NLRI_MP_WITHDRAW].length == 0) {
- 			afi = nlris[NLRI_MP_WITHDRAW].afi;
- 			safi = nlris[NLRI_MP_WITHDRAW].safi;
-		} else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) {
-			afi = nlris[NLRI_MP_UPDATE].afi;
-			safi = nlris[NLRI_MP_UPDATE].safi;
- 		}
- 
- 		if (afi && peer->afc[afi][safi]) {
--- a/SOURCES/0024-CVE-2023-46753.patch
+++ b/SOURCES/0024-CVE-2023-46753.patch
@ -1,60 +0,0 @@
-From d8482bf011cb2b173e85b65b4bf3d5061250cdb9 Mon Sep 17 00:00:00 2001
-From: Donatas Abraitis <donatas@opensourcerouting.org>
-Date: Mon, 23 Oct 2023 23:34:10 +0300
-Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE
- message
-
-If we send a crafted BGP UPDATE message without mandatory attributes, we do
-not check if the length of the path attributes is zero or not. We only check
-if attr->flag is at least set or not. Imagine we send only unknown transit
-attribute, then attr->flag is always 0. Also, this is true only if graceful-restart
-capability is received.
-
-Reported-by: Iggy Frankovic <iggyfran@amazon.com>
-Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
---
- bgpd/bgp_attr.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
-index 26fd3de..bcc4424 100644
--- a/bgpd/bgp_attr.c
-+++ b/bgpd/bgp_attr.c
-@@ -3400,7 +3400,8 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args)
- }
- 
- /* Well-known attribute check. */
-static int bgp_attr_check(struct peer *peer, struct attr *attr)
-+static int bgp_attr_check(struct peer *peer, struct attr *attr,
-+           bgp_size_t length)
- {
- 	uint8_t type = 0;
- 
-@@ -3409,7 +3410,8 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
- 	 * we will pass it to be processed as a normal UPDATE without mandatory
- 	 * attributes, that could lead to harmful behavior.
- 	 */
-	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
-+	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
-+      !length)
- 		return BGP_ATTR_PARSE_WITHDRAW;
- 
- 	if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
-@@ -3462,7 +3464,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
- 	bgp_attr_parse_ret_t ret;
- 	uint8_t flag = 0;
- 	uint8_t type = 0;
-	bgp_size_t length;
-+	bgp_size_t length = 0;
- 	uint8_t *startp, *endp;
- 	uint8_t *attr_endp;
- 	uint8_t seen[BGP_ATTR_BITMAP_SIZE];
-@@ -3216,7 +3218,7 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr,
- 	}
- 
- 	/* Check all mandatory well-known attributes are present */
-	if ((ret = bgp_attr_check(peer, attr)) < 0)
-+	if ((ret = bgp_attr_check(peer, attr, length)) < 0)
- 		goto done;
- 
- 	/*
--- a/SOURCES/0025-CVE-2023-31490.patch
+++ b/SOURCES/0025-CVE-2023-31490.patch
@ -1,150 +0,0 @@
-From 06431bfa7570f169637ebb5898f0b0cc3b010802 Mon Sep 17 00:00:00 2001
-From: Donald Sharp <sharpd@nvidia.com>
-Date: Tue, 6 Dec 2022 10:23:11 -0500
-Subject: [PATCH] bgpd: Ensure stream received has enough data
-
-BGP_PREFIX_SID_SRV6_L3_SERVICE attributes must not
-fully trust the length value specified in the nlri.
-Always ensure that the amount of data we need to read
-can be fullfilled.
