diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:53:32 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:53:32 +0000 |
commit | 25b1166673c7fde5edb4dfa218005bf1a83eb25c (patch) | |
tree | 0eb5dc2c4eedabf82b7b531bbe0e5fcb75084e3e | |
parent | Adding upstream version 8.4.4. (diff) | |
download | frr-debian.tar.xz frr-debian.zip |
Adding debian version 8.4.4-1.1~deb12u1.debian/8.4.4-1.1_deb12u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
42 files changed, 3210 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..53fb6c9 --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,100 @@ +* SAFETY MEASURES: +================== + +Please consider setting this package "on hold" by typing + echo "frr hold" | dpkg --set-selections +and verifying this using + dpkg --get-selections | grep 'hold$' + +Setting a package "on hold" means that it will not automatically be upgraded. +Instead apt-get only displays a warning saying that a new version would be +available forcing you to explicitly type "apt-get install frr" to upgrade it. + + +* What is frr? +================= + +http://www.frrouting.org/ +FRR is a routing software suite, providing implementations of OSPFv2, +OSPFv3, RIP v1 and v2, RIPng, ISIS, PIM, BGP and LDP for Unix platforms, particularly +FreeBSD and Linux and also NetBSD, to mention a few. FRR is a fork of Quagga +which itself is a fork of Zebra. +Zebra was developed by Kunihiro Ishiguro. + + +* Build Profiles used in the upstream debian/ +============================================= + +The following Build Profiles have been added: + +- pkg.frr.nortrlib (pkg.frr.rtrlib) + controls whether the RPKI module is built. + Will be enabled by default at some point, adds some extra dependencies. + +Note that all options have a "no" form; if you want to have your decision +be sticky regardless of changes to what it defaults to, then always use one +of the two. For example, all occurrences of <pkg.frr.rtrlib> will at some +point be replaced with <!pkg.frr.nortrlib>. + +The main frr package has the exact same contents regardless of rtrlib or snmp +choices. The options only control frr-snmp and frr-rpki-rtrlib packages. + + +* Debian Policy compliance notes +================================ + +- 4.15 Reproducibility + FRR build is reproducible as outlined in version 4.2.1 of the Policy, but + won't be reproducible when the build directory is varied. This is because + configure parameters are burned into the executables which includes CFLAGS + like -fdebug-prefix-map=/build/directory/... + + +* Daemon selection: +=================== + +The Debian package uses /etc/frr/daemons to tell the +initscript which daemons to start. It's in the format +<daemon>=<yes|no|priority> +with no spaces (it's simply source-d into the initscript). +Default is not to start anything, since it can hose your +system's routing table if not set up properly. + +Priorities were suggested by Dancer <dancer@zeor.simegen.com>. +They're used to start the FRR daemons in more than one step +(for example start one or two at network initialization and the +rest later). The number of FRR daemons being small, priorities +must be between 1 and 9, inclusive (or the initscript has to be +changed). /etc/init.d/frr then can be started as + +/etc/init.d/frr <start|stop|restart|<priority>> + +where priority 0 is the same as 'stop', priority 10 or 'start' +means 'start all' + + +* Error message "privs_init: initial cap_set_proc failed": +========================================================== + +This error message means that "capability support" has to be built +into the kernel. + + +* Error message "netlink-listen: overrun: No buffer space available": +===================================================================== + +If this message occurs the receive buffer should be increased by adding the +following to /etc/sysctl.conf and "--nl-bufsize" to /etc/frr/daemons. +> net.core.rmem_default = 262144 +> net.core.rmem_max = 262144 +See message #4525 from 2005-05-09 in the quagga-users mailing list. + + +* vtysh immediately exists: +=========================== + +Check /etc/pam.d/frr, it probably denies access to your user. The passwords +configured in /etc/frr/frr.conf are only for telnet access. + + + -- Ondřej Surý <Ondřej Surý <ondrej@debian.org>>, Fri, 3 Jul 2020 12:39:42 +0200 diff --git a/debian/README.Maintainer b/debian/README.Maintainer new file mode 100644 index 0000000..9030022 --- /dev/null +++ b/debian/README.Maintainer @@ -0,0 +1,32 @@ +# +# TODO +# + +- check that tests/{control,daemons} actually do something useful and sensible +- /usr/share/doc/frr-doc should be named just frr? +- debian/watch pgpsigurlmangle / signing-key +- multiarch for DSOs? +- frr try-restart + +# +# To check if the patches still apply on new upstream versions: +# +for i in debian/patches/*.diff; do echo -e "#\n# $i\n#"; patch --fuzz=3 --dry-run -p1 < $i; done + +# +# Filename transition from zebra to frr +# + +Files that keep their names + /usr/bin/vtysh + +Files that got an -pj suffix + /etc/default/zebra -> /etc/frr/daemons.conf + /etc/init.d/zebra -> /etc/init.d/frr + /etc/zebra/ -> /etc/frr/ + /usr/share/doc/zebra/ -> /usr/share/doc/frr/ + /var/log/zebra/ -> /var/log/frr/ + /var/run/ -> /var/run/frr/ + +Files that were moved + /usr/sbin/* -> /usr/lib/frr/ diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..45fd970 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,1584 @@ +frr (8.4.4-1.1~deb12u1) bookworm-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Update to upstream 8.4.4 stable point release. + + -- Aron Xu <aron@debian.org> Tue, 05 Sep 2023 16:04:06 +0800 + +frr (8.4.4-1.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Upstream fixes for CVE-2023-38802, CVE-2023-41358, CVE-2023-41360 + + -- Aron Xu <aron@debian.org> Fri, 01 Sep 2023 16:57:41 +0800 + +frr (8.4.4-1) unstable; urgency=medium + + * new upstream release FRR 8.4.4 + * upstream fix CVE-2023-31489 (closes: #1036061) + * upstream fix CVE-2023-31490 (closes: #1036062) + * correctly use sphinxdoc:Built-Using + * point watch file at git tarball, no more upstream dist tarballs + + -- David Lamparter <equinox-debian@diac24.net> Wed, 12 Jul 2023 14:28:34 +0200 + +frr (8.4.2-1) unstable; urgency=medium + + * new upstream release FRR 8.4.2 + * drop all patches in debian/patches/, they got merged upstream + + -- David Lamparter <equinox-debian@diac24.net> Mon, 23 Jan 2023 17:32:02 +0100 + +frr (8.4.1-2) unstable; urgency=medium + + * commit to git tarball as source instead of dist tarball + * ditch unneeded sphinx missing files patch + * fix clippy symbol lookup issue (build SEGV on mips64el) + * correctly mark :native for libelf-dev & libpython3-dev to fix cross-build + * use mutex for zserv stats (atomic uint64_t is too wide for 32-bit archs) + + -- David Lamparter <equinox-debian@diac24.net> Fri, 06 Jan 2023 14:59:57 +0100 + +frr (8.4.1-1) unstable; urgency=medium + + * New upstream release FRR 8.4.1 (closes: #1017518) + * New frr@ systemd service unit to run inside network namespace + * egrep to grep -E + * upstream fix ospfd crash (PR 8876) (closes: #981139) + * upstream fix isisd parsing issues CVE-2022-26125, CVE-2022-26126 and + babeld parsing issues CVE-2022-26127, CVE-2022-26128, CVE-2022-26129 + (closes: #1008010) + * upstream fix bgpd out-of-bounds read CVE-2022-37032 (closes: #1021016) + * upstream fix bgpd UAF CVE-2022-37035 (closes: #1016978) + * libyang-related pcre3 dep replaced with pcre2 (closes: #1000032) + * disable ELF magic on mips64el + * fixed texinfo figure installation directory + * enable dh_sphinxdoc to get rid of embedded javascript in frr-doc + * removed bogus iproute dependency choice + + -- David Lamparter <equinox-debian@diac24.net> Mon, 02 Jan 2023 14:46:06 +0100 + +frr (8.1-1) unstable; urgency=medium + + * New upstream release FRR 8.1 + * Upload to unstable. + + -- Ondřej Surý <ondrej@debian.org> Sat, 13 Nov 2021 13:32:48 +0100 + +frr (7.5.1-1) unstable; urgency=medium + + * Update the d/gbp.conf for 7.5.1 release + * Use wrap-and-sort -a to unify debian/ wrapping and sorting + * Work around the sphinx-build error that doesn't copy images to texinfo + * Change the upstream-tag in d/gbp.conf to track the upstream tarballs + + -- Ondřej Surý <ondrej@debian.org> Mon, 08 Mar 2021 09:40:19 +0100 + +frr (7.5-1) unstable; urgency=medium + + * New upstream version 7.5 + + -- Ondřej Surý <ondrej@debian.org> Sun, 14 Feb 2021 21:38:50 +0100 + +frr (7.4-2) unstable; urgency=medium + + * Bump libyang dependency to >= 1.0.184-1~ + * Make the autopkgtest more resilient (Closes: #980111) + * Adjust the ax_python.m4 to hardcode python3.9 + + -- Ondřej Surý <ondrej@debian.org> Sun, 07 Feb 2021 13:15:07 +0100 + +frr (7.4-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Backport upstream fix for FTBFS with Python 3.9. (Closes: #972767) + + -- Adrian Bunk <bunk@debian.org> Thu, 21 Jan 2021 16:06:12 +0200 + +frr (7.4-1) unstable; urgency=medium + + [ Ondřej Surý ] + * Use dh_installinit capabilities to install frr.tmpfile + * Remove unused debian/watchfrr.rc file + * Add missing lsof dependency + * Remove mention of pkg.frr.snmp build profile from debian/README.Debian + * Make lsb-base a hard dependency + * Update gbp.conf for 7.4 release + * Update and simplify d/watch + * Change the debian source format from 3.0 (git) to 3.0 (quilt) + * Convert the package to dh compat level 10 + * Add myself to Uploaders + * Bump standards version to 4.5.0.2 (latest) - no change + * Use wrap-and-sort -a to unify debian/ wrapping and sorting + * Work around the sphinx-build error that doesn't copy images to texinfo + (Properly closes: #955067) + * Depend on debhelper >= 9.20160709 and drop dh-systemd dependency + (Closes: #958626) + + -- Ondřej Surý <ondrej@debian.org> Mon, 10 Aug 2020 11:50:45 +0200 + +frr (7.3.1-1) unstable; urgency=medium + + [ David Lamparter ] + * allow cross-compile with sbuild --host + + [ Ondřej Surý ] + * Add myself to Uploaders + * Add d/gbp.conf + * Update changelog for 7.3.1-1~1.gbp2292a4 release + * Change the source format from git to quilt to use git-buildpackage + * Don't install frr-doc texinfo images, they are gone (Closes: #955067) + * Bump the dh_compat to 10 + + -- Ondřej Surý <ondrej@debian.org> Mon, 01 Jun 2020 08:41:03 +0200 + +frr (7.3-1) unstable; urgency=medium + + * new upstream release + + -- David Lamparter <equinox-debian@diac24.net> Tue, 25 Feb 2020 17:45:16 +0100 + +frr (7.2.1-1) unstable; urgency=medium + + * new upstream release + * daemon man pages renamed to frr-* (closes: #944392) + * fix/improve multi-arch markers on doc + * fix git URLs to point to debian branch + + -- David Lamparter <equinox-debian@diac24.net> Mon, 20 Jan 2020 17:06:21 +0100 + +frr (7.2-1) unstable; urgency=medium + + * New upstream release + + -- Jafar Al-Gharaibeh <jafar@atcorp.com> Sun, 03 Nov 2019 18:45:23 +0100 + +frr (6.0.2-2) unstable; urgency=medium + + * remove bogus libjson0 build-dep (closes: #921349) + * fix broken systemd dependency spec + * add proper Conflicts: for quagga and pimd (closes: #921376) + + -- David Lamparter <equinox-debian@diac24.net> Mon, 04 Feb 2019 22:16:07 +0100 + +frr (6.0.2-1) unstable; urgency=medium + + * Packaging has been more or less completely reworked, based off the old + Quagga packaging that hung around in git. Refer to "changelog-auto.in" + in the source root directory for the old changelog. + * Initial release of FRR for Debian. (closes: #863249) + + -- David Lamparter <equinox-debian@diac24.net> Sun, 27 Jan 2019 17:27:02 +0100 + +frr (6.0-2) testing; urgency=medium + + * add install-info to build deps + * remove trailing whitespace from control + * cleanup tcp-zebra configure options + * drop unused SMUX client OID MIBs + * remove /proc check + * remove --enable-poll + * remove libtool .la files + * drop texlive-latex-base, texlive-generic-recommended build deps + * consistently allow python2 or python3 + * remove bad USE_* options, add WERROR + * drop libncurses5 dep + * remove backports mechanism + * use better dependency for pythontools (binNMU compatible) + * remove bogus shlib:Depends on frr-dbg + * create frr-snmp and frr-rpki-rtrlib + * make frr-pythontools a "Recommends:" + * use redistclean target + * update to Debian Policy version 4.2.1 + * raise debhelper compat level to 9 + * ditch development-only files + * modernise dh_missing and use fail mode + * disable zeromq and FPM + * always install /etc/init.d/frr + * put frr-doc package in 'doc' section + * install HTML docs, drop tools/ + * fix install for {frr,rfptest,ospfclient} + * add watch file + * change python dependency and shebang to python3:any + * use set -e in maintscripts + * put myself in as maintainer + * update copyright file + * closes: #863249 + + -- David Lamparter <equinox-debian@diac24.net> Thu, 25 Oct 2018 16:36:50 +0200 + +frr (6.0-1) RELEASED; urgency=medium + + * New Enabled: PIM draft Unnumbered + + -- FRRouting-Dev <dev@lists.frrouting.org> Wed, 18 Oct 2017 17:01:42 -0700 + +frr (3.0-1) RELEASED; urgency=medium + + * Added Debian 9 Backport + + -- FRRouting-Dev <dev@lists.frrouting.org> Mon, 16 Oct 2017 03:28:00 -0700 + +frr (3.0-0) RELEASED; urgency=medium + + * New Enabled: BGP Shutdown Message + * New Enabled: BGP Large Community + * New Enabled: BGP RFC 7432 Partial Support w/ Ethernet VPN + * New Enabled: BGP EVPN RT-5 + * New Enabled: LDP RFC 5561 + * New Enabled: LDP RFC 5918 + * New Enabled: LDP RFC 5919 + * New Enabled: LDP RFC 6667 + * New Enabled: LDP RFC 7473 + * New Enabled: OSPF RFC 4552 + * New Enabled: ISIS SPF Backoff draft + * New Enabled: PIM Unnumbered Interfaces + * New Enabled: PIM RFC 4611 + * New Enabled: PIM Sparse Mode + * New Enabled: NHRP RFC 2332 + * New Enabled: Label Manager + * Switched from hardening-wrapper to dpkg-buildflags. + + -- FRRouting-Dev <dev@lists.frrouting.org> Fri, 13 Oct 2017 16:17:26 -0700 + +frr (2.0-0) RELEASED; urgency=medium + + * Switchover to FRR + + -- FRRouting-Dev <dev@lists.frrouting.org> Mon, 23 Jan 2017 16:30:22 -0400 + +quagga (0.99.24+cl3u5) RELEASED; urgency=medium + + * Closes: CM-12846 - Resolve Memory leaks in 'show ip bgp neighbor json' + * Closes: CM-5878 - Display all ospf peers with 'show ip ospf neighbor detail all' + * Closes: CM-5794 - Add support for IPv6 static to null0 + * Closes: CM-13060 - Reduce JSON memory usage. + * Closes: CM-10394 - protect 'could not get instance' error messages with debug + * Closes: CM-11173 - Move netlink error messages undeer a debug + * Closes: CM-13328 - Fixes route missing in hardware after reboot + + -- dev-support <dev-support@cumulusnetworks.com> Fri, 11 Nov 2016 22:13:29 -0400 + +quagga (0.99.24+cl3u4) RELEASED; urgency=medium + + * Closes: CM-12687 - Buffer overflow in zebra RA code + + -- dev-support <dev-support@cumulusnetworks.com> Wed, 31 Aug 2016 12:36:10 -0400 + +quagga (0.99.24+cl3u3) RELEASED; urgency=medium + + * New Enabled: Merge up-to 0.99.24 code from upstream + * New Enabled: Additional CLI simplification + * New Enabled: Various Bug Fixes + + -- dev-support <dev-support@cumulusnetworks.com> Thu, 04 Aug 2016 08:43:36 -0700 + +quagga (0.99.23.1-1+cl3u2) RELEASED; urgency=medium + + * New Enabled: VRF - See Documentation for how to use + * New Enabled: Improved interface statistics + * New Enabled: Various vtysh improvements + * New Enabled: Numerous compile warnings and SA fixes + * New Enabled: Improved priviledge handlingA + * New Enabled: Various OSPF CLI fixes + * New Enabled: Prefix-list Performance Improvements. + * New Enabled: Allow more than 1k peers in Quagga + and Performance Improvements + * New Enabled: Systemd integration + * New Enabled: Various ISIS fixes + * New Enabled: BGP MRT improvements + * New Enabled: Lowered default MRAI timers + * New Enabled: Lowered default 'timers connect' + * New Enabled: 'bgp log-neighbor-changes' enabled by default + * New Enabled: BGP default keepalive to 3s and holdtime to 9s + * New Enabled: OSPF spf timers are now '0 50 5000' by default + * New Enabled: BGP hostname is displayed by default + * New Enabled: BGP 'no-as-set' is the default for + 'bgp as-path multipath-relax" + * New Enabled: RA is on by default if using 5549 on an interface + * New Enabled: peer-group restrictions relaxed, update-groups determine + outbund policy anyway + * New Enabled: BGP enabled 'maximum-paths 64' by default + * New Enabled: OSPF "log-adjacency-changes" on by default + * New Enabled: Zebra: Add IPv6 protocol filtering support + * and setting src of IPv6 routes. + * New Enabled: BGP and OSPF JSON commands added. + * New Enabled: BGP Enable multiple instances support by default + * New Enabled: 'banner motd file' command + * New Enabled: Remove bad default passwords from default conf + * New Enabled: BGP addpath TX + * New Enabled: Simplified configuration for BGP Unnumbered + + * New Deprecated: Remove unused 'show memory XXX' functionality + * New Deprecated: Remove babel protocol + + * Closes: CM-10435 Addition on hidden command + "bfd multihop/singlehop" and "ptm-enable" per interface command + * Closes: CM-9974 Get route counts right for show ip route summary + * Closes: CM-9786 BGP memory leak in peer hostname + * Closes: CM-9340 BGP: Ensure correct sequence of processing at exit + * Closes: CM-9270 ripd: Fix crash when a default route is passed to rip + * Closes: CM-9255 BGPD crash around bgp_config_write () + * Closes: CM-9134 ospf6d: Fix for crash when non area 0 network + entered first + * Closes: CM-8934 OSPFv3: Check area before scheduling SPF + * Closes: CM-8514 zebra: Crash upon disabling a link + * Closes: CM-8295 BGP crash in group_announce_route_walkcb + * Closes: CM-8191 BGP: crash in update_subgroup_merge() + * Closes: CM-8015 lib: Memory reporting fails over 2GB + * Closes: CM-7926 BGP: crash from not NULLing freed pointers + + -- dev-support <dev-support@cumulusnetworks.com> Wed, 04 May 2016 16:22:52 -0700 + +quagga (0.99.23.1-1) unstable; urgency=medium + + * New upstream release + * Added .png figures for info files to quagga-doc package. + * Changed dependency from iproute to iproute2 (thanks to Andreas + Henriksson). Closes: #753736 + * Added texlive-fonts-recommended to build-depends to get ecrm1095 font + (thanks to Christoph Biedl). Closes: #651545 + + -- Christian Brunotte <ch@debian.org> Tue, 30 Sep 2014 00:20:12 +0200 + +quagga (0.99.23-1) unstable; urgency=low + + * New upstream release + * Removed debian/patches/readline-6.3.diff which was already in upstream. + + -- Christian Hammers <ch@debian.org> Tue, 08 Jul 2014 09:15:48 +0200 + +quagga (0.99.22.4-4) unstable; urgency=medium + + * Fix build failure with readline-6.3 (thanks to Matthias Klose). + Closes: #741774 + + -- Christian Hammers <ch@debian.org> Sun, 23 Mar 2014 15:28:42 +0100 + +quagga (0.99.22.4-3) unstable; urgency=low + + * Added status to init script (thanks to Peter J. Holzer). Closes: #730625 + * Init script now sources /lib/lsb/init-functions. + * Switched from hardening-wrapper to dpkg-buildflags. + + -- Christian Hammers <ch@debian.org> Wed, 01 Jan 2014 19:12:01 +0100 + +quagga (0.99.22.4-2) unstable; urgency=low + + * Fixed typo in package description (thanks to Davide Prina). + Closes: #625860 + * Added Italian Debconf translation (thanks to Beatrice Torracca) + Closes: #729798 + + -- Christian Hammers <ch@debian.org> Tue, 26 Nov 2013 00:47:11 +0100 + +quagga (0.99.22.4-1) unstable; urgency=high + + * SECURITY: + "ospfd: CVE-2013-2236, stack overrun in apiserver + + the OSPF API-server (exporting the LSDB and allowing announcement of + Opaque-LSAs) writes past the end of fixed on-stack buffers. This leads + to an exploitable stack overflow. + + For this condition to occur, the following two conditions must be true: + - Quagga is configured with --enable-opaque-lsa + - ospfd is started with the "-a" command line option + + If either of these does not hold, the relevant code is not executed and + the issue does not get triggered." + Closes: #726724 + + * New upstream release + - ospfd: protect vs. VU#229804 (malformed Router-LSA) + (Quagga is said to be non-vulnerable but still adds some protection) + + -- Christian Hammers <ch@debian.org> Thu, 24 Oct 2013 22:58:37 +0200 + +quagga (0.99.22.1-2) unstable; urgency=low + + * Added autopkgtests (thanks to Yolanda Robla). Closes: #710147 + * Added "status" command to init script (thanks to James Andrewartha). + Closes: #690013 + * Added "libsnmp-dev" to Build-Deps. There not needed for the official + builds but for people who compile Quagga themselves to activate the + SNMP feature (which for licence reasons cannot be done by Debian). + Thanks to Ben Winslow). Closes: #694852 + * Changed watchquagga_options to an array so that quotes can finally + be used as expected. Closes: #681088 + * Fixed bug that prevented restarting only the watchquagga daemon + (thanks to Harald Kappe). Closes: #687124 + + -- Christian Hammers <ch@debian.org> Sat, 27 Jul 2013 16:06:25 +0200 + +quagga (0.99.22.1-1) unstable; urgency=low + + * New upstream release + - ospfd restore nexthop IP for p2p interfaces + - ospfd: fix LSA initialization for build without opaque LSA + - ripd: correctly redistribute ifindex routes (BZ#664) + - bgpd: fix lost passwords of grouped neighbors + * Removed 91_ld_as_needed.diff as it was found in the upstream source. + + -- Christian Hammers <ch@debian.org> Mon, 22 Apr 2013 22:21:20 +0200 + +quagga (0.99.22-1) unstable; urgency=low + + * New upstream release. + - [bgpd] The semantics of default-originate route-map have changed. + The route-map is now used to advertise the default route conditionally. + The old behaviour which allowed to set attributes on the originated + default route is no longer supported. + - [bgpd] this version of bgpd implements draft-idr-error-handling. This was + added in 0.99.21 and may not be desirable. If you need a version + without this behaviour, please use 0.99.20.1. There will be a + runtime configuration switch for this in future versions. + - [isisd] is in "beta" state. + - [ospf6d] is in "alpha/experimental" state + - More changes are documented in the upstream changelog! + * debian/watch: Adjusted to new savannah.gnu.org site, thanks to Bart + Martens. + * debian/patches/99_CVE-2012-1820_bgp_capability_orf.diff removed as its + in the changelog. + * debian/patches/99_distribute_list.diff removed as its in the changelog. + * debian/patches/10_doc__Makefiles__makeinfo-force.diff removed as it + was just for Debian woody. + + -- Christian Hammers <ch@debian.org> Thu, 14 Feb 2013 00:22:00 +0100 + +quagga (0.99.21-4) unstable; urgency=medium + + * Fixed regression bug that caused OSPF "distribute-list" statements to be + silently ignored. The patch has already been applied upstream but there + has been no new Quagga release since then. + Thanks to Hans van Kranenburg for reporting. Closes: #697240 + + -- Christian Hammers <ch@debian.org> Sun, 06 Jan 2013 15:50:32 +0100 + +quagga (0.99.21-3) unstable; urgency=high + + * SECURITY: + CVE-2012-1820 - Quagga contained a bug in BGP OPEN message handling. + A denial-of-service condition could be caused by an attacker controlling + one of the pre-configured BGP peers. In most cases this means, that the + attack must be originated from an adjacent network. Closes: #676510 + + -- Christian Hammers <ch@debian.org> Fri, 08 Jun 2012 01:15:32 +0200 + +quagga (0.99.21-2) unstable; urgency=low + + * Renamed babeld.8 to quagga-babeld.8 as it conflicted with the + original mapage of the babeld package which users might want to + install in parallel as it is slightly more capable. Closes: #671916 + + -- Christian Hammers <ch@debian.org> Thu, 10 May 2012 07:53:01 +0200 + +quagga (0.99.21-1) unstable; urgency=low + + * New upstream release + - [bgpd] BGP multipath support has been merged + - [bgpd] SAFI (Multicast topology) support has been extended to propagate + the topology to zebra. + - [bgpd] AS path limit functionality has been removed + - [babeld] a new routing daemon implementing the BABEL ad-hoc mesh routing + protocol has been merged. + - [isisd] a major overhaul has been picked up. Please note that isisd is + STILL NOT SUITABLE FOR PRODUCTION USE. + - a lot of bugs have been fixed + * Added watchquagga daemon. + * Added DEP-3 conforming patch comments. + + -- Christian Hammers <ch@debian.org> Sun, 06 May 2012 15:33:33 +0200 + +quagga (0.99.20.1-1) unstable; urgency=high + + * SECURITY: + CVE-2012-0249 - Quagga ospfd DoS on malformed LS-Update packet + CVE-2012-0250 - Quagga ospfd DoS on malformed Network-LSA data + CVE-2012-0255 - Quagga bgpd DoS on malformed OPEN message + * New upstream release. Closes: #664033 + + -- Christian Hammers <ch@debian.org> Fri, 16 Mar 2012 22:14:05 +0100 + +quagga (0.99.20-4) unstable; urgency=low + + * Switch to dpkg-source 3.0 (quilt) format. + * Switch to changelog-format-1.0. + + -- Christian Hammers <ch@debian.org> Sat, 25 Feb 2012 18:52:06 +0100 + +quagga (0.99.20-3) unstable; urgency=low + + * Added --sysconfdir back to the configure options (thanks to Sven-Haegar + Koch). Closes: #645649 + + -- Christian Hammers <ch@debian.org> Tue, 18 Oct 2011 00:24:37 +0200 + +quagga (0.99.20-2) unstable; urgency=low + + * Bumped standards version to 0.9.2. + * Migrated to "dh" build system. + * Added quagga-dbg package. + + -- Christian Hammers <ch@debian.org> Fri, 14 Oct 2011 23:59:26 +0200 + +quagga (0.99.20-1) unstable; urgency=low + + * New upstream release: + "The primary focus of this release is a fix of SEGV regression in ospfd, + which was introduced in 0.99.19. It also features a series of minor + improvements, including better RFC compliance in bgpd, better support + of FreeBSD and some enhancements to isisd." + * Fixes off-by-one bug (removed 20_ospf6_area_argv.dpatch). Closes: #519488 + + -- Christian Hammers <ch@debian.org> Fri, 30 Sep 2011 00:59:24 +0200 + +quagga (0.99.19-1) unstable; urgency=high + + * SECURITY: + "This release provides security fixes, which address assorted + vulnerabilities in bgpd, ospfd and ospf6d (CVE-2011-3323, + CVE-2011-3324, CVE-2011-3325, CVE-2011-3326 and CVE-2011-3327). + * New upstream release. + * Removed incorporated debian/patches/92_opaque_lsa_enable.dpatch. + * Removed incorporated debian/patches/93_opaque_lsa_fix.dpatch. + * Removed obsolete debian/README.Debian.Woody and README.Debian.MD5. + + -- Christian Hammers <ch@debian.org> Tue, 27 Sep 2011 00:16:27 +0200 + +quagga (0.99.18-1) unstable; urgency=low + + * SECURITY: + "This release fixes 2 denial of services in bgpd, which can be remotely + triggered by malformed AS-Pathlimit or Extended-Community attributes. + These issues have been assigned CVE-2010-1674 and CVE-2010-1675. + Support for AS-Pathlimit has been removed with this release." + * Added Brazilian Portuguese debconf translation. Closes: #617735 + * Changed section for quagga-doc from "doc" to "net". + * Added patch to fix FTBFS with latest GCC. Closes: #614459 + + -- Christian Hammers <ch@debian.org> Tue, 22 Mar 2011 23:13:34 +0100 + +quagga (0.99.17-4) unstable; urgency=low + + * Added comment to init script (thanks to Marc Haber). Closes: #599524 + + -- Christian Hammers <ch@debian.org> Thu, 13 Jan 2011 23:53:29 +0100 + +quagga (0.99.17-3) unstable; urgency=low + + * Fix FTBFS with ld --as-needed (thanks to Matthias Klose at Ubuntu). + Closes: #609555 + + -- Christian Hammers <ch@debian.org> Thu, 13 Jan 2011 23:27:06 +0100 + +quagga (0.99.17-2) unstable; urgency=low + + * Added Danisch Debconf translation (thanks to Joe Dalton). Closes: #596259 + + -- Christian Hammers <ch@debian.org> Sat, 18 Sep 2010 12:20:07 +0200 + +quagga (0.99.17-1) unstable; urgency=high + + * SECURITY: + "This release provides two important bugfixes, which address remote crash + possibility in bgpd discovered by CROSS team.": + 1. Stack buffer overflow by processing certain Route-Refresh messages + CVE-2010-2948 + 2. DoS (crash) while processing certain BGP update AS path messages + CVE-2010-2949 + Closes: #594262 + + -- Christian Hammers <ch@debian.org> Wed, 25 Aug 2010 00:52:48 +0200 + +quagga (0.99.16-1) unstable; urgency=low + + * New upstream release. Closes: #574527 + * Added chrpath to debian/rules