CVE-2019-16159: Buffer Overflow
First published: Mon Sep 09 2019(Updated: )
BIRD Internet Routing Daemon 1.6.x through 1.6.7 and 2.x through 2.0.5 has a stack-based buffer overflow. The BGP daemon's support for RFC 8203 administrative shutdown communication messages included an incorrect logical expression when checking the validity of an input message. Sending a shutdown communication with a sufficient message length causes a four-byte overflow to occur while processing the message, where two of the overflow bytes are attacker-controlled and two are fixed.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/bird | 1.6.6-1+deb10u1 1.6.8-2.1 | |
| debian/bird2 | 2.0.7-4.1 2.0.12-7 2.14-1 | |
| NIC BIRD | >=1.6.0<=1.6.7 | |
| NIC BIRD | >=2.0.0<=2.0.5 | |
| openSUSE Backports | =15.0-sp1 | |
| Red Hat Fedora | =29 | |
| Red Hat Fedora | =30 | |
| Debian Linux | =10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://bird.network.cz
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00063.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00065.html
- http://trubka.network.cz/pipermail/bird-users/2019-September/013718.html
- http://trubka.network.cz/pipermail/bird-users/2019-September/013720.html
- http://trubka.network.cz/pipermail/bird-users/2019-September/013722.html
- https://gitlab.labs.nic.cz/labs/bird/commit/1657c41c96b3c07d9265b07dd4912033ead4124b
- https://gitlab.labs.nic.cz/labs/bird/commit/8388f5a7e14108a1458fea35bfbb5a453e2c563c
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4F23NNAPXX65MGJQBPPTVGRV3T4XCKBV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MCVNQJBZYGGNAJNGOFEBE3IAJME2QIZB/
- https://seclists.org/bugtraq/2019/Sep/34
- https://www.debian.org/security/2019/dsa-4528
- https://security-tracker.debian.org/tracker/CVE-2019-16159
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4F23NNAPXX65MGJQBPPTVGRV3T4XCKBV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MCVNQJBZYGGNAJNGOFEBE3IAJME2QIZB/
Frequently Asked Questions
What is the vulnerability identifier for this issue?
The vulnerability identifier for this issue is CVE-2019-16159.
What is the severity of CVE-2019-16159?
The severity of CVE-2019-16159 is high with a CVSS score of 7.5.
Which software versions are affected by CVE-2019-16159?
The BIRD Internet Routing Daemon versions 1.6.x through 1.6.7 and 2.x through 2.0.5 are affected by CVE-2019-16159.
How can I fix CVE-2019-16159?
To fix CVE-2019-16159, update BIRD Internet Routing Daemon to version 1.6.8-2.1 or 2.0.7-4.1 or later.
Where can I find more information about CVE-2019-16159?
You can find more information about CVE-2019-16159 on the BIRD Internet Routing Daemon website and the openSUSE security announcement page.
- collector/security-tracker-debian
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/severity
- agent/event
- agent/description
- agent/first-publish-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/nic
- canonical/nic bird
- version/nic bird/1.6.0
- version/nic bird/1.6.7
- version/nic bird/2.0.0
- version/nic bird/2.0.5
- vendor/opensuse
- canonical/opensuse backports
- version/opensuse backports/15.0-sp1
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/29
- version/red hat fedora/30
- vendor/debian
- canonical/debian linux
- version/debian linux/10.0