frr (7.2.1-1ubuntu0.2+esm4) focal-security; urgency=medium

  * SECURITY UPDATE: Improper Access Controls
    - debian/patches/CVE-2026-5107.patch: Improve packet parsing for
      EVPN and ENCAP/VNC
    - CVE-2026-5107

 -- Bruce Cable <bruce.cable@canonical.com>  Fri, 10 Apr 2026 12:40:39 +1000

frr (7.2.1-1ubuntu0.2+esm3) focal-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow from unchecked TLV value
    - debian/patches/CVE-2024-44070.patch: bgpd: Check the actual
      remaining stream length before taking TLV value
    - CVE-2024-44070
  * SECURITY UPDATE: Denial of service via route re-validation
    - debian/patches/CVE-2024-55553-1.patch: bgpd: Validate only
      affected RPKI prefixes instead of a full RIB part 1
    - debian/patches/CVE-2024-55553-2.patch: bgpd: Validate only
      affected RPKI prefixes instead of a full RIB part 2
    - CVE-2024-55553

 -- John Breton <john.breton@canonical.com>  Thu, 23 Jan 2025 15:13:53 -0500

frr (7.2.1-1ubuntu0.2+esm2) focal-security; urgency=medium

  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2022-26126.patch: isisd: fix #10505 using
      base64 encoding
    - CVE-2022-26126
  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2022-26127.patch: babeld: fix #10487 by adding
      a check on packet length
    - CVE-2022-26127
  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2022-26128-26129.patch: babeld: fix #10502
      #10503 by repairing the checks on length
    - CVE-2022-26128
  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2022-26128-26129.patch: babeld: fix #10502
      #10503 by repairing the checks on length
    - CVE-2022-26129
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/CVE-2022-37032.patch: bgpd: Make sure hdr length is
      at a minimum of what is expected
    - CVE-2022-37032
  * SECURITY UPDATE: use after free
    - debian/patches/CVE-2022-37035.patch: bgpd: avoid notify race
      between io and main pthreads
    - CVE-2022-37035
  * SECURITY UPDATE: improper input validation
    - debian/patches/CVE-2023-31490.patch: bgpd: Ensure stream received
      has enough data
    - CVE-2023-31490
  * SECURITY UPDATE: improper handling of exceptional conditions
    - debian/patches/CVE-2023-38406.patch: bgpd: Flowspec overflow issue
    - CVE-2023-38406
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/CVE-2023-38407.patch: bgpd: Fix use beyond end of
      stream of labeled unicast parsing
    - CVE-2023-38407
  * SECURITY UPDATE: improper validation of integrity check value
    - debian/patches/CVE-2023-38802.patch: bgpd: Use treat-as-withdraw
      for tunnel encapsulation attribute
    - CVE-2023-38802
  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2023-46752.patch: bgpd: Handle MP_REACH_NLRI
      malformed packets with session reset
    - CVE-2023-46752
  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2023-46753.patch: bgpd: Check mandatory
      attributes more carefully for UPDATE message
    - CVE-2023-46753
  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2023-47234.patch: bgpd: Ignore handling NLRIs
      if we received MP_UNREACH_NLRI
    - CVE-2023-47234
  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2023-47235.patch: bgpd: Treat EOR as withdrawn
      to avoid unwanted handling of malformed attrs
    - CVE-2023-47235
  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2024-31948-1.patch: bgpd: Fix error handling
      when receiving BGP Prefix SID attribute
    - debian/patches/CVE-2024-31948-2.patch: bgpd: Prevent from one more
      CVE triggering this place
    - CVE-2024-31948

 -- Allen Huang <allen.huang@canonical.com>  Tue, 04 Jun 2024 11:12:29 +0100

frr (7.2.1-1ubuntu0.2+esm1) focal-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2023-41358.patch: Do not process NLRIs if the
      attribute length is zero
    - debian/patches/CVE-2023-41360.patch: Don't read the first byte of ORF
      header if we are ahead of stream
    - CVE-2023-41358
    - CVE-2023-41360
  * SECURITY UPDATE: Null pointer dereference
    - debian/patches/CVE-2023-41909.patch: Limit flowspec to no attribute
      means an implicit withdrawal
    - CVE-2023-41909

 -- Nishit Majithia <nishit.majithia@canonical.com>  Mon, 16 Oct 2023 13:04:24 +0530

frr (7.2.1-1ubuntu0.2) focal; urgency=medium

  * d/frr.postinst: don't change log ownership if the syslog user
    doesn't exist. Thanks to Alessandro Ratti
    <alessandro.ratti@exoscale.ch> for the fix (LP: #1991812).

 -- Andreas Hasenack <andreas@canonical.com>  Fri, 28 Oct 2022 14:12:00 -0300

frr (7.2.1-1ubuntu0.1) focal; urgency=medium

  * Fix logging with Ubuntu's unprivileged rsyslog (LP: #1958162):
    - d/frr.postinst: change log files ownership
    - d/frr.logrotate: change rotated log file ownership

 -- Andreas Hasenack <andreas@canonical.com>  Tue, 19 Jul 2022 17:40:11 -0300

frr (7.2.1-1) unstable; urgency=medium

  * new upstream release
  * daemon man pages renamed to frr-* (closes: #944392)
  * fix/improve multi-arch markers on doc
  * fix git URLs to point to debian branch

 -- David Lamparter <equinox-debian@diac24.net>  Mon, 20 Jan 2020 17:06:21 +0100

frr (7.2-1) unstable; urgency=medium

  * New upstream release

 -- Jafar Al-Gharaibeh <jafar@atcorp.com>  Sun, 03 Nov 2019 18:45:23 +0100

frr (6.0.2-2) unstable; urgency=medium

  * remove bogus libjson0 build-dep (closes: #921349)
  * fix broken systemd dependency spec
  * add proper Conflicts: for quagga and pimd (closes: #921376)

 -- David Lamparter <equinox-debian@diac24.net>  Mon, 04 Feb 2019 22:16:07 +0100

frr (6.0.2-1) unstable; urgency=medium

  * Packaging has been more or less completely reworked, based off the old
    Quagga packaging that hung around in git.  Refer to "changelog-auto.in"
    in the source root directory for the old changelog.
  * Initial release of FRR for Debian. (closes: #863249)

 -- David Lamparter <equinox-debian@diac24.net>  Sun, 27 Jan 2019 17:27:02 +0100