to fix rpath problems that lintian spottet. + + -- Christian Hammers <ch@debian.org> Sun, 21 Mar 2010 17:05:40 +0100 + +quagga (0.99.15-2) unstable; urgency=low + + * Applied patch for off-by-one bug in ospf6d that caused a segmentation + fault when using the "area a.b.c.d filter-list prefix" command (thanks + to Steinar H. Gunderson). Closes: 519488 + + -- Christian Hammers <ch@debian.org> Sun, 14 Feb 2010 20:02:03 +0100 + +quagga (0.99.15-1) unstable; urgency=low + + * New upstream release + "This fixes some annoying little ospfd and ospf6d regressions, which made + 0.99.14 a bit of a problem release (...) This release still contains a + regression in the "no ip address ..." command, at least on Linux. + See bug #486, which contains a workaround patch. This release should be + considered a 1.0.0 release candidate. Please test this release as widely + as possible." + * Fixed wrong port number in zebra.8 (thanks to Thijs Kinkhorst). + Closes: #517860 + * Added Russian Debconf tanslation (thanks to Yuri Kozlov). + Closes: #539464 + * Removed so-version in build-dep to libreadline-dev on request of + Matthias Klose. + * Added README.source with reference to dpatch as suggested by lintian. + * Bumped standards versionto 3.8.3. + + -- Christian Hammers <ch@debian.org> Sun, 13 Sep 2009 18:12:06 +0200 + +quagga (0.99.14-1) unstable; urgency=low + + * New upstream release + "This release contains a regression fix for ospf6d, various small fixes + and some hopefully very significant bgpd stability fixes. + This release should be considered a 1.0.0 release candidate. Please test + this release as widely as possible." + * Fixes bug with premature LSA aging in ospf6d. Closes: #535030 + * Fixes section number in zebra.8 manpage. Closes: #517860 + + -- Christian Hammers <ch@debian.org> Sat, 25 Jul 2009 00:40:38 +0200 + +quagga (0.99.13-2) unstable; urgency=low + + * Added Japanese Debconf translation (thanks to Hideki Yamane). + Closes: #510714 + * When checking for obsoleted config options in preinst, print filename + where it occures (thanks to Michael Bussmann). Closes: #339489 + + -- Christian Hammers <ch@debian.org> Sun, 19 Jul 2009 17:13:23 +0200 + +quagga (0.99.13-1) unstable; urgency=low + + * New upstream release + "This release is contains a number of small fixes, for potentially + irritating issues, as well as small enhancements to vtysh and support + for linking to PCRE (a much faster regex library)." + * Added build-dep to gawk as configure required it for memtypes.awk + * Replaced build-dep to gs-gpl with ghostscript as requested by lintian + * Minor changes to copyright and control files to make lintian happy. + + -- Christian Hammers <ch@debian.org> Wed, 24 Jun 2009 17:53:28 +0200 + +quagga (0.99.12-1) unstable; urgency=high + + * New upstream release + "This release fixes an urgent bug in bgpd where it could hit an assert + if it received a long AS_PATH with a 4-byte ASN." Noteworthy bugfixes: + + [bgpd] Fix bgp ipv4/ipv6 accept handling + + [bgpd] AS4 bugfix by Chris Caputo + + [bgpd] Allow accepted peers to progress even if realpeer is in Connect + + [ospfd] Switch Fletcher checksum back to old ospfd version + + -- Christian Hammers <ch@debian.org> Mon, 22 Jun 2009 00:16:33 +0200 + +quagga (0.99.11-1) unstable; urgency=low + + * New upstream release + "Most regressions in 0.99 over 0.98 are now believed to be fixed. This + release should be considered a release-candidate for a new stable series." + + bgpd: Preliminary UI and Linux-IPv4 support for TCP-MD5 merged + + zebra: ignore dead routes in RIB update + + [ospfd] Default route needs to be refreshed after neighbour state change + + [zebra:netlink] Set proto/scope on all route update messages + * Removed debian/patches/20_*bgp*md5*.dpatch due to upstream support. + + -- Christian Hammers <ch@debian.org> Thu, 09 Oct 2008 22:56:38 +0200 + +quagga (0.99.10-1) unstable; urgency=medium + + * New upstream release + + bgpd: 4-Byte AS Number support + + Sessions were incorrectly reset if a partial AS-Pathlimit attribute + was received. + + Advertisement of Multi-Protocol prefixes (i.e. non-IPv4) had been + broken in the 0.99.9 release. Closes: #467656 + + -- Christian Hammers <ch@debian.org> Tue, 08 Jul 2008 23:32:42 +0200 + +quagga (0.99.9-6) unstable; urgency=low + + * Fixed FTBFS by adding a build-dep to libpcre3-dev (thanks to Luk Claes). + Closes: #469891 + + -- Christian Hammers <ch@debian.org> Sat, 12 Apr 2008 12:53:51 +0200 + +quagga (0.99.9-5) unstable; urgency=low + + * C.J. Adams-Collier and Paul Jakma suggested to build against libpcre3 + which is supposed to be faster. + + -- Christian Hammers <ch@debian.org> Sun, 02 Mar 2008 13:19:42 +0100 + +quagga (0.99.9-4) unstable; urgency=low + + * Added hardening-wrapper to the build-deps (thanks to Moritz Muehlenhoff). + + -- Christian Hammers <ch@debian.org> Tue, 29 Jan 2008 22:33:56 +0100 + +quagga (0.99.9-3) unstable; urgency=low + + * Replaced the BGP patch by a new one so that the package builds again + with kernels above 2.6.21! + * debian/control: + + Moved quagga-doc to section doc to make lintian happy. + * Added Spanish debconf translation (thanks to Carlos Galisteo de Cabo). + Closes: #428574 + * debian/control: (thanks to Marco Rodrigues) + + Bump Standards-Version to 3.7.3 (no changes needed). + + Add Homepage field. + + -- Christian Hammers <ch@debian.org> Mon, 28 Jan 2008 22:29:18 +0100 + +quagga (0.99.9-2.1) unstable; urgency=low + + * Non-maintainer upload. + * debian/rules: fixed bashisms. (Closes: #459122) + + -- Miguel Angel Ruiz Manzano <debianized@gmail.com> Tue, 22 Jan 2008 14:37:21 -0300 + +quagga (0.99.9-2) unstable; urgency=low + + * Added CVE id for the security bug to the last changelog entry. + Closes: 442133 + + -- Christian Hammers <ch@debian.org> Tue, 25 Sep 2007 22:01:31 +0200 + +quagga (0.99.9-1) unstable; urgency=high + + * SECURITY: + "This release fixes two potential DoS conditions in bgpd, reported by Mu + Security, where a bgpd could be crashed if a peer sent a malformed OPEN + message or a malformed COMMUNITY attribute. Only configured peers can do + this, hence we consider these issues to be very low impact." CVE-2007-4826 + + -- Christian Hammers <ch@debian.org> Wed, 12 Sep 2007 21:12:41 +0200 + +quagga (0.99.8-1) unstable; urgency=low + + * New upstream version. + + -- Christian Hammers <ch@debian.org> Fri, 17 Aug 2007 00:07:04 +0200 + +quagga (0.99.7-3) unstable; urgency=medium + + * Applied patch for FTBFS with linux-libc-dev (thanks to Andrew J. Schorr + and Lucas Nussbaum). Closes: #429003 + + -- Christian Hammers <ch@debian.org> Fri, 22 Jun 2007 21:34:55 +0200 + +quagga (0.99.7-2) unstable; urgency=low + + * Added Florian Weimar as co-maintainer. Closes: 421977 + * Added Dutch debconf translation (thanks to Bart Cornelis). + Closes: #420932 + * Added Portuguese debconf translation (thanks to Rui Branco). + Closes: #421185 + * Improved package description (thanks to Reuben Thomas). + Closes: #418933 + * Added CVE Id to 0.99.6-5 changelog entry. + + -- Christian Hammers <ch@debian.org> Wed, 02 May 2007 20:27:12 +0200 + +quagga (0.99.7-1) unstable; urgency=low + + * New upstream release. Closes: #421553 + + -- Christian Hammers <ch@debian.org> Mon, 30 Apr 2007 14:22:34 +0200 + +quagga (0.99.6-6) unstable; urgency=medium + + * Fixes FTBFS with tetex-live. Closes: #420468 + + -- Christian Hammers <ch@debian.org> Mon, 23 Apr 2007 21:34:13 +0200 + +quagga (0.99.6-5) unstable; urgency=high + + * SECURITY: + The bgpd daemon was vulnerable to a Denial-of-Service. Configured peers + could cause a Quagga bgpd to, typically, assert() and abort. The DoS + could be triggered by peers by sending an UPDATE message with a crafted, + malformed Multi-Protocol reachable/unreachable NLRI attribute. + This is CVE-2007-1995 and Quagga Bug#354. Closes: #418323 + + -- Christian Hammers <ch@debian.org> Thu, 12 Apr 2007 23:21:58 +0200 + +quagga (0.99.6-4) unstable; urgency=low + + * Improved note in README.Debian for SNMP self-builders (thanks to Matthias + Wamser). Closes: #414788 + + -- Christian Hammers <ch@debian.org> Wed, 14 Mar 2007 02:18:57 +0100 + +quagga (0.99.6-3) unstable; urgency=low + + * Updated German Debconf translation (thanks to Matthias Julius). + Closes: #409327 + + -- Christian Hammers <ch@debian.org> Sat, 10 Feb 2007 15:06:16 +0100 + +quagga (0.99.6-2) unstable; urgency=low + + * Updated config.guess/config.sub as suggested by lintian. + * Corrected README.Debian text regarding the WANT_SNMP flag. + + -- Christian Hammers <ch@debian.org> Sun, 17 Dec 2006 01:45:37 +0100 + +quagga (0.99.6-1) unstable; urgency=low + + * New upstream release. Closes: #402361 + + -- Christian Hammers <ch@debian.org> Mon, 11 Dec 2006 00:28:09 +0100 + +quagga (0.99.5-5) unstable; urgency=high + + * Changed Depends on adduser to Pre-Depends to avoid uninstallability + in certain cases (thanks to Steve Langasek, Lucas Nussbaum). + Closes: #398562 + + -- Christian Hammers <ch@debian.org> Wed, 15 Nov 2006 17:46:34 +0100 + +quagga (0.99.5-4) unstable; urgency=low + + * Added default PAM file and some explanations regarding PAM authentication + of vtysh which could prevent the start at boot-time when used wrong. + Now PAM permits anybody to access the vtysh tool (a malicious user could + build his own vtysh without PAM anyway) and the access is controled by + the read/write permissions of the vtysh socket which are only granted to + users belonging to the quaggavty group (thanks to Wakko Warner). + Closes: #389496 + * Added "case" to prerm script so that the Debconf question is not called a + second time in e.g. "new-prerm abort-upgrade" after being NACKed in the + old-prerm. + + -- Christian Hammers <ch@debian.org> Fri, 3 Nov 2006 01:22:15 +0100 + +quagga (0.99.5-3) unstable; urgency=medium + + * Backport CVS fix for an OSPF DD Exchange regression (thanks to Matt + Brown). Closes: #391040 + + -- Christian Hammers <ch@debian.org> Wed, 25 Oct 2006 19:47:11 +0200 + +quagga (0.99.5-2) unstable; urgency=medium + + * Added LSB info section to initscript. + * Removed unnecessary depends to libncurses5 to make checklib happy. + The one to libcap should remain though as it is just temporarily + unused. + + -- Christian Hammers <ch@debian.org> Thu, 21 Sep 2006 00:04:07 +0200 + +quagga (0.99.5-1) unstable; urgency=low + + * New upstream release. Closes: #38704 + * Upstream fixes ospfd documentary inconsistency. Closes: #347897 + * Changed debconf question in prerm to "high" (thanks to Rafal Pietrak). + + -- Christian Hammers <ch@debian.org> Mon, 11 Sep 2006 23:43:42 +0200 + +quagga (0.99.4-4) unstable; urgency=low + + * Recreate /var/run if not present because /var is e.g. on a tmpfs + filesystem (thanks to Martin Pitt). Closes: #376142 + * Removed nonexistant option from ospfd.8 manpage (thanks to + David Medberry). Closes: 378274 + + -- Christian Hammers <ch@debian.org> Sat, 15 Jul 2006 20:22:12 +0200 + +quagga (0.99.4-3) unstable; urgency=low + + * Removed invalid semicolon from rules file (thanks to Philippe Gramoulle). + + -- Christian Hammers <ch@debian.org> Tue, 27 Jun 2006 23:36:07 +0200 + +quagga (0.99.4-2) unstable; urgency=high + + * Set urgency to high as 0.99.4-1 fixes a security problem! + * Fixed building of the info file. + + -- Christian Hammers <ch@debian.org> Sun, 14 May 2006 23:04:28 +0200 + +quagga (0.99.4-1) unstable; urgency=low + + * New upstream release to fix a security problem in the telnet interface + of the BGP daemon which could be used for DoS attacks (CVE-2006-2276). + Closes: 366980 + + -- Christian Hammers <ch@debian.org> Sat, 13 May 2006 19:54:40 +0200 + +quagga (0.99.3-3) unstable; urgency=low + + * Added CVE numbers for the security patch in 0.99.3-2. + + -- Christian Hammers <ch@debian.org> Sat, 6 May 2006 17:14:22 +0200 + +quagga (0.99.3-2) unstable; urgency=high + + * SECURITY: + Added security bugfix patch from upstream BTS for security problem + that could lead to injected routes when using RIPv1. + CVE-2006-2223 - missing configuration to disable RIPv1 or require + plaintext or MD5 authentication + CVE-2006-2224 - lack of enforcement of RIPv2 authentication requirements + Closes: #365940 + * First amd64 upload. + + -- Christian Hammers <ch@debian.org> Thu, 4 May 2006 00:22:09 +0200 + +quagga (0.99.3-1) unstable; urgency=low + + * New upstream release + + -- Christian Hammers <ch@debian.org> Wed, 25 Jan 2006 13:37:27 +0100 + +quagga (0.99.2-1) unstable; urgency=low + + * New upstream release + Closes: #330248, #175553 + + -- Christian Hammers <ch@debian.org> Wed, 16 Nov 2005 00:25:52 +0100 + +quagga (0.99.1-7) unstable; urgency=low + + * Changed debian/rules check for mounted /proc directory to check + for /proc/1 as not all systems (e.g. 2.6 arm kernels) have + /proc/kcore which is a optional feature only (thanks to Lennert + Buytenhek). Closes: #335695 + * Added Swedish Debconf translation (thanks to Daniel Nylander). + Closes: #331367 + + -- Christian Hammers <ch@debian.org> Thu, 27 Oct 2005 20:53:19 +0200 + +quagga (0.99.1-6) unstable; urgency=low + + * Fixed debconf dependency as requested by Joey Hess. + + -- Christian Hammers <ch@debian.org> Mon, 26 Sep 2005 20:47:35 +0200 + +quagga (0.99.1-5) unstable; urgency=low + + * Rebuild with libreadline5-dev as build-dep as requested by + Matthias Klose. Closes: #326306 + * Made initscript more fault tolerant against missing lines in + /etc/quagga/daemons (thanks to Ralf Hildebrandt). Closes: #323774 + * Added dependency to adduser. + + -- Christian Hammers <ch@debian.org> Tue, 13 Sep 2005 21:42:17 +0200 + +quagga (0.99.1-4) unstable; urgency=low + + * Added French Debconf translation (thanks to Mohammed Adnene Trojette). + Closes: #319324 + * Added Czech Debconf translation (thanks to Miroslav Kure). + Closes: #318127 + + -- Christian Hammers <ch@debian.org> Sun, 31 Jul 2005 04:19:41 +0200 + +quagga (0.99.1-3) unstable; urgency=low + + * A Debconf question now asks the admin before upgrading if the daemon + should really be stopped as this could lead to the loss of network + connectivity or BGP flaps (thanks to Michael