-
-Reported-by: Iggy Frankovic <iggyfran@amazon.com>
-Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
- bgpd/bgp_attr.c | 79 ++++++++++++++++---------------------------------
- 1 file changed, 25 insertions(+), 54 deletions(-)
-
-diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
-index c35e45275c9b..5b06bc391375 100644
--- a/bgpd/bgp_attr.c
-+++ b/bgpd/bgp_attr.c
-@@ -2927,9 +2927,21 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
- 	uint16_t endpoint_behavior;
- 	char buf[BUFSIZ];
- 
-+	/*
-+	 * Check that we actually have at least as much data as
-+	 * specified by the length field
-+	 */
-+	if (STREAM_READABLE(peer->curr) < length) {
-+		flog_err(
-+			EC_BGP_ATTR_LEN,
-+			"Prefix SID specifies length %hu, but only %zu bytes remain",
-+			length, STREAM_READABLE(peer->curr));
-+		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
-+					  args->total);
-+	}
-+
- 	if (type == BGP_PREFIX_SID_LABEL_INDEX) {
-		if (STREAM_READABLE(peer->curr) < length
-		    || length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
-+		if (length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
- 			flog_err(EC_BGP_ATTR_LEN,
- 				 "Prefix SID label index length is %hu instead of %u",
- 				 length, BGP_PREFIX_SID_LABEL_INDEX_LENGTH);
-@@ -2951,12 +2963,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
- 		/* Store label index; subsequently, we'll check on
- 		 * address-family */
- 		attr->label_index = label_index;
-	}
-
-	/* Placeholder code for the IPv6 SID type */
-	else if (type == BGP_PREFIX_SID_IPV6) {
-		if (STREAM_READABLE(peer->curr) < length
-		    || length != BGP_PREFIX_SID_IPV6_LENGTH) {
-+	} else if (type == BGP_PREFIX_SID_IPV6) {
-+		if (length != BGP_PREFIX_SID_IPV6_LENGTH) {
- 			flog_err(EC_BGP_ATTR_LEN,
- 				 "Prefix SID IPv6 length is %hu instead of %u",
- 				 length, BGP_PREFIX_SID_IPV6_LENGTH);
-@@ -2970,10 +2978,7 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
- 		stream_getw(peer->curr);
- 
- 		stream_get(&ipv6_sid, peer->curr, 16);
-	}
-
-	/* Placeholder code for the Originator SRGB type */
-	else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
-+	} else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
- 		/*
- 		 * ietf-idr-bgp-prefix-sid-05:
- 		 *     Length is the total length of the value portion of the
-@@ -2998,19 +3003,6 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
- 				args->total);
- 		}
- 
-		/*
-		 * Check that we actually have at least as much data as
-		 * specified by the length field
-		 */
-		if (STREAM_READABLE(peer->curr) < length) {
-			flog_err(EC_BGP_ATTR_LEN,
-				 "Prefix SID Originator SRGB specifies length %hu, but only %zu bytes remain",
-				 length, STREAM_READABLE(peer->curr));
-			return bgp_attr_malformed(
-				args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
-				args->total);
-		}
-
- 		/*
- 		 * Check that the portion of the TLV containing the sequence of
- 		 * SRGBs corresponds to a multiple of the SRGB size; to get
-@@ -3034,12 +3026,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
- 			stream_get(&srgb_base, peer->curr, 3);
- 			stream_get(&srgb_range, peer->curr, 3);
- 		}
-	}
-
-	/* Placeholder code for the VPN-SID Service type */
-	else if (type == BGP_PREFIX_SID_VPN_SID) {
-		if (STREAM_READABLE(peer->curr) < length
-		    || length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
-+	} else if (type == BGP_PREFIX_SID_VPN_SID) {
-+		if (length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
- 			flog_err(EC_BGP_ATTR_LEN,
- 				 "Prefix SID VPN SID length is %hu instead of %u",
- 				 length, BGP_PREFIX_SID_VPN_SID_LENGTH);
-@@ -2601,18 +2589,13 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
