Riku Hietamäki

**Name of the Vulnerable Software and Affected Versions** Quagga versions prior to 0.99.19 Quagga-devel versions prior to 0.99.19 Quagga-contrib versions prior to 0.99.19 Quagga-debuginfo versions prior to 0.99.19 **Description** The issue is related to multiple vulnerabilities in the Quagga package, which can lead to disruption of confidentiality, integrity, and availability of protected information. Exploitation of these vulnerabilities can be done remotely. A heap-based buffer overflow in the `ecommunity ecom2str` function in `bgp ecommunity.c` in `bgpd` in Quagga before version 0.99.19 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code by sending a crafted BGP UPDATE message over IPv4. **Recommendations** For Quagga versions prior to 0.99.19, update to version 0.99.19 or later. For Quagga-devel versions prior to 0.99.19, update to version 0.99.19 or later. For Quagga-contrib versions prior to 0.99.19, update to version 0.99.19 or later. For Quagga-debuginfo versions prior to 0.99.19, update to version 0.99.19 or later. As a temporary workaround, consider restricting access to the `bgpd` service until a patch is available. Avoid using the `ecommunity ecom2str` function in the affected `bgp ecommunity.c` file until the issue is resolved.