Ubuntu alert USN-7661-1 (gobgp)

From:
             
 
noreply+usn-bot@canonical.com
To:
             
 
ubuntu-security-announce@lists.ubuntu.com
Subject:
             
 
[USN-7661-1] GoBGP vulnerabilities
Date:
             
 
Tue, 22 Jul 2025 07:18:15 +0000
Message-ID:
             
 
<E1ue7GR-0003zx-Kk@lists.ubuntu.com>
==========================================================================
Ubuntu Security Notice USN-7661-1
July 22, 2025

gobgp vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in GoBGP.

Software Description:
- gobgp: BGP implementation in Go

Details:

It was discovered that GoBGP did not properly manage memory under
certain circumstances, which could lead to a buffer overflow. An
attacker could possibly use this issue to cause a denial of service. This
issue was only addressed in Ubuntu 22.04 LTS and Ubuntu 20.04 LTS.
(CVE-2023-46565)

It was discovered that GoBGP did not properly verify the length of
certain inputs. An attacker could possibly use this issue to cause a
panic resulting in a denial of service.
(CVE-2025-43970, CVE-2025-43971, CVE-2025-43972, CVE-2025-43973)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  gobgpd                          3.23.0-1ubuntu0.3+esm2
                                  Available with Ubuntu Pro
  golang-github-osrg-gobgp-dev    3.23.0-1ubuntu0.3+esm2
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  gobgpd                          2.25.0-3ubuntu0.1+esm2
                                  Available with Ubuntu Pro
  golang-github-osrg-gobgp-dev    2.25.0-3ubuntu0.1+esm2
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  gobgpd                          2.12.0-1ubuntu0.1~esm2
                                  Available with Ubuntu Pro
  golang-github-osrg-gobgp-dev    2.12.0-1ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  gobgpd                          1.29-1ubuntu0.1+esm1
                                  Available with Ubuntu Pro
  golang-github-osrg-gobgp-dev    1.29-1ubuntu0.1+esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7661-1
  CVE-2023-46565, CVE-2025-43970, CVE-2025-43971, CVE-2025-43972,
  CVE-2025-43973


Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmh/OosACgkQcpJm3tlz
hgFgEQ/+M/jz2M0VukApwAeZjBpvctkMRFPXfbt63e+KiVUldhnZuJ1iYfjnXgEg
J+swoaHEiHvE+wpSCN3jzERdBpiToD2Tb/2z4eUg86brQbpf6snsVzElhTxsNOF+
i0OjDCdlpVH7rR2nYNRxXmqOOIHm02D73mun1KPwpfBMJO1bD6BriYbEAE1ZqZRp
IaVNct+j/d7S9ZoqLpMXcAezfzSYpxKnIXt8Is73UNltGOKIsEvl+4bo9gLx71f2
olVIzmzZuIj9IclBBGydphc8nmVR6n9iETb7okMOhR/eDF8p/J+BXPNpTIU6G+/N
FNBCKCECTPPyifqPqp0ZrkRNa9yBFJRkgrIWuEXnxBHWLwB08IhnEHtCLg18DokN
KGadJk69t9sDbP5LtDOwwnvCmWQYV8SHOVwrJ4E1VoMkJyPw8nBov9PI5J25ku9U
oJURsryS5+SJSRpD9hIpW03aXCxOHB393IuYo6GuWAM64x38u1pgDgjx91QSm6p+
WvRSdIOiqre09Y8RZODmW0MlmxyJpxSIWVGa02ZQDo07GCNnvIZvgd3uOEB57JB7
oFmgKJq+nnsjVbJEdiYKknJQhx+WBvbOdiv0mKvtuGLTu0t75JgRRQGwMWuBRPz1
C6KKxEFZ75dXknG7Ux2oaLZsjVF+fsXzqFaZUHSq5p2wkvpxf8A=
=UcHm
-----END PGP SIGNATURE-----