Hello

With some delay due to holidays I started to prepare the latest
quagga release for Debian when I stumbled across the following
changelog entry:

  2003-10-15 Jay Fenlason <fenlason at redhat.com>

    * lib/vty.c: (vty_telnet_option) Remote DoS exists if a telnet
      end-sub-negotation is sent when no sub-negotation data has been
      sent. Return immediately if no sub-negotation is in progress.
      (vty_read) do not attempt to process options if no sub-negotation
      is in progress.

I do not know what a sub-negotiation is, so could anybody tell if this
is a way to DoS an arbitrary "normal" quagga installation? (with
management ports open to the internet maybe?) Which impact would this DoS
have? I mainly ask because I will have to propose the release of a
Debian Security Advisory if the risk is too high.

bye,

-christian-
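
Added illustration of the terms in the changelog entry (not part of the original message and not Quagga's lib/vty.c code): a telnet sub-negotiation is the byte sequence IAC SB <option> <data> IAC SE, and the parser below tracks whether one is open and ignores an IAC SE that arrives when none is. The names telnet_feed, struct telnet, SAMPLE and the 32-byte buffer size are assumptions made for this example.

```c
#include <stddef.h>

enum { IAC = 255, SB = 250, SE = 240, WILL = 251, DONT = 254 };
enum state { S_DATA, S_IAC, S_OPT, S_SB, S_SB_IAC };

struct telnet {
    enum state st;
    unsigned char sb[32];  /* bounded sub-negotiation buffer */
    size_t sb_len;
    unsigned completed;    /* well-formed IAC SB ... IAC SE sequences */
    unsigned stray_se;     /* IAC SE seen while no sub-negotiation was open */
};

/* Constructed sample: 'a', stray IAC SE, 'b', IAC SB 24 1 IAC SE, 'c'. */
static const unsigned char SAMPLE[] = { 'a', 255, 240, 'b', 255, 250, 24, 1, 255, 240, 'c' };

/* Feed n raw bytes; copy plain data to out (capacity cap); return its length. */
size_t telnet_feed(struct telnet *t, const unsigned char *in, size_t n,
                   unsigned char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        switch (t->st) {
        case S_DATA:
            if (c == IAC) t->st = S_IAC;
            else if (o < cap) out[o++] = c;
            break;
        case S_IAC:
            if (c == SB) { t->sb_len = 0; t->st = S_SB; break; }
            if (c >= WILL && c <= DONT) { t->st = S_OPT; break; }
            if (c == SE) t->stray_se++;                 /* nothing open: ignore it */
            else if (c == IAC && o < cap) out[o++] = c; /* IAC IAC = literal 0xFF */
            t->st = S_DATA;
            break;
        case S_OPT: t->st = S_DATA; break;              /* option code, not acted on */
        case S_SB:
            if (c == IAC) t->st = S_SB_IAC;
            else if (t->sb_len < sizeof t->sb) t->sb[t->sb_len++] = c;
            break;
        case S_SB_IAC:
            if (c == SE) { t->completed++; t->st = S_DATA; break; }
            if (t->sb_len < sizeof t->sb) t->sb[t->sb_len++] = c;
            t->st = S_SB;
            break;
        }
    }
    return o;
}
```

The parser state lives in struct telnet, so a command split across two reads is handled the same way as one that arrives in a single buffer.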