Horn and Achilleas Kotsis). + Also added a hint about setting Quagga "on hold" to README.Debian. + Closes: #315467 + * Added patch to build on Linux/ARM. + + -- Christian Hammers <ch@debian.org> Sun, 10 Jul 2005 22:19:38 +0200 + +quagga (0.99.1-2) unstable; urgency=low + + * Fixed SNMP enabled command in debian/rules (thanks to Christoph Kluenter). + Closes: #306840 + + -- Christian Hammers <ch@debian.org> Sat, 4 Jun 2005 14:04:01 +0200 + +quagga (0.99.1-1) unstable; urgency=low + + * New upstream version. Among others: + - BGP graceful restart and "match ip route-source" added + - support for interface renaming + - improved threading for better responsivness under load + * Switched to dpatch to make diffs cleaner. + * Made autoreconf unnecessary. + * Replaced quagga.dvi and quagga.ps by quagga.pdf in quagga-doc. + (the PostScript would have needed Makefile corrections and PDF + is more preferable anyway) + * Added isisd to the list of daemons in /etc/init.d/quagga (thanks + to Ernesto Elbe). + * Added hint for "netlink-listen: overrun" messages (thanks to + Hasso Tepper). + * Added preinst check that bails out if old smux options are in use + as Quagga would not start up else anyway (thanks to Bjorn Mork). + Closes: #308320 + + -- Christian Hammers <ch@debian.org> Fri, 13 May 2005 01:18:24 +0200 + +quagga (0.98.3-7) unstable; urgency=high + + * Removed SNMP support as linking against NetSNMP introduced a dependency + to OpenSSL which is not compatible to the GPL which governs this + application (thanks to Faidon Liambotis). See README.Debian for more + information. Closes: #306840 + * Changed listening address of ospf6d and ripngd from 127.0.0.1 to "::1". + * Added build-dep to groff to let drafz-zebra-00.txt build correctly. + + -- Christian Hammers <ch@debian.org> Wed, 4 May 2005 20:08:14 +0200 + +quagga (0.98.3-6) testing-proposed-updates; urgency=high + + * Removed "Recommends kernel-image-2.4" as aptitude then + installes a kernel-image for an arbitrary architecture as long + as it fullfill that recommendation which can obviously fatal + at the next reboot :) Also it is a violation of the policy + which mandates a reference to real packages (thanks to Holger Levsen). + Closes: #307281 + + -- Christian Hammers <ch@debian.org> Tue, 3 May 2005 22:53:39 +0200 + +quagga (0.98.3-5) unstable; urgency=high + + * The patch which tried to remove the OpenSSL dependency, which is + not only unneccessary but also a violation of the licence and thus RC, + stopped working a while ago, since autoreconf is no longer run before + building the binaries. So now ./configure is patched directly (thanks + to Faidon Liambotis for reporting). Closes: #306840 + * Raised Debhelper compatibility level from 3 to 4. Nothing changed. + * Added build-dep to texinfo (>= 4.7) to ease work for www.backports.org. + + -- Christian Hammers <ch@debian.org> Fri, 29 Apr 2005 02:31:03 +0200 + +quagga (0.98.3-4) unstable; urgency=low + + * Removed Debconf upgrade note as it was considered a Debconf abuse + and apart from that so obvious that it was not even worth to be + put into NEWS.Debian (thanks to Steve Langasek). Closes: #306384 + + -- Christian Hammers <ch@debian.org> Wed, 27 Apr 2005 00:10:24 +0200 + +quagga (0.98.3-3) unstable; urgency=medium + + * Adding the debconf module due to a lintian suggestion is a very + bad idea if no db_stop is called as the script hangs then (thanks + to Tore Anderson for reporting). Closes: #306324 + + -- Christian Hammers <ch@debian.org> Mon, 25 Apr 2005 21:55:58 +0200 + +quagga (0.98.3-2) unstable; urgency=low + + * Added debconf confmodule to postinst as lintian suggested. + + -- Christian Hammers <ch@debian.org> Sun, 24 Apr 2005 13:16:00 +0200 + +quagga (0.98.3-1) unstable; urgency=low + + * New upstream release. + Mmost notably fixes last regression in bgpd (reannounce of prefixes + with changed attributes works again), race condition in netlink + handling while using IPv6, MTU changes handling in ospfd and several + crashes in ospfd, bgpd and ospf6d. + + -- Christian Hammers <ch@debian.org> Mon, 4 Apr 2005 12:51:24 +0200 + +quagga (0.98.2-2) unstable; urgency=low + + * Added patch to let Quagga compile with gcc-4.0 (thanks to + Andreas Jochens). Closes: #300949 + + -- Christian Hammers <ch@debian.org> Fri, 25 Mar 2005 19:33:30 +0100 + +quagga (0.98.2-1) unstable; urgency=medium + + * Quoting the upstream announcement: + The 0.98.1 release unfortunately was a brown paper bag release with + respect to ospfd. [...] 0.98.2 has been released, with one crucial change + to fix the unfortunate mistake in 0.98.1, which caused problems if + ospfd became DR. + * Note: the upstream tarball had a strange problem, apparently redhat.spec + was twice in it? At least debuild gave a strange error message so I + unpacked it by hand. No changes were made to the .orig.tar.gz! + + -- Christian Hammers <ch@debian.org> Fri, 4 Feb 2005 01:31:36 +0100 + +quagga (0.98.1-1) unstable; urgency=medium + + * New upstream version + "fixing a fatal OSPF + MD5 auth regression, and a non-fatal high-load + regression in bgpd which were present in the 0.98.0 release." + * Upstream version fixes bug in ospfd that could lead to crash when OSPF + packages had a MTU > 1500. Closes: #290566 + * Added notice regarding capability kernel support to README.Debian + (thanks to Florian Weimer). Closes: #291509 + * Changed permission setting in postinst script (thanks to Bastian Blank). + Closes: #292690 + + -- Christian Hammers <ch@debian.org> Tue, 1 Feb 2005 02:01:27 +0100 + +quagga (0.98.0-3) unstable; urgency=low + + * Fixed problem in init script. Closes: #290317 + * Removed obsolete "smux peer enable" patch. + + -- Christian Hammers <ch@debian.org> Fri, 14 Jan 2005 17:37:27 +0100 + +quagga (0.98.0-2) unstable; urgency=low + + * Updated broken TCP MD5 patch for BGP (thanks to John P. Looney + for telling me). + + -- Christian Hammers <ch@debian.org> Thu, 13 Jan 2005 02:03:54 +0100 + +quagga (0.98.0-1) unstable; urgency=low + + * New upstream release + * Added kernel-image-2.6 as alternative to 2.4 to the recommends + (thanks to Faidon Liambotis). Closes: #289530 + + -- Christian Hammers <ch@debian.org> Mon, 10 Jan 2005 19:36:17 +0100 + +quagga (0.97.5-1) unstable; urgency=low + + * New upstream version. + * Added Czech debconf translation (thanks to Miroslav Kure). + Closes: #287293 + * Added Brazilian debconf translation (thanks to Andre Luis Lopes). + Closes: #279352 + + -- Christian Hammers <ch@debian.org> Wed, 5 Jan 2005 23:49:57 +0100 + +quagga (0.97.4-2) unstable; urgency=low + + * Fixed quagga.info build problem. + + -- Christian Hammers <ch@debian.org> Wed, 5 Jan 2005 22:38:01 +0100 + +quagga (0.97.4-1) unstable; urgency=low + + * New upstream release. + + -- Christian Hammers <ch@debian.org> Tue, 4 Jan 2005 01:45:22 +0100 + +quagga (0.97.3-2) unstable; urgency=low + + * Included isisd in the daemon list. + * Wrote an isisd manpage. + * It is now ensured that zebra is always the last daemon to be stopped. + * (Thanks to Hasso Tepper for mailing me a long list of suggestions + which lead to this release) + + -- Christian Hammers <ch@debian.org> Sat, 18 Dec 2004 13:14:55 +0100 + +quagga (0.97.3-1) unstable; urgency=medium + + * New upstream version. + - Fixes important OSPF bug. + * Added ht-20040911-smux.patch regarding Quagga bug #112. + * Updated ht-20041109-0.97.3-bgp-md5.patch for BGP with TCP MD5 + (thanks to Matthias Wamser). + + -- Christian Hammers <ch@debian.org> Tue, 9 Nov 2004 17:45:26 +0100 + +quagga (0.97.2-4) unstable; urgency=low + + * Added Portuguese debconf translation (thanks to Andre Luis Lopes). + Closes: #279352 + * Disabled ospfapi server by default on recommendation of Paul Jakma. + + -- Christian Hammers <ch@debian.org> Sun, 7 Nov 2004 15:07:05 +0100 + +quagga (0.97.2-3) unstable; urgency=low + + * Added Andrew Schorrs VTY Buffer patch from the [quagga-dev 1729]. + + -- Christian Hammers <ch@debian.org> Tue, 2 Nov 2004 00:46:56 +0100 + +quagga (0.97.2-2) unstable; urgency=low + + * Changed file and directory permissions and ownerships according to a + suggestion from Paul Jakma. Still not perfect though. + * Fixed upstream vtysh.conf.sample file. + * "ip ospf network broadcast" is now saved correctly. Closes: #244116 + * Daemon options are now in /etc/quagga/debian.conf to be user + configurable (thanks to Simon Raven and Hasso Tepper). Closes: #266715 + + -- Christian Hammers <ch@debian.org> Tue, 26 Oct 2004 23:35:45 +0200 + +quagga (0.97.2-1) unstable; urgency=low + + * New upstream version. + Closes: #254541 + * Fixed warning on unmodular kernels (thanks to Christoph Biedl). + Closes: #277973 + + -- Christian Hammers <ch@debian.org> Mon, 25 Oct 2004 00:47:04 +0200 + +quagga (0.97.1-2) unstable; urgency=low + + * Version 0.97 introduced shared libraries. They are now included. + (thanks to Raf D'Halleweyn). Closes: #277446 + + -- Christian Hammers <ch@debian.org> Wed, 20 Oct 2004 15:32:06 +0200 + +quagga (0.97.1-1) unstable; urgency=low + + * New upstream version. + * Removed some obsolete files from debian/patches. + * Added patch from upstream bug 113. Closes: #254541 + * Added patch from upstream that fixes a compilation problem in the + ospfclient code (thanks to Hasso Tepper). + * Updated German debconf translation (thanks to Jens Nachtigall) + Closes: #277059 + + -- Christian Hammers <ch@debian.org> Mon, 18 Oct 2004 01:16:35 +0200 + +quagga (0.96.5-11) unstable; urgency=low + + * Fixed /tmp/buildd/* paths in binaries. + For some unknown reason the upstream Makefile modified a .h file at + the end of the "debian/rules build" target. During the following + "make install" one library got thus be re*compiled* - with /tmp/buildd + paths as sysconfdir (thanks to Peder Chr. Norgaard). Closes: #274050 + + -- Christian Hammers <ch@debian.org> Fri, 1 Oct 2004 01:21:02 +0200 + +quagga (0.96.5-10) unstable; urgency=medium + + * The BGP routing daemon might freeze on network disturbances when + their peer is also a Quagga/Zebra router. + Applied patch from http://bugzilla.quagga.net/show_bug.cgi?id=102 + which has been confirmed by the upstream author. + (thanks to Gunther Stammwitz) + * Changed --enable-pam to --with-libpam (thanks to Hasso Tepper). + Closes: #264562 + * Added patch for vtysh (thanks to Hasso Tepper). Closes: #215919 + + -- Christian Hammers <ch@debian.org> Mon, 9 Aug 2004 15:33:02 +0200 + +quagga (0.96.5-9) unstable; urgency=low + + * Rewrote the documentation chapter about SNMP support. Closes: #195653 + * Added MPLS docs. + + -- Christian Hammers <ch@debian.org> Thu, 29 Jul 2004 21:01:52 +0200 + +quagga (0.96.5-8) unstable; urgency=low + + * Adjusted a grep in the initscript to also match a modprobe message + from older modutils packages (thanks to Faidon Paravoid). + + -- Christian Hammers <ch@debian.org> Wed, 28 Jul 2004 21:19:02 +0200 + +quagga (0.96.5-7) unstable; urgency=low + + * Added a "cd /etc/quagga/" to the init script as quagga tries to load + the config file first from the current working dir and then from the + config dir which could lead to confusion (thanks to Marco d'Itri). + Closes: #255078 + * Removed warning regarding problems with the Debian kernels from + README.Debian as they are no longer valid (thanks to Raphael Hertzog). + Closes: #257580 + * Added patch from Hasso Tepper that makes "terminal length 0" work + in vtysh (thanks to Matthias Wamser). Closes: #252579 + + -- Christian Hammers <ch@debian.org> Thu, 8 Jul 2004 21:53:21 +0200 + +quagga (0.96.5-6) unstable; urgency=low + + * Try to load the capability module as it is needed now. + + -- Christian Hammers <ch@debian.org> Tue, 8 Jun 2004 23:25:29 +0200 + +quagga (0.96.5-5) unstable; urgency=low + + * Changed the homedir of the quagga user to /etc/quagga/ to allow + admins to put ~/.ssh/authorized_keys there (thanks to Matthias Wamser). + Closes: #252577 + + -- Christian Hammers <ch@debian.org> Sat, 5 Jun 2004 14:47:31 +0200 + +quagga (0.96.5-4) unstable; urgency=medium + + * Fixed rules file to use the renamed ./configure option --enable-tcp-md5 + (thanks to Matthias Wamser). Closes: #252141 + + -- Christian Hammers <ch@debian.org> Tue, 1 Jun 2004 22:58:32 +0200 + +quagga (0.96.5-3) unstable; urgency=low + + * Provided default binary package name to all build depends that were + virtual packages (thanks to Goswin von Brederlow). Closes: #251625 + + -- Christian Hammers <ch@debian.org> Sat, 29 May 2004 22:48:53 +0200 + +quagga (0.96.5-2) unstable; urgency=low + + * New upstream version. + * New md5 patch version (thanks to Niklas Jakobsson and Hasso Tepper). + Closes: #250985 + * Fixes info file generation (thanks to Peder Chr. Norgaard). + Closes: #250992 + * Added catalan debconf translation (thanks to Aleix Badia i Bosch). + Closes: #250118 + * PATCHES: + This release contains BGP4 MD5 support which requires a kernel patch + to work. See /usr/share/doc/quagga/README.Debian.MD5. + (The patch is ht-20040525-0.96.5-bgp-md5.patch from Hasso Tepper) + + -- Christian Hammers <ch@debian.org> Thu, 27 May 2004 20:09:37 +0200 + +quagga (0.96.5-1) unstable; urgency=low + + * New upstream version. + * PATCHES: + This release contains BGP4 MD5 support which also requires a kernel patch. + See /usr/share/doc/quagga/README.Debian.MD5 and search for CAN-2004-0230. + + -- Christian Hammers <ch@debian.org> Sun, 16 May 2004 17:40:40 +0200 + +quagga (0.96.4x-10) unstable; urgency=low + + * SECURITY: + This release contains support for MD5 for BGP which is one suggested + prevention of the actually long known TCP SYN/RST attacks which got + much news in the last days as ideas were revealed that made them much + easier probable agains especially the BGP sessions than commonly known. + There are a lot of arguments agains the MD5 approach but some ISPs + started to require it. + See: CAN-2004-0230, http://www.us-cert.gov/cas/techalerts/TA04-111A.html + * PATCHES: + This release contains the MD5 patch from Hasso Tepper. It also seems to + required a kernel patch. See /usr/share/doc/quagga/README.Debian.MD5. + + -- Christian Hammers <ch@debian.org> Thu, 29 