[SECURITY] [DSA 6322-1] frr security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6322-1] frr security update
From: Aron Xu <aron@debian.org>
Date: Thu, 04 Jun 2026 17:40:16 +0000
Message-id: <E1wVC3E-0000000CD4v-3HDM@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-------------------------------------------------------------------------
Debian Security Advisory DSA-6322-1                   security@debian.org
https://www.debian.org/security/                                 Aron Xu
June 05, 2026                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : frr
CVE ID         : CVE-2023-3748 CVE-2024-27913 CVE-2024-31950 CVE-2024-31951
                 CVE-2024-34088 CVE-2025-61099 CVE-2025-61100 CVE-2025-61101
                 CVE-2025-61102 CVE-2025-61103 CVE-2025-61104 CVE-2025-61105
                 CVE-2025-61106 CVE-2025-61107 CVE-2026-5107 CVE-2026-28532
                 CVE-2026-37457 CVE-2026-37458
Debian Bug     :

Several vulnerabilities were discovered in FRRouting (frr), a suite of
internet routing protocol daemons. A remote attacker could trigger these
issues by sending specially crafted protocol packets to a vulnerable
daemon, resulting in denial of service (infinite loops, NULL pointer
dereferences and crashes) or potentially the execution of arbitrary code
through out-of-bounds reads and writes and buffer overflows.

The flaws affect packet and attribute parsing in the BGP daemon (including
FlowSpec, EVPN/VNC NLRI and MP_REACH_NLRI handling), the OSPF daemon
(Traffic Engineering, Segment Routing and Opaque LSA processing) and the
babeld daemon.

For the oldstable distribution (bookworm), these problems have been fixed
in version 8.4.4-1.1~deb12u2.

For the stable distribution (trixie), these problems have been fixed in
version 10.3-3+deb13u1.

We recommend that you upgrade your frr packages.
For the detailed security status of frr please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/frr

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
Multiple vulnerabilities in FRRouting (frr) allow remote attackers to cause denial of service or potentially execute arbitrary code by sending specially crafted protocol packets to vulnerable BGP, OSPF, or babeld daemons. According to NVD data, specific CVEs include CVE-2023-3748 (CVSS 3.5) affecting versions before 8.5, CVE-2024-27913 (CVSS 6.5) affecting versions before 9.0, and CVE-2024-31950 (CVSS 6.5) affecting versions through 9.1. For Debian bookworm, the fixed version is 8.4.4-1.1~deb12u2, and for trixie, it is 10.3-3+deb13u1.