- 					 sizeof(struct bgp_attr_srv6_vpn));
- 		attr->srv6_vpn->sid_flags = sid_flags;
- 		sid_copy(&attr->srv6_vpn->sid, &ipv6_sid);
-	}
-
-	/* Placeholder code for the SRv6 L3 Service type */
-	else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
-		if (STREAM_READABLE(peer->curr) < length
-		    || length != BGP_PREFIX_SID_SRV6_L3_SERVICE_LENGTH) {
-			flog_err(EC_BGP_ATTR_LEN,
-				 "Prefix SID SRv6 L3-Service length is %hu instead of %u",
-				 length, BGP_PREFIX_SID_SRV6_L3_SERVICE_LENGTH);
-			return bgp_attr_malformed(args,
-				 BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
-				 args->total);
-+		} else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
-+			if (STREAM_READABLE(peer->curr) < 1) {
-+				flog_err(EC_BGP_ATTR_LEN,
-+				"Prefix SID SRV6 L3 Service not enough data left, it must be at least 1 byte");
-+			return bgp_attr_malformed(
-+				args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
-+				args->total);
- 		}
- 
- 		/* Parse L3-SERVICE Sub-TLV */
-@@ -2647,17 +2630,6 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
- 
- 	/* Placeholder code for Unsupported TLV */
- 	else {
-
-		if (STREAM_READABLE(peer->curr) < length) {
-			flog_err(
-				EC_BGP_ATTR_LEN,
-				"Prefix SID SRv6 length is %hu - too long, only %zu remaining in this UPDATE",
-				length, STREAM_READABLE(peer->curr));
-			return bgp_attr_malformed(
-				args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
-				args->total);
-		}
-
- 		if (bgp_debug_update(peer, NULL, NULL, 1))
- 			zlog_debug(
- 				"%s attr Prefix-SID sub-type=%u is not supported, skipped",
--- a/SOURCES/0026-CVE-2023-41909.patch
+++ b/SOURCES/0026-CVE-2023-41909.patch
@ -1,34 +0,0 @@
-From cfd04dcb3e689754a72507d086ba3b9709fc5ed8 Mon Sep 17 00:00:00 2001
-From: Donald Sharp <sharpd@nvidia.com>
-Date: Wed, 5 Apr 2023 14:57:05 -0400
-Subject: [PATCH] bgpd: Limit flowspec to no attribute means a implicit
- withdrawal
-
-All other parsing functions done from bgp_nlri_parse() assume
-no attributes == an implicit withdrawal.  Let's move
-bgp_nlri_parse_flowspec() into the same alignment.
-
-Reported-by: Matteo Memelli <mmemelli@amazon.it>
-Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
- bgpd/bgp_flowspec.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
-index f9debe43cd45..5e1be21402dc 100644
--- a/bgpd/bgp_flowspec.c
-+++ b/bgpd/bgp_flowspec.c
-@@ -98,6 +98,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
- 	afi = packet->afi;
- 	safi = packet->safi;
- 
-+	/*
-+	 * All other AFI/SAFI's treat no attribute as a implicit
-+	 * withdraw.  Flowspec should as well.
-+	 */
-+	if (!attr)
-+		withdraw = 1;
-+
- 	if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) {
- 		flog_err(EC_BGP_FLOWSPEC_PACKET,
- 			 "BGP flowspec nlri length maximum reached (%u)",
--- a/SPECS/frr.spec
+++ b/SPECS/frr.spec
@ -7,7 +7,7 @@

 Name: frr
 Version: 7.5.1
-Release: 22%{?checkout}%{?dist}
+Release: 13%{?checkout}%{?dist}.4.alma.1
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
@ -54,19 +54,22 @@ Patch0011: 0011-reload-bfd-profile.patch
 Patch0012: 0012-graceful-restart.patch
 Patch0013: 0013-CVE-2022-37032.patch
 Patch0014: 0014-bfd-profile-crash.patch
-Patch0015: 0015-max-ttl-reload.patch
-Patch0016: 0016-CVE-2023-38802.patch
+# https://git.almalinux.org/rpms/frr/raw/commit/7599d0ae96d0c1d1f42ae62e1f885ee58ed5b0cd/SOURCES/0010-CVE-2023-38802.patch
+Patch0015: 0015-CVE-2023-38802.patch
+# # https://gitlab.com/redhat/centos-stream/rpms/frr/-/blob/2dfcf2f37454302c56d8713db9d9d16e7d4d36d3/0015-max-ttl-reload.patch
+Patch0016: 0016-max-ttl-reload.patch
+# https://gitlab.com/redhat/centos-stream/rpms/frr/-/blob/2dfcf2f37454302c56d8713db9d9d16e7d4d36d3/0017-fix-crash-in-plist-update.patch
