Two vulnerabilities were discovered in quagga, a BGP/OSPF/RIP routing daemon.
- CVE-2016-4036
Tamás Németh discovered that sensitive configuration files in /etc/quagga were world-readable despite containing sensitive information.
- CVE-2016-4049
Evgeny Uskov discovered that a bgpd instance handling many peers could be crashed by a malicious user when requesting a route dump.
For the stable distribution (jessie), these problems have been fixed in version 0.99.23.1-1+deb8u2.
We recommend that you upgrade your quagga packages.