Apr 2004 01:01:38 +0200 + +quagga (0.96.4x-9) unstable; urgency=low + + * Fixed daemon loading order (thanks to Matt Kemner). + * Fixed typo in init script (thanks to Charlie Brett). Closes: #238582 + + -- Christian Hammers <ch@debian.org> Sun, 4 Apr 2004 15:32:18 +0200 + +quagga (0.96.4x-8) unstable; urgency=low + + * Patched upstream source so that quagga header files end up in + /usr/include/quagga/. Closes: #233792 + + -- Christian Hammers <ch@debian.org> Mon, 23 Feb 2004 01:42:53 +0100 + +quagga (0.96.4x-7) unstable; urgency=low + + * Fixed info file installation (thanks to Holger Dietze). Closes: #227579 + * Added Japanese translation (thanks to Hideki Yamane). Closes: #227812 + + -- Christian Hammers <ch@debian.org> Sun, 18 Jan 2004 17:28:29 +0100 + +quagga (0.96.4x-6) unstable; urgency=low + + * Added dependency to iproute. + * Initscript now checks not only for the pid file but also for the + daemons presence (thanks to Phil Gregory). Closes: #224389 + * Added my patch to configure file permissions. + + -- Christian Hammers <ch@debian.org> Mon, 15 Dec 2003 22:34:29 +0100 + +quagga (0.96.4x-5) unstable; urgency=low + + * Added patch which gives bgpd the CAP_NET_RAW capability to allow it + to bind to special IPv6 link-local interfaces (Thanks to Bastian Blank). + Closes: #222930 + * Made woody backport easier by applying Colin Watsons po-debconf hack. + Thanks to Marc Haber for suggesting it. Closes: #223527 + * Made woody backport easier by applying a patch that removes some + obscure whitespaces inside an C macro. (Thanks to Marc Haber). + Closes: #223529 + * Now uses /usr/bin/pager. Closes: #204070 + * Added note about the "official woody backports" on my homepage. + + -- Christian Hammers <ch@debian.org> Mon, 15 Dec 2003 20:39:06 +0100 + +quagga (0.96.4x-4) unstable; urgency=high + + * SECURITY: + Fixes another bug that was originally reported against Zebra. + . + http://rhn.redhat.com/errata/RHSA-2003-307.html + Herbert Xu reported that Zebra can accept spoofed messages sent on the + kernel netlink interface by other users on the local machine. This could + lead to a local denial of service attack. The Common Vulnerabilities and + Exposures project (cve.mitre.org) has assigned the name CAN-2003-0858 to + this issue. + + * Minor improvements to init script (thanks to Iustin Pop). + Closes: #220938 + + -- Christian Hammers <ch@debian.org> Sat, 22 Nov 2003 13:27:57 +0100 + +quagga (0.96.4x-3) unstable; urgency=low + + * Changed "more" to "/usr/bin/pager" as default pager if $PAGER or + $VTYSH_PAGER is not set (thanks to Bastian Blank). Closes: #204070 + * Made the directory (but not the config/log files!) world accessible + again on user request (thanks to Anand Kumria)). Closes: #213129 + * No longer providing sample configuration in /etc/quagga/. They are + now only available in /usr/share/doc/quagga/ to avoid accidently + using them without changing the adresses (thanks to Marc Haber). + Closes: #215918 + + -- Christian Hammers <ch@debian.org> Sun, 16 Nov 2003 16:59:30 +0100 + +quagga (0.96.4x-2) unstable; urgency=low + + * Fixed permission problem with pidfile (thanks to Kir Kostuchenko). + Closes: #220938 + + -- Christian Hammers <ch@debian.org> Sun, 16 Nov 2003 14:24:08 +0100 + +quagga (0.96.4x-1) unstable; urgency=low + + * Reupload of 0.96.4. Last upload-in-a-hurry produced a totally + crappy .tar.gz file. Closes: #220621 + + -- Christian Hammers <ch@debian.org> Fri, 14 Nov 2003 19:45:57 +0100 + +quagga (0.96.4-1) unstable; urgency=high + + * SECURITY: Remote DoS of protocol daemons. + Fix for a remote triggerable crash in vty layer. The management + ports ("telnet myrouter ospfd") should not be open to the internet! + + * New upstream version. + - OSPF bugfixes. + - Some improvements for bgp and rip. + + -- Christian Hammers <ch@debian.org> Thu, 13 Nov 2003 11:52:27 +0100 + +quagga (0.96.3-3) unstable; urgency=low + + * Fixed pid file generation by substituting the daemons "-d" by the + start-stop-daemon option "--background" (thanks to Micha Gaisser). + Closes: #218103 + + -- Christian Hammers <ch@debian.org> Wed, 29 Oct 2003 05:17:49 +0100 + +quagga (0.96.3-2) unstable; urgency=low + + * Readded GNOME-PRODUCT-ZEBRA-MIB. + + -- Christian Hammers <ch@debian.org> Thu, 23 Oct 2003 06:17:03 +0200 + +quagga (0.96.3-1) unstable; urgency=medium + + * New upstream version. + * Removed -u and -e in postrm due to problems with debhelper and userdel + (thanks to Adam Majer and Jaakko Niemi). Closes: #216770 + * Removed SNMP MIBs as they are now included in libsnmp-base (thanks to + David Engel and Peter Gervai). Closes: #216138, #216086 + * Fixed seq command in init script (thanks to Marc Haber). Closes: #215915 + * Improved /proc check (thanks to Marc Haber). Closes: #212331 + + -- Christian Hammers <ch@debian.org> Thu, 23 Oct 2003 03:42:02 +0200 + +quagga (0.96.2-9) unstable; urgency=medium + + * Removed /usr/share/info/dir.* which were accidently there and prevented + the installation by dpkg (thanks to Simon Raven). Closes: #212614 + * Reworded package description (thanks to Anand Kumria). Closes: #213125 + * Added french debconf translation (thanks to Christian Perrier). + Closes: #212803 + + -- Christian Hammers <ch@debian.org> Tue, 7 Oct 2003 13:26:58 +0200 + +quagga (0.96.2-8) unstable; urgency=low + + * debian/rules now checks if /proc is mounted as ./configure needs + it but just fails with an obscure error message if it is absent. + (Thanks to Norbert Tretkowski). Closes: #212331 + + -- Christian Hammers <ch@debian.org> Tue, 23 Sep 2003 12:57:38 +0200 + +quagga (0.96.2-7) unstable; urgency=low + + * Last build was rejected due to a buggy dpkg-dev version. Rebuild. + + -- Christian Hammers <ch@debian.org> Mon, 22 Sep 2003 20:34:12 +0200 + +quagga (0.96.2-6) unstable; urgency=low + + * Fixed init script so that is is now possible to just start + the bgpd but not the zebra daemon. Also daemons are now actually + started in the order defined their priority. (Thanks to Thomas Kaehn + and Jochen Friedrich) Closes: #210924 + + -- Christian Hammers <ch@debian.org> Fri, 19 Sep 2003 21:17:02 +0200 + +quagga (0.96.2-5) unstable; urgency=low + + * For using quagga as BGP route server or similar, it is not + wanted to have the zebra daemon running too. For this reason + it can now be disabled in /etc/quagga/daemons, too. + (Thanks to Jochen Friedrich). Closes: #210924 + * Attached *unapplied* patch for the ISIS protocol. I did not dare + to apply it as long as upstream does not do it but this way give + users the possibilities to use it if they like to. + (Thanks to Remco van Mook) + + -- Christian Hammers <ch@debian.org> Wed, 17 Sep 2003 19:57:31 +0200 + +quagga (0.96.2-4) unstable; urgency=low + + * Enabled IPV6 router advertisement feature by default on user request + (thanks to Jochen Friedrich and Hasso Tepper). Closes: #210732 + * Updated GNU autoconf to let it build on hppa/parisc64 (thanks to + lamont). Closes: #210492 + + -- Christian Hammers <ch@debian.org> Sat, 13 Sep 2003 14:11:13 +0200 + +quagga (0.96.2-3) unstable; urgency=medium + + * Removed unnecessary "-lcrypto" to avoid dependency against OpenSSL + which would require further copyright addtions. + + -- Christian Hammers <ch@debian.org> Wed, 10 Sep 2003 01:37:28 +0200 + +quagga (0.96.2-2) unstable; urgency=low + + * Added note that config files of quagga are in /etc/quagga and + not /etc/zebra for the zebra users that migrate to quagga. + (Thanks to Roberto Suarez Soto for the idea) + * Fixed setgid rights in /etc/quagga. + + -- Christian Hammers <ch@debian.org> Wed, 27 Aug 2003 14:05:39 +0200 + +quagga (0.96.2-1) unstable; urgency=low + + * This package has formally been known as "zebra-pj"! + * New upstream release. + Fixes "anoying OSPF problem". + * Modified group ownerships so that vtysh can now be used by normal + uses if they are in the quaggavty group. + + -- Christian Hammers <ch@debian.org> Mon, 25 Aug 2003 23:40:14 +0200 + +quagga (0.96.1-1) unstable; urgency=low + + * Zebra-pj, the fork of zebra has been renamed to quagga as the original + upstream author asked the new project membed not to use "zebra" in the + name. zebra-pj is obsolete. + + -- Christian Hammers <ch@debian.org> Mon, 18 Aug 2003 23:37:20 +0200 + +zebra-pj (0.94+cvs20030721-1) unstable; urgency=low + + * New CVS build. + - OSPF changes (integration of the OSPF API?) + - code cleanups (for ipv6?) + * Tightened Build-Deps to gcc-2.95 as 3.x does not compile a stable ospfd. + This is a known problem and has been discussed on the mailing list. + No other solutions so far. + + -- Christian Hammers <ch@debian.org> Mon, 21 Jul 2003 23:52:00 +0200 + +zebra-pj (0.94+cvs20030701-1) unstable; urgency=low + + * Initial Release. + + -- Christian Hammers <ch@debian.org> Tue, 1 Jul 2003 01:58:06 +0200 diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..f599e28 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +10 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..43fb033 --- /dev/null +++ b/debian/control @@ -0,0 +1,129 @@ +Source: frr +Section: net +Priority: optional +Maintainer: David Lamparter <equinox-debian@diac24.net> +Uploaders: FRRouting-dev <dev@lists.frrouting.org>, + Ondřej Surý <ondrej@debian.org> +Build-Depends: bison, + chrpath, + debhelper (>= 10~) | dh-systemd, + debhelper (>= 9.20150101~), + flex, + gawk, + install-info, + libc-ares-dev, + libcap-dev, + libelf-dev:native, + libjson-c-dev | libjson0-dev, + libpam0g-dev | libpam-dev, + libpcre2-dev, + libpython3-dev:native, + libreadline-dev, + librtr-dev (>= 0.8.0~) <!pkg.frr.nortrlib>, + libsnmp-dev, + libssh-dev <!pkg.frr.nortrlib>, + libyang2-dev, + lsb-base, + pkg-config, + python3:native, + python3-dev:native, + python3-pytest:native <!nocheck>, + python3-sphinx:native, + texinfo (>= 4.7), + lua5.3 <pkg.frr.lua>, + liblua5.3-dev <pkg.frr.lua> +Standards-Version: 4.5.0.3 +Homepage: https://www.frrouting.org/ +Vcs-Browser: https://github.com/FRRouting/frr/tree/debian/master +Vcs-Git: https://github.com/FRRouting/frr.git -b debian/master + +Package: frr +Architecture: linux-any +Depends: iproute2, + logrotate (>= 3.2-11), + lsof, + ${misc:Depends}, + ${shlibs:Depends} +Pre-Depends: adduser +Recommends: frr-pythontools +Suggests: frr-doc +Conflicts: pimd, + quagga, + quagga-bgpd, + quagga-core, + quagga-isisd, + quagga-ospf6d, + quagga-ospfd, + quagga-pimd, + quagga-ripd, + quagga-ripngd, + zebra, + zebra-pj +Replaces: zebra, + zebra-pj +Description: FRRouting suite of internet protocols (BGP, OSPF, IS-IS, ...) + FRRouting implements the routing protocols commonly used in the + internet and private networks to exchange information between routers. + Both IP and IPv6 are supported, as are BGP, OSPFv2, OSPFv3, IS-IS, BABEL, + EIGRP, RIP, RIPng, LDP, BFD, PIM, VRRP, PBR, and NHRP. + . + These protocols are used to turn your system into a dynamic router, + exchanging information about available connections with other routers + in a standards-compliant way. The actual packet forwarding + functionality is provided by the OS kernel. + . + FRRouting is a fork of Quagga with an open community model. The main + git lives on https://github.com/frrouting/frr.git and the project name + is commonly abbreviated as "FRR." + +Package: frr-snmp +Architecture: linux-any +Depends: frr (= ${binary:Version}), + ${misc:Depends}, + ${shlibs:Depends} +Recommends: snmpd +Description: FRRouting suite - SNMP support + Adds SNMP support to FRR's daemons by attaching to net-snmp's snmpd + through the AgentX protocol. Provides read-only access to current + routing state through standard SNMP MIBs. + +Package: frr-rpki-rtrlib +Architecture: linux-any +Depends: frr (= ${binary:Version}), + ${misc:Depends}, + ${shlibs:Depends} +Description: FRRouting suite - BGP RPKI support (rtrlib) + Adds RPKI support to FRR's bgpd, allowing validation of BGP routes + against cryptographic information stored in WHOIS databases. This is + used to prevent hijacking of networks on the wider internet. It is only + relevant to internet service providers using their own autonomous system + number. +Build-Profiles: <!pkg.frr.nortrlib> + +Package: frr-doc +Section: doc +Architecture: all +Multi-Arch: foreign +Depends: ${misc:Depends}, + ${sphinxdoc:Depends} +Built-Using: ${sphinxdoc:Built-Using} +Suggests: frr +Conflicts: quagga-doc +Description: FRRouting suite - user manual + This provides the FRR user manual in HTML form. This is the official + manual maintained as part of the package and is also available online + at https://frrouting.readthedocs.io/ + +Package: frr-pythontools +Architecture: all +Depends: frr (<< ${source:Upstream-Version}.0-~), + frr (>= ${source:Version}~), + python3:any, + ${misc:Depends} +Description: FRRouting suite - Python tools + The FRRouting suite uses a small Python tool to provide configuration + reload functionality, particularly useful when the interactive configuration + shell is not used. + . + Without this package installed, "reload" (as a systemd or init script + invocation) will not work for the FRR daemons. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..edd7302 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,474 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: FRR +Upstream-Contact: maintainers@frrouting.org, security@frrouting.org +Source: https://www.frrouting.org/ + +Files: * +Copyright: 1996-2003 by the original Zebra authors: + Kunihiro Ishiguro <kunihiro@zebra.org> + Toshiaki Takada <takada@zebra.org> + Yasuhiro Ohara <yasu@sfc.wide.ad.jp> + 2003-2016 by the Quagga Project + 2016-2018 by the FRRouting Project + Adam Fitzgerald 2017 + Alex Couloumbis 2017 + Alexandre Cassen 2001-2017 + Alexandre Chappuis 2011 + Alexis Fasquel 2015 + Ali Rezaee 2018 + Ameya Dharkar 2018 + Amritha Nambiar 2015 + Andreas Jaggi 2017 + Andrew Certain 2012 + Andrew J. Schorr 2004-2011 + Andrew Lunn 2017 + Andrey Korolyov 2017-2018 + Ang Way Chuang 2012 + Anuradha Karuppiah 2016-2018 + Arthur Jones 2018 + Avneesh Sachdev 2012, 2016 + Ayan Banerjee 2012 + Balaji G. 2011-2016 + Barry Friedman 2011 + Bartek Kania 2008 + Baruch Siach 2016 + Bingen Eguzkitza 2016-2017 + Boian Bonev 2013 + Boris Yakubov 2013 + Brad Smith 2012 + Brett Ciphery 2013 + Brian Bennett 2015 + Brian Rak 2017 + Chirag Shah 2017-2018 + Chris Caputo 2009-2010 + Chris Hall 2010 + Chris Luke 2011 + Christian Franke 2012-2018 + Christian Hammers 2011 + Christoffer Hansen 2018 + Christoph Dwertmann 2018 + Colin Petrie 2016 + Cumulus Networks 2013-2019 + Daniel Kozlowski 2012 + Daniel Ng 2008 + Daniel Walton 2015-2018 + Daniil Baturin 2018 + Dario Wiesner 2018 + Dave Olson 2016-2017 + David BÉRARD 2010 + David Lamparter 2009-2018 + David Lebrun 2016 + David Ward 2009-2012 + David Young 2007 + Denil Vira 2015 + Denis Ovsienko 2007-2012 + Dinesh Dutt 2012-2013 + Dinesh G. Dutt 2013-2017 + Dmitrij Tejblum 2009-2011 + Dmitry Popov 2011 + Don Slice 2016-2018 + Donald Sharp 2015-2018 + Donatas Abraitis 2018 + Dongling Duan 2018 + Donnie Savage 2017 + Doug VanLeuven 2012 + Dylan Hall 2011 + Emanuele Di Pascale 2018 + Eric Pulvino 2017 + Everton Marques 2012-2014 + Evgeny Uskov 2016 + F. Aragon 2018 + Fatih USTA 2017 + Feng Lu 2014-2015 + Fernando Soto 2015 + Francesco Dolcini 2009 + Fredi Raspall 2016-2018 + Fritz Reichmann 2011 + G. Paul Ziemba 2016-2018 + Greg Troxel 2003-2007, 2010-2015 + Hasso Tepper 2003-2007, 2012-2013 + Hiroshi Yokoi 2015 + Hongguang Li 2016 + Hung-Weic Chiu 2017 + Igor Ryzhov 2016 + Ilya Shipitsin 2018 + Ingo Flaschberger 2011 + Ivan Moskalyov 2010 + JR Rivers 2012 + Jafar Al-Gharaibeh 2009, 2015-2018 + Jarad Olson 2018 + Jaroslav Fojtik 2011 + Jeremy Jackson 2008-2009 + Jingjing Duan 2008-2009 + Joachim Nilsson 2012-2013 + Joakim Tjernlund 2008-2014 + Job Snijders 2016 + John Berezovik 2016 + John Glotzer 2014 + John Kemp 2011 + Jon Andersson 2009-2011 + Jorge Boncompte 2012-2013, 2017 + Josh Bailey 2011-2012 + Juergen Kammer 2017 + Julien Courtat 2016 + Juliusz Chroboczek 2012 + Kaloyan Kovachev 2015-2017 + Ken Williams 2014 + Khiruthigai Balasubramanian 2016 + Krisztian Kovacs 2009 + Kunihiro Ishiguro 2018 + Leonard Tracy 2012 + Leonid Rosenboim 2012-2013 + Liu Xiaofeng 2016 + Lou Berger 2013, 2016-2018 + Lu Feng 2014-2015 + Lucian Cristian 2017 + Maitane Zotes 2014 + Manuel Schweizer 2017 + Marcel Röthke 2017-2018 + Mark Stapp 2018 + Martin Buck 2018 + Martin Winter 2015-2018 + Martín Beauchamp 2017 + Mathias Krause 2010 + Mathieu Goessens 2009 + Matthew Smith 2017 + Matthias Ferdinand 2011 + Matthieu Boutier 2012, 2016-2017 + Matti-Oskari Leppänen 2013 + Michael Lambert 2008-2010 + Michael Rossberg 2015 + Michael Zingg 2012 + Michal Sekletar 2014 + Mike Tancsa 2017 + Milan Kocian 2013-2014 + Mitesh Kanjariya 2017-2018 + Mladen Sablic 2017-2018 + Morgan Stewart 2015 + Nathan Van Gheem 2018 + Nick Hilliard 2009-2012 + Nico Golde 2010 + Nicolas Dichtel 2015 + Nigel Kukard 2017 + Nolan Leake 2012 + Oleg A. Arkhangelsky 2011 + Olivier Cochard-Labbé 2014 + Olivier Dugeon 2014-2018 + Ondrej Zajicek 2009 + Open Source Routing / NetDEF 2012-2017 + Pascal Mathis 2018 + Paul Jakma 2002-2016 + Paul P Komkoff Jr 2008 + Pawel Wieczorkiewicz 2016 + Peter Pentchev 2011 + Peter Szilagyi 2011 + Phil Huang 2017 + Phil Laverdiere 2012 + Philippe Guibert 2016-2018 + Piotr Jurkiewicz 2018 + Pradosh Mohapatra 2013-2014 + Quentin Young 2016-2018 + Radhika Mahankali 2015-2017 + Rafael Zalamena 2017-2018 + Rakesh Garimella 2013 + Raymond P. Burkholder 2017 + Remi Gacogne 2013 + Renato Westphal 2012, 2016-2018 + Robert Bays 2010 + Roderick Schertler 2011 + Rodny Molina 2018 + Roman Hoog Antink 2010-2013 + Ruben Kerkhof 2018 + Russ White 2017-2018 + Ryan Hagelstrom 2017 + Sam Tannous 2016-2017 + Sarita Patra 2018 + Sebastian Lohff 2017 + Sergey Fionov 2018 + Sergey Y. Afonin 2011 + Serj Kalichev 2012 + Sid Khot 2016 + Silas McCroskey 2017-2018 + Stephane Litkowski 2017 + Stephen Hemminger 2008-2014 + Stephen Worley 2018 + Steve Hill 2009 + Stig Thormodsrud 2008 + Subbaiah Venkata 2012 + Svata Dedic 2011 + Sébastien Luttringer 2014 + Takashi Sogabe 2009 + Thijs Kinkhorst 2009 + Thomas Gelf 2018 + Thomas Petazzoni 2016 + Thomas Ries 2011 + Thorvald Natvig 2017 + Tigran Martirosyan 2018 + Timo Teräs 2008-2009, 2013-2017 + Timothy Redaelli 2017 + Tom Goff 2009-2011 + Tom Henderson 2009 + Tomasz Pala 2009 + Udaya Shankara KS 2016 + Ulrich Weber 2011-2013 + Vasilis Tsiligiannis 2009 + Vincent Bernat 2012, 2017-2018 + Vincent Jardin 2003-2007, 2014, 2017-2018 + Vipin Kumar 2014-2015 + Vishal Dhingra 2018 + Vishal Kumar 2012 + Vitaliy Senchyshyn 2013 + Vivek Venkatraman 2015-2018 + Vladimir L Ivanov 2010 + Vyacheslav Trushkin 2011-2012 + Vystoropskyi, Sergii 2015 + Wataru Tanitsu 2010 + Wenjian Ma 2015 + Will McLendon 2017 + YAMAMOTO Shigeru 2011 + Yasuhiro Ohara 2009 + Zefan Xu 2018 + dturlupov 2018 + heasley 2009-2011 + jaydom 2017 + jpmondet 2018 + kssoman 2018 + lihongguang 2018 + lyq140 2018 + pcarana 2018 + pogojotz 2017 + tigranmartirosyan 2017 + tmartiro 2017 + vize 2007 + 高鹏 2012 +License: GPL-2+ + +Files: lib/strl*.c +License: LGPL-2.1+ +Copyright: Copyright (C) 2016 Free Software Foundation, Inc. + +Files: lib/skiplist.* +License: BSD-0-clause +Copyright: Copyright 1990 William Pugh + +Files: lib/sha256.* +License: BSD-2-clause +Copyright: Copyright 2005,2007,2009 Colin Percival + +Files: lib/qobj.h lib/monotime.h lib/memory.* lib/hook.* lib/frratomic.h lib/ferr.* lib/compiler.h lib/module.* +License: ISC +Copyright: Copyright (c) 2015-18 David Lamparter, for NetDEF, Inc. + +Files: nhrpd/nhrp_protocol.h +License: MIT +Copyright: Copyright (c) 2007-2012 Timo Teräs <timo.teras@iki.fi> + +Files: babeld/* +License: MIT +Copyright: + Copyright 2011 by Matthieu Boutier and Juliusz Chroboczek + Copyright 2007, 2008 by Grégoire Henry, Julien Cristau and Juliusz Chroboczek + +Files: babeld/babel_errors.* +License: GPL-2+ +Copyright: Copyright (C) 2017-2018 Donald Sharp, Cumulus Networks, Inc. + +Files: ldpd/* +License: ISC +Copyright: + Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> + Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org> + Copyright (c) 2004, 2005, 2008 Esben Norby <norby@openbsd.org> + Copyright (c) 2004, 2005, 2012 Claudio Jeker <claudio@openbsd.org> + Copyright (c) 2009 Michele Marchetto <michele@openbsd.org> + Copyright (c) 2012 Alexander Bluhm <bluhm@openbsd.org> + Copyright (c) 2013-2016 Renato Westphal <renato@openbsd.org> + Copyright (C) 2016 by Open Source Routing. + +Files: ldpd/ldp_debug.* ldpd/ldp_vty* ldpd/ldp_zebra.c +License: GPL-2+ +Copyright: + Copyright (C) 2016 by Open Source Routing. + +Files: doc/user/*.rst doc/figures/fig* +Copyright: Copyright (c) 1996-2018 Kunihiro Ishiguro, et al. +License: FRR-docs + Permission is granted to make and distribute verbatim copies of this + manual provided the copyright notice and this permission notice are + preserved on all copies. + . + Permission is granted to copy and distribute modified versions of this + manual under the conditions for verbatim copying, provided that the + entire resulting derived work is distributed under the terms of a + permission notice identical to this one. + . + Permission is granted to copy and distribute translations of this manual + into another language, under the above conditions for modified versions, + except that this permission notice may be stated in a translation + approved by Kunihiro Ishiguro. + +Files: lib/freebsd-queue.h lib/openbsd-queue.h lib/md5.* +License: BSD-3-clause +Copyright: + Copyright (c) 1991, 1993 The Regents of the University of California. + Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. + Copyright (C) 2004 6WIND <Vincent.Jardin@6WIND.com> + +Files: lib/openbsd-tree.* +License: BSD-2-clause +Copyright: + Copyright 2002 Niels Provos <provos@citi.umich.edu> + Copyright (c) 2016 David Gwynne <dlg@openbsd.org> + +Files: lib/imsg* +License: ISC +Copyright: + Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> + Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org> + Copyright (c) 2006, 2007, 2008 Reyk Floeter <reyk@openbsd.org> + +Files: qpb/qpb.proto fpm/fpm.proto +License: ISC +Copyright: Copyright (C) 2016 Sproute Networks, Inc. + +Files: doc/extra/frrlexer.py +License: ISC +Copyright: Copyright (c) 2017 Vincent Bernat <bernat@luffy.cx> + +Files: tests/helpers/python/frrsix.py +License: MIT +Copyright: Copyright (c) 2010-2017 Benjamin Peterson + +License: GPL-2+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + . + On Debian systems, the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-2'. + +License: LGPL-2.1+ + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + . + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. + . + On Debian systems, the full text of the GNU Lesser General Public + License version 2.1 can be found in the file + `/usr/share/common-licenses/LGPL-2.1'. + +License: BSD-0-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted. + . + THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +License: BSD-2-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +License: BSD-3-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 4. Neither the name of the University nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +License: ISC + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + . + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +License: MIT + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + . + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. diff --git a/debian/frr-doc.doc-base b/debian/frr-doc.doc-base new file mode 100644 index 0000000..af960e3 --- /dev/null +++ b/debian/frr-doc.doc-base @@ -0,0 +1,23 @@ +Document: frr +Title: FRRouting user manual +Abstract: General user/operator description for the FRRouting suite of + routing protocol daemons. +Section: Network/Communication + +Format: HTML +Index: /usr/share/doc/frr/html/index.html +Files: /usr/share/doc/frr/html/* + +Format: info +Index: /usr/share/info/frr.info.gz +Files: + /usr/share/info/frr.info.gz + /usr/share/info/frr-figures/fig-normal-processing.png + /usr/share/info/frr-figures/fig-rs-processing.png + /usr/share/info/frr-figures/fig-vnc-commercial-route-reflector.png + /usr/share/info/frr-figures/fig-vnc-frr-route-reflector.png + /usr/share/info/frr-figures/fig-vnc-gw.png + /usr/share/info/frr-figures/fig-vnc-mesh.png + /usr/share/info/frr-figures/fig-vnc-redundant-route-reflectors.png + /usr/share/info/frr-figures/fig_topologies_full.png + /usr/share/info/frr-figures/fig_topologies_rs.png diff --git a/debian/frr-doc.info b/debian/frr-doc.info new file mode 100644 index 0000000..1976365 --- /dev/null +++ b/debian/frr-doc.info @@ -0,0 +1 @@ +build/doc/user/_build/texinfo/frr.info diff --git a/debian/frr-doc.install b/debian/frr-doc.install new file mode 100644 index 0000000..7cef52e --- /dev/null +++ b/debian/frr-doc.install @@ -0,0 +1,16 @@ +# html docs include RST sources +# info + images referenced by it +# other +README.md usr/share/doc/frr +doc/figures/*.png usr/share/doc/frr +doc/figures/fig-normal-processing.png usr/share/info/frr-figures +doc/figures/fig-rs-processing.png usr/share/info/frr-figures +doc/figures/fig-vnc-commercial-route-reflector.png usr/share/info/frr-figures +doc/figures/fig-vnc-frr-route-reflector.png usr/share/info/frr-figures +doc/figures/fig-vnc-gw.png usr/share/info/frr-figures +doc/figures/fig-vnc-mesh.png usr/share/info/frr-figures +doc/figures/fig-vnc-redundant-route-reflectors.png usr/share/info/frr-figures +doc/figures/fig_topologies_full.png usr/share/info/frr-figures +doc/figures/fig_topologies_rs.png usr/share/info/frr-figures +usr/share/doc/frr/html +usr/share/info/ diff --git a/debian/frr-doc.lintian-overrides b/debian/frr-doc.lintian-overrides new file mode 100644 index 0000000..d4ada82 --- /dev/null +++ b/debian/frr-doc.lintian-overrides @@ -0,0 +1,2 @@ +# personal name +spelling-error-in-copyright Ang And diff --git a/debian/frr-pythontools.install b/debian/frr-pythontools.install new file mode 100644 index 0000000..662fbe0 --- /dev/null +++ b/debian/frr-pythontools.install @@ -0,0 +1,4 @@ +usr/lib/frr/frr-reload.py +usr/lib/frr/generate_support_bundle.py +usr/lib/frr/frr_babeltrace.py +usr/lib/frr/ospfclient.py diff --git a/debian/frr-pythontools.lintian-overrides b/debian/frr-pythontools.lintian-overrides new file mode 100644 index 0000000..d4ada82 --- /dev/null +++ b/debian/frr-pythontools.lintian-overrides @@ -0,0 +1,2 @@ +# personal name +spelling-error-in-copyright Ang And diff --git a/debian/frr-rpki-rtrlib.install b/debian/frr-rpki-rtrlib.install new file mode 100644 index 0000000..0465c0d --- /dev/null +++ b/debian/frr-rpki-rtrlib.install @@ -0,0 +1 @@ +usr/lib/*/frr/modules/bgpd_rpki.so diff --git a/debian/frr-rpki-rtrlib.lintian-overrides b/debian/frr-rpki-rtrlib.lintian-overrides new file mode 100644 index 0000000..3927731 --- /dev/null +++ b/debian/frr-rpki-rtrlib.lintian-overrides @@ -0,0 +1,5 @@ +# module contains no function calls that can be hardened +frr-rpki-rtrlib binary: hardening-no-fortify-functions * + +# personal name +spelling-error-in-copyright Ang And diff --git a/debian/frr-snmp.install b/debian/frr-snmp.install new file mode 100644 index 0000000..5517ca7 --- /dev/null +++ b/debian/frr-snmp.install @@ -0,0 +1,2 @@ +usr/lib/*/frr/libfrrsnmp.* +usr/lib/*/frr/modules/*_snmp.so diff --git a/debian/frr-snmp.lintian-overrides b/debian/frr-snmp.lintian-overrides new file mode 100644 index 0000000..d4ada82 --- /dev/null +++ b/debian/frr-snmp.lintian-overrides @@ -0,0 +1,2 @@ +# personal name +spelling-error-in-copyright Ang And diff --git a/debian/frr.dirs b/debian/frr.dirs new file mode 100644 index 0000000..e3832d1 --- /dev/null +++ b/debian/frr.dirs @@ -0,0 +1,7 @@ +etc/frr/ +etc/iproute2/rt_protos.d/ +etc/logrotate.d/ +usr/share/doc/frr/ +usr/share/lintian/overrides/ +usr/share/yang/ +var/log/frr/ diff --git a/debian/frr.docs b/debian/frr.docs new file mode 100644 index 0000000..220127c --- /dev/null +++ b/debian/frr.docs @@ -0,0 +1,2 @@ +debian/README.Debian +tools/zebra.el diff --git a/debian/frr.install b/debian/frr.install new file mode 100644 index 0000000..69ccb4f --- /dev/null +++ b/debian/frr.install @@ -0,0 +1,20 @@ +etc/ +tools/etc/frr/frr.conf etc/frr/ +tools/frr-reload usr/lib/frr/ +usr/bin/mtracebis +usr/bin/vtysh +usr/lib/*/frr/libfrr.