 Patch0017: 0017-fix-crash-in-plist-update.patch
+# https://gitlab.com/redhat/centos-stream/rpms/frr/-/blob/2dfcf2f37454302c56d8713db9d9d16e7d4d36d3/0018-CVE-2023-38406.patch
 Patch0018: 0018-CVE-2023-38406.patch
+# https://gitlab.com/redhat/centos-stream/rpms/frr/-/blob/2dfcf2f37454302c56d8713db9d9d16e7d4d36d3/0019-CVE-2023-38407.patch
 Patch0019: 0019-CVE-2023-38407.patch
+# https://gitlab.com/redhat/centos-stream/rpms/frr/-/blob/2dfcf2f37454302c56d8713db9d9d16e7d4d36d3/0020-CVE-2023-47234.patch
 Patch0020: 0020-CVE-2023-47234.patch
+# https://gitlab.com/redhat/centos-stream/rpms/frr/-/blob/2dfcf2f37454302c56d8713db9d9d16e7d4d36d3/0021-CVE-2023-47235.patch
 Patch0021: 0021-CVE-2023-47235.patch
-Patch0022: 0022-route-map-event.patch
-Patch0023: 0023-CVE-2023-46752.patch
-Patch0024: 0024-CVE-2023-46753.patch
-Patch0025: 0025-CVE-2023-31490.patch
-Patch0026: 0026-CVE-2023-41909.patch
-Patch0027: 0027-dynamic-netlink-buffer.patch
+# https://gitlab.com/redhat/centos-stream/rpms/frr/-/commit/45e41b61fde135e3f5efd5e6d6bb434a1230a45d
+Patch0022: 0022-dynamic-netlink-buffer.patch

 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@ -287,36 +290,16 @@ make check PYTHON=%{__python3}
 %endif

 %changelog
-* Wed Feb 07 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-22
- Resolves: RHEL-22303 - Zebra not fetching host routes
+* Wed Feb 21 2024 Eduard Abdullin <eabdullin@almalinux.org> - 7.5.1-13.4.alma.1
+- zebra: Make netlink buffer reads resizeable when needed

-* Wed Feb 07 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-21
- Resolves: RHEL-2216 - NULL pointer dereference
-
-* Wed Feb 07 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-20
- Resolves: RHEL-4797 - missing length check in bgp_attr_psid_sub() can lead do DoS
-
-* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-19
- Resolves: RHEL-14824 - crafted BGP UPDATE message leading to a crash
-
-* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-18
- Resolves: RHEL-14821 - mishandled malformed data leading to a crash
-
-* Tue Dec 19 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-17
- Resolves: RHEL-6583 - Routes are not refreshed after changing the inbound route rules from deny to permit
-
-* Tue Dec 19 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-16
+* Fri Jan 12 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 7.5.1-13.3.alma.1
 - Resolves: RHEL-15916 - Flowspec overflow in bgpd/bgp_flowspec.c
 - Resolves: RHEL-15919 - Out of bounds read in bgpd/bgp_label.c
 - Resolves: RHEL-15869 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message
 - Resolves: RHEL-15868 - crash from malformed EOR-containing BGP UPDATE message
-
-* Thu Oct 19 2023 Andreas Karis <akaris@redhat.com> - 7.5.1-15
 - Resolves: RHEL-12039 - crash in plist update

-* Fri Oct 13 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-14
- Resolves: RHEL-6617 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router
-
 * Tue Oct 10 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-13
 - Resolves: RHEL-2263 - eBGP multihop peer flapping due to delta miscalculation of new configuration
Author	SHA1	Message	Date
eabdullin	5688bea70a	- zebra: Make netlink buffer reads resizeable when needed	2024-02-21 12:42:55 +03:00
Andrew Lukoshko	029438c4c6	CVE-2023-38406 CVE-2023-38407 CVE-2023-47234 CVE-2023-47235	2024-01-12 13:50:00 +00:00
Andrew Lukoshko	742d4de4d8	Sync with c8-beta	2024-01-12 13:40:50 +00:00
eabdullin	45da74035f	- Fix CVE-2023-38802 - bfdd: remove profiles when removing bfd node	2023-09-20 16:12:26 +03:00
				`@ -0,0 +1 @@`
				`dfc756dfd123360d1e1a760d66821e47f9a6afed SOURCES/frr-7.5.1.tar.gz`