David Lamparter

**Name of the Vulnerable Software and Affected Versions** Quagga versions prior to 1.0.20161017 **Description** A stack-based buffer overflow issue was found in the zebra daemon when processing IPv6 Neighbor Discovery messages. The root cause of this issue is the reliance on BUFSIZ, which is system-dependent, to be compatible with a message size. **Recommendations** For versions prior to 1.0.20161017, update to version 1.0.20161017 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Quagga version 0.99.21 **Description** The issue is related to the bgp attr unknown function in bgp attr.c, which does not properly initialize the total variable. This allows remote attackers to cause a denial of service by crashing bgpd via a crafted BGP update. **Recommendations** For Quagga version 0.99.21, consider applying a patch that properly initializes the total variable in the bgp attr unknown function to prevent the denial of service.