Two vulnerabilities were discovered in quagga, a BGP/OSPF/RIP routing daemon.

• CVE-2016-4036

  Tamás Németh discovered that sensitive configuration files in /etc/quagga were world-readable despite containing sensitive information.

• CVE-2016-4049

  Evgeny Uskov discovered that a bgpd instance handling many peers could be crashed by a malicious user when requesting a route dump.

For the stable distribution (jessie), these problems have been fixed in version 0.99.23.1-1+deb8u2.

We recommend that you upgrade your quagga packages.