Source: gobgp
Version: 4.3.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

*** /tmp/gobgp.reportbug
Package: gobgp
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gobgp.

CVE-2026-5122[0]:
| A security flaw has been discovered in osrg GoBGP up to 4.3.0. This
| affects the function DecodeFromBytes of the file
| pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler.
| Performing a manipulation of the argument domainNameLen results in
| improper access controls. The attack may be initiated remotely. A
| high degree of complexity is needed for the attack. The
| exploitability is reported as difficult. The patch is named
| 2b09db390a3d455808363c53e409afe6b1b86d2d. It is suggested to install
| a patch to address this issue.

CVE-2026-5123[1]:
| A weakness has been identified in osrg GoBGP up to 4.3.0. This
| impacts the function DecodeFromBytes of the file
| pkg/packet/bgp/bgp.go. Executing a manipulation of the argument
| data[1] can lead to off-by-one. The attack may be launched remotely.
| Attacks of this nature are highly complex. The exploitability is
| said to be difficult. This patch is called
| 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied
| to remediate this issue.

CVE-2026-5124[2]:
| A security vulnerability has been detected in osrg GoBGP up to
| 4.3.0. Affected is the function BGPHeader.DecodeFromBytes of the
| file pkg/packet/bgp/bgp.go of the component BGP Header Handler. The
| manipulation leads to improper access controls. Remote exploitation
| of the attack is possible. The attack is considered to have high
| complexity. The exploitability is told to be difficult. The
| identifier of the patch is f0f24a2a901cbf159260698211ab15c583ced131.
| To fix this issue, it is recommended to deploy a patch.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5122
    https://www.cve.org/CVERecord?id=CVE-2026-5122
    https://github.com/osrg/gobgp/pull/3343
[1] https://security-tracker.debian.org/tracker/CVE-2026-5123
    https://www.cve.org/CVERecord?id=CVE-2026-5123
    https://github.com/osrg/gobgp/pull/3342
[2] https://security-tracker.debian.org/tracker/CVE-2026-5124
    https://www.cve.org/CVERecord?id=CVE-2026-5124
    https://github.com/osrg/gobgp/pull/3340

Regards,
Salvatore
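The three CVEs above all sit in the same place: a decoder that trusts a length field (the header's length, a capability's domainNameLen, or the second byte of a sub-field) as a slice bound without first checking it against the bytes actually present. The Go program below is an added illustration written for this report, not GoBGP's own code and not the patches referenced above. It shows the defensive shape such decoders should have: every declared length is validated against the remaining buffer before it is used, and malformed input produces an error rather than an out-of-range index. The header layout (16 marker bytes of 0xff, a 2-byte big-endian length in the range 19..4096, a 1-byte type) follows RFC 4271; the hostname/domain-name capability layout (hostname length, hostname, domain name length, domain name) is assumed from draft-walton-bgp-hostname-capability. The function names DecodeHeader and DecodeFQDNCapability and the sample buffers are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Fixed sizes from RFC 4271: marker(16) + length(2) + type(1) = 19 bytes,
// and the length field must lie in the range 19..4096.
const (
	bgpMarkerLen = 16
	bgpHeaderLen = 19
	bgpMaxMsgLen = 4096
)

// BGPHeader holds the two variable fields of the fixed-size message header.
type BGPHeader struct {
	Length uint16
	Type   uint8
}

// DecodeHeader (hypothetical name, not GoBGP's) parses a BGP message header.
// It rejects buffers shorter than the header and declared lengths outside
// the protocol bounds or beyond the bytes supplied, so no later field read
// can run past the end of the buffer.
func DecodeHeader(data []byte) (BGPHeader, error) {
	if len(data) < bgpHeaderLen {
		return BGPHeader{}, fmt.Errorf("bgp header: need %d bytes, got %d", bgpHeaderLen, len(data))
	}
	for i := 0; i < bgpMarkerLen; i++ {
		if data[i] != 0xff {
			return BGPHeader{}, errors.New("bgp header: marker byte is not 0xff")
		}
	}
	length := binary.BigEndian.Uint16(data[bgpMarkerLen : bgpMarkerLen+2])
	if length < bgpHeaderLen || length > bgpMaxMsgLen {
		return BGPHeader{}, fmt.Errorf("bgp header: declared length %d outside [%d, %d]", length, bgpHeaderLen, bgpMaxMsgLen)
	}
	if int(length) > len(data) {
		return BGPHeader{}, fmt.Errorf("bgp header: declared length %d exceeds %d available bytes", length, len(data))
	}
	return BGPHeader{Length: length, Type: data[bgpMarkerLen+2]}, nil
}

// FQDNCapability is the decoded hostname/domain-name capability value.
type FQDNCapability struct {
	Hostname   string
	DomainName string
}

// DecodeFQDNCapability (hypothetical name) parses the capability value as
// hostnameLen(1) | hostname | domainNameLen(1) | domainName, an assumed
// layout after draft-walton-bgp-hostname-capability. Each length byte is
// checked against the remaining buffer before it becomes a slice bound.
func DecodeFQDNCapability(data []byte) (FQDNCapability, error) {
	if len(data) < 1 {
		return FQDNCapability{}, errors.New("fqdn capability: missing hostname length")
	}
	hostLen := int(data[0])
	// Need the hostname bytes plus the domain-name length byte after them.
	if len(data) < 1+hostLen+1 {
		return FQDNCapability{}, fmt.Errorf("fqdn capability: hostname length %d exceeds %d remaining bytes", hostLen, len(data)-1)
	}
	hostname := data[1 : 1+hostLen]
	domainLen := int(data[1+hostLen])
	end := 1 + hostLen + 1 + domainLen
	if len(data) < end {
		return FQDNCapability{}, fmt.Errorf("fqdn capability: domain name length %d exceeds %d remaining bytes", domainLen, len(data)-(2+hostLen))
	}
	domain := data[2+hostLen : end]
	return FQDNCapability{Hostname: string(hostname), DomainName: string(domain)}, nil
}

// keepaliveMsg builds a constructed 19-byte KEEPALIVE: marker, length 19, type 4.
func keepaliveMsg() []byte {
	msg := make([]byte, bgpHeaderLen)
	for i := 0; i < bgpMarkerLen; i++ {
		msg[i] = 0xff
	}
	binary.BigEndian.PutUint16(msg[bgpMarkerLen:bgpMarkerLen+2], bgpHeaderLen)
	msg[bgpMarkerLen+2] = 4
	return msg
}

func main() {
	hdr, err := DecodeHeader(keepaliveMsg())
	fmt.Println(hdr, err)
	// Constructed truncated capability: declares a 5-byte domain name, supplies 1.
	_, err = DecodeFQDNCapability([]byte{3, 'a', 'b', 'c', 5, 'x'})
	fmt.Println(err)
}
```

The point of the two-step check in DecodeFQDNCapability is that the second length byte is only read after the first length has been proven to fit; reading data[1+hostLen] before that check is exactly the kind of index an attacker-chosen length can push past the buffer. For a distribution maintainer reviewing the referenced pull requests, the review question is whether each slice bound in DecodeFromBytes is preceded by such a comparison against len(data).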