* +usr/lib/*/frr/libfrrcares.* +usr/lib/*/frr/libfrrospfapiclient.* +usr/lib/*/frr/modules/bgpd_bmp.so +usr/lib/*/frr/modules/dplane_fpm_nl.so +usr/lib/*/frr/modules/zebra_cumulus_mlag.so +usr/lib/*/frr/modules/zebra_fpm.so +usr/lib/*/frr/modules/zebra_irdp.so +usr/lib/*/frr/modules/pathd_pcep.so +usr/lib/frr/*.sh +usr/lib/frr/*d +usr/lib/frr/watchfrr +usr/lib/frr/zebra +usr/share/man/ +usr/share/yang/ diff --git a/debian/frr.lintian-overrides b/debian/frr.lintian-overrides new file mode 100644 index 0000000..4468ef7 --- /dev/null +++ b/debian/frr.lintian-overrides @@ -0,0 +1,9 @@ +# function names & co. +frr binary: spelling-error-in-binary *writen written* +frr binary: spelling-error-in-binary *iif if* + +# prefixed man pages for off-PATH daemons +manpage-without-executable + +# personal name +spelling-error-in-copyright Ang And diff --git a/debian/frr.logrotate b/debian/frr.logrotate new file mode 100644 index 0000000..735af65 --- /dev/null +++ b/debian/frr.logrotate @@ -0,0 +1,27 @@ +/var/log/frr/*.log { + size 500k + sharedscripts + missingok + compress + rotate 14 + create 0640 frr frr + + postrotate + pid=$(lsof -t -a -c /syslog/ /var/log/frr/* 2>/dev/null) + if [ -n "$pid" ] + then # using syslog + kill -HUP $pid + fi + # in case using file logging; if switching back and forth + # between file and syslog, rsyslogd might still have file + # open, as well as the daemons, so always signal the daemons. + # It's safe, a NOP if (only) syslog is being used. + for i in babeld bgpd eigrpd isisd ldpd nhrpd ospf6d ospfd sharpd \ + pimd pim6d ripd ripngd zebra pathd pbrd staticd bfdd fabricd vrrpd; do + if [ -e /var/run/frr/$i.pid ] ; then + pids="$pids $(cat /var/run/frr/$i.pid)" + fi + done + [ -n "$pids" ] && kill -USR1 $pids || true + endscript +} diff --git a/debian/frr.manpages b/debian/frr.manpages new file mode 100644 index 0000000..5a1b74c --- /dev/null +++ b/debian/frr.manpages @@ -0,0 +1,16 @@ +build/doc/manpages/_build/man/frr-bgpd.8 +build/doc/manpages/_build/man/frr-eigrpd.8 +build/doc/manpages/_build/man/frr-fabricd.8 +build/doc/manpages/_build/man/frr-isisd.8 +build/doc/manpages/_build/man/frr-ldpd.8 +build/doc/manpages/_build/man/frr-nhrpd.8 +build/doc/manpages/_build/man/frr-ospf6d.8 +build/doc/manpages/_build/man/frr-ospfd.8 +build/doc/manpages/_build/man/frr-pimd.8 +build/doc/manpages/_build/man/frr-ripd.8 +build/doc/manpages/_build/man/frr-ripngd.8 +build/doc/manpages/_build/man/frr-watchfrr.8 +build/doc/manpages/_build/man/frr-zebra.8 +build/doc/manpages/_build/man/frr.1 +build/doc/manpages/_build/man/mtracebis.8 +build/doc/manpages/_build/man/vtysh.1 diff --git a/debian/frr.pam b/debian/frr.pam new file mode 100644 index 0000000..2b106d4 --- /dev/null +++ b/debian/frr.pam @@ -0,0 +1,3 @@ +# Any user may call vtysh but only those belonging to the group frrvty can +# actually connect to the socket and use the program. +auth sufficient pam_permit.so diff --git a/debian/frr.postinst b/debian/frr.postinst new file mode 100644 index 0000000..eb9ec67 --- /dev/null +++ b/debian/frr.postinst @@ -0,0 +1,96 @@ +#!/bin/sh +set -e + +# most of this file makes sense to execute regardless of whether this is any +# of normal "configure" or error-handling "abort-upgrade", "abort-remove" or +# "abort-deconfigure" + +addgroup --system frrvty +addgroup --system frr +adduser \ + --system \ + --ingroup frr \ + --home /nonexistent \ + --gecos "Frr routing suite" \ + --no-create-home \ + frr +usermod -a -G frrvty frr + +mkdir -m 0755 -p /var/log/frr +mkdir -p /etc/frr + + +# only change ownership of files when they were previously owned by root or +# quagga; this is to ensure we don't trample over some custom user setup. +# +# if we are on a freshly installed package (or we added new configfiles), +# the files should be owned by root by default so we should end up with "frr" +# owned configfiles. + +quaggauid=`id -u quagga 2>/dev/null || echo 0` +quaggagid=`id -g quagga 2>/dev/null || echo 0` + +find \ + /etc/frr \ + /var/log/frr \ + \( -uid 0 -o -uid $quaggauid \) -a \ + \( -gid 0 -o -gid $quaggauid \) | \ + while read filename; do + + # don't chown anything that has ACLs (but don't fail if we don't + # have getfacl) + if { getfacl -c "$filename" 2>/dev/null || true; } \ + | grep -E -q -v '^((user|group|other)::|$)'; then + : + else + chown frr: "$filename" + chmod o-rwx "$filename" + fi +done + +# fix misconfigured vtysh.conf & frr.conf ownership caused by config save +# mishandling in earlier FRR (and Quagga) versions +find /etc/frr -maxdepth 1 \( -name vtysh.conf -o -name frr.conf \) \ + -group frrvty -exec chgrp frr {} \; + +# more Quagga -> FRR upgrade smoothing. Not technically needed, but let's +# at least do the straightforward pieces. + +check_old_config() { + oldcfg="$1" + [ -r "$oldcfg" ] || return 0 + [ -s "$oldcfg" ] || return 0 + grep -v '^[[:blank:]]*\(#\|$\)' "$oldcfg" > /dev/null || return 0 + + cat >&2 <<EOF +Note: deprecated $oldcfg is present. This file is still read by +the FRR service but its contents should be migrated to /etc/frr/daemons. +EOF +} + +rmsum() { + fname="$1" + test -f "$1" || return 0 + fhash="`sha1sum \"$fname\"`" + fhash="${fhash%% *}" + if test "$fhash" = "$2"; then + rm "$fname" + fi +} + +case "$1" in +configure) + check_old_config /etc/frr/daemons.conf + check_old_config /etc/default/frr + if test -f /etc/frr/.pkg.frr.nointegrated; then + # remove integrated config setup + # (if checksums match, the files match freshly installed + # defaults, but the user has split config in place) + rmsum /etc/frr/vtysh.conf 5e7e3a488c51751e1ff98f27c9ad6085e1ad9cbb + rmsum /etc/frr/frr.conf dac6f2af4fca9919ba40eb338885a5d1773195c8 + rm /etc/frr/.pkg.frr.nointegrated + fi + ;; +esac + +#DEBHELPER# diff --git a/debian/frr.postrm b/debian/frr.postrm new file mode 100644 index 0000000..018f59e --- /dev/null +++ b/debian/frr.postrm @@ -0,0 +1,14 @@ +#!/bin/sh +set -e + +rm -f /etc/frr/.pkg.frr.nointegrated + +if [ "$1" = "purge" ]; then + rm -rf /run/frr || true + + # "purge" does not remove logfiles. therefore we shouldn't delete + # the "frr" user/group since that would leave files with "dangling" + # ownership. +fi + +#DEBHELPER# diff --git a/debian/frr.preinst b/debian/frr.preinst new file mode 100644 index 0000000..2af5a4e --- /dev/null +++ b/debian/frr.preinst @@ -0,0 +1,94 @@ +#!/bin/bash +set -e +# bash is required since /etc/frr/daemons.conf used a bash array in some +# previous versions. + +# NOTE: this code exists specifically to make migrations from Quagga to +# FRR easier. FRR is able to load most Quagga configurations, but the +# config handling itself has changed with the move towards the "integrated" +# /etc/frr/frr.conf approach instead of separate per-daemon config files. +# +# That said, with this in place there's a good chance users can use a +# preexisting Quagga config with little hassle. + +case "$1" in +install|upgrade) + ( + test -f /etc/frr/daemons && . /etc/frr/daemons + test -f /etc/frr/daemons.conf && . /etc/frr/daemons.conf + test -f /etc/default/frr && . /etc/default/frr + + if [ "$watchfrr_enable" = no -o \ + "$watchfrr_enable" = "0" ]; then + cat >&2 <<EOF +ERROR: Pre-existing frr configuration file disables watchfrr. + +This configuration is deprecated upstream and not supported by the Debian +FRR package. Refusing to $1 in order to not break running setups. +Please change your setup to use watchfrr and remove the "watchfrr_enable" +option from /etc/frr/daemons, /etc/frr/daemons.conf and/or /etc/default/frr. +EOF + exit 1 + fi + ) + vtysh='' + if test -f /etc/frr/vtysh.conf; then + if grep -q '^[[:space:]]*service[[:space:]]\+integrated-vtysh-config' /etc/frr/vtysh.conf; then + # existing vtysh.conf with integrated statement + # - do nothing (=> integrated config) + vtysh='i' + elif grep -q '^[[:space:]]*no[[:space:]]\+service[[:space:]]\+integrated-vtysh-config' /etc/frr/vtysh.conf; then + # explicit non-integrated + # => need to fix vtysh.conf & frr.conf in postinst + vtysh='ni' + if test -f /etc/frr/frr.conf; then + cat >&2 <<EOF +ERROR: Pre-existing /etc/frr/vtysh.conf specifies +"no service integrated-vtysh-config", but /etc/frr/frr.conf exists. This +will cause the frr package to malfunction. Please remove /etc/frr/frr.conf +or remove the "no service integrated-vtysh-config" statement from +/etc/frr/vtysh.conf. +EOF + exit 1 + fi + else + # vtysh.conf exists but has no statement + : + fi + fi + if test -f /etc/frr/frr.conf; then + # vtysh.conf has no explicit statement but frr.conf exists + # => integrated config used + vtysh='i' + elif test -f /etc/frr/zebra.conf \ + -o -f /etc/frr/bgpd.conf \ + -o -f /etc/frr/ospfd.conf \ + -o -f /etc/frr/ospf6d.conf \ + -o -f /etc/frr/ripd.conf \ + -o -f /etc/frr/ripngd.conf \ + -o -f /etc/frr/isisd.conf \ + -o -f /etc/frr/pimd.conf \ + -o -f /etc/frr/ldpd.conf \ + -o -f /etc/frr/nhrpd.conf \ + -o -f /etc/frr/eigrpd.conf \ + -o -f /etc/frr/babeld.conf \ + -o -f /etc/frr/pbrd.conf \ + -o -f /etc/frr/pathd.conf \ + -o -f /etc/frr/bfdd.conf; then + # no explicit statement, but some split config file exists + # => need to fix vtysh.conf & frr.conf in postinst + test -n "$vtysh" || vtysh='ni' + else + # no config at all - use integrated + : + fi + if test "$vtysh" = "ni"; then + touch /etc/frr/.pkg.frr.nointegrated + fi + ;; +abort-upgrade) + # shouldn't fail an upgrade abort + ;; +esac + +#DEBHELPER# diff --git a/debian/frr.tmpfile b/debian/frr.tmpfile new file mode 100644 index 0000000..dee3cd8 --- /dev/null +++ b/debian/frr.tmpfile @@ -0,0 +1,2 @@ +# Create the /run/frr directory at boot or from systemd-tmpfiles on install +d /run/frr 0755 frr frr diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..1a9603f --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,7 @@ +[DEFAULT] +upstream-tag = frr-%(version)s +pristine-tar = False + +[export-orig] +compression = xz + diff --git a/debian/not-installed b/debian/not-installed new file mode 100644 index 0000000..1a89f35 --- /dev/null +++ b/debian/not-installed @@ -0,0 +1,3 @@ +usr/include +usr/lib/frr/ospfclient +usr/lib/frr/rfptest diff --git a/debian/patches/CVE-2023-38802.patch b/debian/patches/CVE-2023-38802.patch new file mode 100644 index 0000000..99753c7 --- /dev/null +++ b/debian/patches/CVE-2023-38802.patch @@ -0,0 +1,131 @@ +From bcb6b58d9530173df41d3a3cbc4c600ee0b4b186 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis <donatas@opensourcerouting.org> +Date: Thu, 13 Jul 2023 22:32:03 +0300 +Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation + attribute + +Before this path we used session reset method, which is discouraged by rfc7606. + +Handle this as rfc requires. + +Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> +--- + bgpd/bgp_attr.c | 61 ++++++++++++++++++++----------------------------- + 1 file changed, 25 insertions(+), 36 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index dcf0f4d47..8c53191d6 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -1405,6 +1405,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, + case BGP_ATTR_LARGE_COMMUNITIES: + case BGP_ATTR_ORIGINATOR_ID: + case BGP_ATTR_CLUSTER_LIST: ++ case BGP_ATTR_ENCAP: + case BGP_ATTR_OTC: + return BGP_ATTR_PARSE_WITHDRAW; + case BGP_ATTR_MP_REACH_NLRI: +@@ -2635,26 +2636,21 @@ ipv6_ext_community_ignore: + } + + /* Parse Tunnel Encap attribute in an UPDATE */ +-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ +- bgp_size_t length, /* IN: attr's length field */ +- struct attr *attr, /* IN: caller already allocated */ +- uint8_t flag, /* IN: attr's flags field */ +- uint8_t *startp) ++static int bgp_attr_encap(struct bgp_attr_parser_args *args) + { +- bgp_size_t total; + uint16_t tunneltype = 0; +- +- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3); ++ struct peer *const peer = args->peer; ++ struct attr *const attr = args->attr; ++ bgp_size_t length = args->length; ++ uint8_t type = args->type; ++ uint8_t flag = args->flags; + + if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS) + || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) { +- zlog_info( +- "Tunnel Encap attribute flag isn't optional and transitive %d", +- flag); +- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR, +- startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d", ++ flag); ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + if (BGP_ATTR_ENCAP == type) { +@@ -2662,12 +2658,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + uint16_t tlv_length; + + if (length < 4) { +- zlog_info( ++ zlog_err( + "Tunnel Encap attribute not long enough to contain outer T,L"); +- bgp_notify_send_with_data( +- peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); +- return -1; ++ return bgp_attr_malformed(args, ++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + tunneltype = stream_getw(BGP_INPUT(peer)); + tlv_length = stream_getw(BGP_INPUT(peer)); +@@ -2699,13 +2694,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + } + + if (sublength > length) { +- zlog_info( +- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", +- sublength, length); +- bgp_notify_send_with_data( +- peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", ++ sublength, length); ++ return bgp_attr_malformed(args, ++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + /* alloc and copy sub-tlv */ +@@ -2753,13 +2746,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + + if (length) { + /* spurious leftover data */ +- zlog_info( +- "Tunnel Encap attribute length is bad: %d leftover octets", +- length); +- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, +- startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets", ++ length); ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + return 0; +@@ -3732,8 +3722,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + case BGP_ATTR_VNC: + #endif + case BGP_ATTR_ENCAP: +- ret = bgp_attr_encap(type, peer, length, attr, flag, +- startp); ++ ret = bgp_attr_encap(&attr_args); + break; + case BGP_ATTR_PREFIX_SID: + ret = bgp_attr_prefix_sid(&attr_args); +-- +2.39.2 + diff --git a/debian/patches/CVE-2023-41358.patch b/debian/patches/CVE-2023-41358.patch new file mode 100644 index 0000000..ff2f2b7 --- /dev/null +++ b/debian/patches/CVE-2023-41358.patch @@ -0,0 +1,100 @@ +From f291f1ee9434f56d4b185db0652794a92e313b00 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis <donatas@opensourcerouting.org> +Date: Tue, 22 Aug 2023 22:52:04 +0300 +Subject: [PATCH] bgpd: Do not process NLRIs if the attribute length is zero + +``` +3 0x00007f423aa42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26 +4 0x00007f423aef9740 in core_handler (signo=11, siginfo=0x7fffc414deb0, context=<optimized out>) at lib/sigevent.c:246 +5 <signal handler called> +6 0x0000564dea2fc71e in route_set_aspath_prepend (rule=0x564debd66d50, prefix=0x7fffc414ea30, object=0x7fffc414e400) + at bgpd/bgp_routemap.c:2258 +7 0x00007f423aeec7e0 in route_map_apply_ext (map=<optimized out>, prefix=prefix@entry=0x7fffc414ea30, + match_object=match_object@entry=0x7fffc414e400, set_object=set_object@entry=0x7fffc414e400, pref=pref@entry=0x0) at lib/routemap.c:2690 +8 0x0000564dea2d277e in bgp_input_modifier (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, attr=attr@entry=0x7fffc414e770, + afi=afi@entry=AFI_IP, safi=safi@entry=SAFI_UNICAST, rmap_name=rmap_name@entry=0x0, label=0x0, num_labels=0, dest=0x564debdd5130) + at bgpd/bgp_route.c:1772 +9 0x0000564dea2df762 in bgp_update (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, addpath_id=addpath_id@entry=0, + attr=0x7fffc414eb50, afi=afi@entry=AFI_IP, safi=<optimized out>, safi@entry=SAFI_UNICAST, type=9, sub_type=0, prd=0x0, label=0x0, + num_labels=0, soft_reconfig=0, evpn=0x0) at bgpd/bgp_route.c:4374 +10 0x0000564dea2e2047 in bgp_nlri_parse_ip (peer=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, packet=0x7fffc414eaf0) + at bgpd/bgp_route.c:6249 +11 0x0000564dea2c5a58 in bgp_nlri_parse (peer=peer@entry=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, + packet=packet@entry=0x7fffc414eaf0, mp_withdraw=mp_withdraw@entry=false) at bgpd/bgp_packet.c:339 +12 0x0000564dea2c5d66 in bgp_update_receive (peer=peer@entry=0x7f4238f59010, size=size@entry=109) at bgpd/bgp_packet.c:2024 +13 0x0000564dea2c901d in bgp_process_packet (thread=<optimized out>) at bgpd/bgp_packet.c:2933 +14 0x00007f423af0bf71 in event_call (thread=thread@entry=0x7fffc414ee40) at lib/event.c:1995 +15 0x00007f423aebb198 in frr_run (master=0x564deb73c670) at lib/libfrr.c:1213 +16 0x0000564dea261b83 in main (argc=<optimized out>, argv=<optimized out>) at bgpd/bgp_main.c:505 +``` + +With the configuration: + +``` +frr version 9.1-dev-MyOwnFRRVersion +frr defaults traditional +hostname ip-172-31-13-140 +log file /tmp/debug.log +log syslog +service integrated-vtysh-config +! +debug bgp keepalives +debug bgp neighbor-events +debug bgp updates in +debug bgp updates out +! +router bgp 100 + bgp router-id 9.9.9.9 + no bgp ebgp-requires-policy + bgp bestpath aigp + neighbor 172.31.2.47 remote-as 200 + ! + address-family ipv4 unicast + neighbor 172.31.2.47 default-originate + neighbor 172.31.2.47 route-map RM_IN in + exit-address-family +exit +! +route-map RM_IN permit 10 + set as-path prepend 200 +exit +! +``` + +The issue is that we try to process NLRIs even if the attribute length is 0. + +Later bgp_update() will handle route-maps and a crash occurs because all the +attributes are NULL, including aspath, where we dereference. + +According to the RFC 4271: + +A value of 0 indicates that neither the Network Layer + Reachability Information field nor the Path Attribute field is + present in this UPDATE message. + +But with a fuzzed UPDATE message this can be faked. I think it's reasonable +to skip processing NLRIs if both update_len and attribute_len are 0. + +Reported-by: Iggy Frankovic <iggyfran@amazon.com> +Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> +(cherry picked from commit 28ccc24d38df1d51ed8a563507e5d6f6171fdd38) +--- + bgpd/bgp_packet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index 60f1dcbcd..a02d54894 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -1983,7 +1983,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size) + /* Network Layer Reachability Information. */ + update_len = end - stream_pnt(s); + +- if (update_len) { ++ if (update_len && attribute_len) { + /* Set NLRI portion to structure. */ + nlris[NLRI_UPDATE].afi = AFI_IP; + nlris[NLRI_UPDATE].safi = SAFI_UNICAST; +-- +2.39.2 + diff --git a/debian/patches/CVE-2023-41360.patch b/debian/patches/CVE-2023-41360.patch new file mode 100644 index 0000000..fd37714 --- /dev/null +++ b/debian/patches/CVE-2023-41360.patch @@ -0,0 +1,30 @@ +From 3515178de4a56d66ed948a774efcbe4a854e1ca7 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis <donatas@opensourcerouting.org> +Date: Sun, 20 Aug 2023 22:15:27 +0300 +Subject: [PATCH] bgpd: Don't read the first byte of ORF header if we are ahead + of stream + +Reported-by: Iggy Frankovic iggyfran@amazon.com +Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> +(cherry picked from commit 9b855a692e68e0d16467e190b466b4ecb6853702) +--- + bgpd/bgp_packet.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index a2959ef6e..60f1dcbcd 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -2408,7 +2408,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size) + * and 7 bytes of ORF Address-filter entry from + * the stream + */ +- if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) { ++ if (p_pnt < p_end && ++ *p_pnt & ORF_COMMON_PART_REMOVE_ALL) { + if (bgp_debug_neighbor_events(peer)) + zlog_debug( + "%pBP rcvd Remove-All pfxlist ORF request", +-- +2.39.2 + diff --git a/debian/patches/CVE-2023-41361.patch b/debian/patches/CVE-2023-41361.patch new file mode 100644 index 0000000..a227dc2 --- /dev/null +++ b/debian/patches/CVE-2023-41361.patch @@ -0,0 +1,43 @@ +From 73ad93a83f18564bb7bff4659872f7ec1a64b05e Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis <donatas@opensourcerouting.org> +Date: Sun, 20 Aug 2023 21:37:25 +0300 +Subject: [PATCH] bgpd: Check the length of the rcv software version + +Make sure we don't exceed the maximum of BGP_MAX_SOFT_VERSION. + +The Capability Length SHOULD be no greater than 64. + +Reported-by: Iggy Frankovic <iggyfran@amazon.com> +Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> +(cherry picked from commit b4d09af9194d20a7f9f16995a062f5d8e3d32840) +--- + bgpd/bgp_open.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c +index 0dd546397..e7e3c2191 100644 +--- a/bgpd/bgp_open.c ++++ b/bgpd/bgp_open.c +@@ -940,8 +940,18 @@ static int bgp_capability_software_version(struct peer *peer, + return -1; + } + +- if (len) { ++ if (len > BGP_MAX_SOFT_VERSION) { ++ flog_warn(EC_BGP_CAPABILITY_INVALID_LENGTH, ++ "%s: Received Software Version, but the length is too big, truncating, from peer %s", ++ __func__, peer->host); ++ stream_get(str, s, BGP_MAX_SOFT_VERSION); ++ stream_forward_getp(s, len - BGP_MAX_SOFT_VERSION); ++ len = BGP_MAX_SOFT_VERSION; ++ } else if (len) { + stream_get(str, s, len); ++ } ++ ++ if (len) { + str[len] = '\0'; + + XFREE(MTYPE_BGP_SOFT_VERSION, peer->soft_version); +-- +2.39.2 + diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..5ec3c8f --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,3 @@ +CVE-2023-38802.patch +CVE-2023-41358.patch +CVE-2023-41360.patch diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..71ee211 --- /dev/null +++ b/debian/rules @@ -0,0 +1,124 @@ +#!/usr/bin/make -f + +# standard Debian options & profiles + +export DEB_BUILD_MAINT_OPTIONS = hardening=+all + +ifneq (,$(filter terse,$(DEB_BUILD_OPTIONS))) + MAKE_SILENT="V=0" + export DH_VERBOSE=0 +else + MAKE_SILENT="V=1" + export DH_VERBOSE=1 + export DH_OPTIONS=-v +endif + +# package-specific build profiles + +ifeq ($(filter pkg.frr.nortrlib,$(DEB_BUILD_PROFILES)),) + CONF_RPKI=--enable-rpki +else + CONF_RPKI=--disable-rpki +endif + +ifeq ($(filter pkg.frr.lua,$(DEB_BUILD_PROFILES)),) + CONF_LUA=--disable-scripting +else + CONF_LUA=--enable-scripting +endif + +ifeq ($(filter pkg.frr.pim6d,$(DEB_BUILD_PROFILES)),) + CONF_PIM6=--disable-pim6d +else + CONF_PIM6=--enable-pim6d +endif + +export PYTHON=python3 + +%: + dh $@ -Bbuild --with=sphinxdoc + +override_dh_auto_configure: + $(shell dpkg-buildflags --export=sh); \ + dh_auto_configure -- \ + --localstatedir=/var/run/frr \ + --sbindir=/usr/lib/frr \ + --sysconfdir=/etc/frr \ + --with-vtysh-pager=/usr/bin/pager \ + --libdir=/usr/lib/$(DEB_HOST_MULTIARCH)/frr \ + --with-moduledir=/usr/lib/$(DEB_HOST_MULTIARCH)/frr/modules \ + LIBTOOLFLAGS="-rpath /usr/lib/$(DEB_HOST_MULTIARCH)/frr" \ + --disable-dependency-tracking \ + \ + $(CONF_RPKI) \ + $(CONF_LUA) \ + $(CONF_PIM6) \ + --with-libpam \ + --enable-doc \ + --enable-doc-html \ + --enable-snmp \ + --enable-fpm \ + --disable-protobuf \ + --disable-zeromq \ + --enable-ospfapi \ + --enable-bgp-vnc \ + --enable-multipath=256 \ + \ + --enable-user=frr \ + --enable-group=frr \ + --enable-vty-group=frrvty \ + --enable-configfile-mask=0640 \ + --enable-logfile-mask=0640 \ + # end + +override_dh_auto_install: + dh_auto_install + + sed -e '1c #!/usr/bin/python3' -i debian/tmp/usr/lib/frr/frr-reload.py + sed -e '1c #!/usr/bin/python3' -i debian/tmp/usr/lib/frr/generate_support_bundle.py + sed -e '1c #!/usr/bin/python3' -i debian/tmp/usr/lib/frr/frr_babeltrace.py + sed -e '1c #!/usr/bin/python3' -i debian/tmp/usr/lib/frr/ospfclient.py + +# let dh_systemd_* and dh_installinit do their thing automatically + cp build/tools/frr.service debian/frr.service + cp build/tools/frr@.service debian/frr@.service + cp build/tools/frrinit.sh debian/frr.init + -rm -f debian/tmp/usr/lib/frr/frr + +# install config files + mkdir -p debian/tmp/etc + cp -r tools/etc/* debian/tmp/etc/ + -rm debian/tmp/etc/frr/daemons.conf + +# drop dev-only files + find debian/tmp -name '*.la' -o -name '*.a' -o -name 'lib*.so' | xargs rm -f + rm -rf debian/tmp/usr/include + -rm debian/tmp/usr/lib/frr/ssd + +override_dh_auto_build: + dh_auto_build -- $(MAKE_SILENT) + +override_dh_installinit: + dh_installinit -r + +override_dh_installsystemd: + dh_installsystemd -r + +override_dh_makeshlibs: + dh_makeshlibs -n + +override_dh_missing: + dh_missing --fail-missing + +ifneq ($(filter nocheck,$(DEB_BUILD_PROFILES) $(DEB_BUILD_OPTIONS)),) +override_dh_auto_test: + true +endif + +override_dh_auto_clean: +# we generally do NOT want a full distclean since that wipes both +# debian/changelog and config.version + if test -f Makefile; then make redistclean; fi + -rm -f debian/frr.init + -rm -f debian/frr.service + -rm -f debian/frr@.service diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides new file mode 100644 index 0000000..112182c --- /dev/null +++ b/debian/source/lintian-overrides @@ -0,0 +1,2 @@ +# Debian Jessie and Ubuntu 16.04 need dh-systemd +frr source: ored-build-depends-on-obsolete-package diff --git a/debian/tests/bgpd-snmp-rpki b/debian/tests/bgpd-snmp-rpki new file mode 100755 index 0000000..930b8c2 --- /dev/null +++ b/debian/tests/bgpd-snmp-rpki @@ -0,0 +1,22 @@ +#!/bin/sh +set -e + +# enable bgpd with SNMP & RPKI modules +cat >> /etc/frr/daemons <<EOF +bgpd=yes +bgpd_options="-A 127.0.0.1 -Msnmp -Mrpki" +EOF + +service frr restart + +# check that it actually started +pgrep watchfrr +pgrep zebra +pgrep bgpd + +# just for debugging +vtysh -c 'show modules' + +# ... and SNMP & RPKI should be loaded +vtysh -c 'show modules' | grep -q snmp +vtysh -c 'show modules' | grep -q rpki diff --git a/debian/tests/control b/debian/tests/control new file mode 100644 index 0000000..6cb5b02 --- /dev/null +++ b/debian/tests/control @@ -0,0 +1,14 @@ +Tests: zebra-lo +Depends: frr +Restrictions: needs-root, isolation-container + +Tests: bgpd-snmp-rpki +Depends: frr, + frr-rpki-rtrlib, + frr-snmp +Restrictions: needs-root, isolation-container + +Tests: py-frr-reload +Depends: frr, + frr-pythontools +Restrictions: needs-root, isolation-container diff --git a/debian/tests/py-frr-reload b/debian/tests/py-frr-reload new file mode 100755 index 0000000..6dfef33 --- /dev/null +++ b/debian/tests/py-frr-reload @@ -0,0 +1,36 @@ +#!/bin/sh +set -e + +# should have been started on install, but policy may have inhibited that +service frr restart + +# these should be running by default +pgrep watchfrr +pgrep zebra +pgrep staticd + +# configure interactively, save to file +vtysh -c 'configure terminal' -c 'ip route 198.51.100.0/28 127.0.0.1' +vtysh -c 'show running-config' | grep -q 'ip route 198.51.100.0/28 127.0.0.1' +vtysh -c 'write memory' + +grep -q 'ip route 198.51.100.0/28 127.0.0.1' /etc/frr/frr.conf + +# configure in file, check interactively +sed -e '/^ip route 198.51.100.0\/28 127.0.0.1/ c ip route 198.51.100.64/28 127.0.0.1' \ + -i /etc/frr/frr.conf + +service frr reload + +# wait for the new config to load +for __t in $(seq 1 10); do + if vtysh -c 'show running-config' | grep -q 'ip route 198.51.100.64/28 127.0.0.1'; then + break + fi + sleep "$__t" +done + +# fail if the old config is still loaded +if vtysh -c 'show running-config' | grep -q 'ip route 198.51.100.0/28 127.0.0.1'; then + exit 1 +fi diff --git a/debian/tests/zebra-lo b/debian/tests/zebra-lo new file mode 100755 index 0000000..2a388d5 --- /dev/null +++ b/debian/tests/zebra-lo @@ -0,0 +1,16 @@ +#!/bin/sh +set -e + +# should have been started on install, but policy may have inhibited that +service frr status >/dev/null || service frr restart + +# these should be running by default +pgrep watchfrr +pgrep zebra +pgrep staticd + +# check vtysh works at all +vtysh -c 'show version' + +# check zebra is properly talking to the kernel +vtysh -c 'show interface lo' | grep -q LOOPBACK diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..2485a0d --- /dev/null +++ b/debian/watch @@ -0,0 +1,10 @@ +version=4 + +opts="\ +searchmode=plain,\ +uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/,\ +downloadurlmangle=s&releases/>FRR\s*(\d\S+)\s+Release<&archive/refs/tags/frr-$1.tar.gz&,\ +filenamemangle=s&>FRR\s*(\d\S+)\s+Release<&frr-$1.tar.gz&,\ +" \ +https://github.com/FRRouting/frr/releases/ \ + >FRR\s*(\d\S+)\s+Release< |