commit 15fe4b715c93db2cd1ad1f4a1cab7da91ba48eb0 Author: David Lamparter Date: Mon Sep 2 14:58:10 2013 +0200 release: 0.99.22.4 This is a maintenance release, containing a set of regression fixes plus some protective LSA validation in OSPF. * configure.ac: Bump to 0.99.22.3 commit 05b3325b49cdf3ad862da92415e305282a7b9d2a Author: Greg Troxel Date: Wed Aug 7 10:11:46 2013 -0400 doc: Update NEWS for pending 0.99.22.4 release. commit 0fb1102198d151532fb65d2271bf8246a21389b1 Author: David Lamparter Date: Fri Aug 2 07:27:53 2013 +0000 ospfd: protect vs. VU#229804 (malformed Router-LSA) VU#229804 reports that, by injecting Router LSAs with the Advertising Router ID different from the Link State ID, OSPF implementations can be tricked into retaining and using invalid information. Quagga is not vulnerable to this because it looks up Router LSAs by (Router-ID, LS-ID) pair. The relevant code is in ospf_lsa.c l.3140. Note the double "id" parameter at the end. Still, we can provide an improvement here by discarding such malformed LSAs and providing a warning to the administrator. While we cannot prevent such malformed LSAs from entering the OSPF domain, we can certainly try to limit their distribution. cf. http://www.kb.cert.org/vuls/id/229804 for the vulnerability report. This issue is a specification issue in the OSPF protocol that was discovered by Dr. Gabi Nakibly. Reported-by: CERT Coordination Center Signed-off-by: David Lamparter commit 7921ecd3a8430bab25a578a218d69e1a79771397 Author: Christian Franke Date: Sat May 25 14:01:36 2013 +0000 bgpd, zebra: support NEXTHOP_IPV4_IFINDEX in bgp import check Signed-off-by: Christian Franke Signed-off-by: David Lamparter commit d533f88e4b149cdbfcae5537109d8f7d8b7d2280 Author: Christian Franke Date: Sat May 25 14:01:35 2013 +0000 bgpd, zebra: Support NEXTHOP_IPV4_IFINDEX in nexthop_lookup api Since commit ba281d3d040, ospfd uses NEXTHOP_IPV4_IFINDEX routes. The API between zebra and bgpd which is used to query nexthops for recursive routes did not support this nexthop type and therefore, ospf changes (or any other IGP changes which use NEXTHOP_IPV4_IFINDEX) would never trigger any recursive route update. Signed-off-by: Christian Franke Signed-off-by: David Lamparter commit 018f4d8dcb28b475b1d1c46ebe0ea3bbf6421f8a Author: Christian Franke Date: Sat May 25 14:01:34 2013 +0000 zebra: improve display of NEXTHOP_IPV4_IFINDEX in show ip route Signed-off-by: Christian Franke Signed-off-by: David Lamparter