Ubuntu alert USN-8348-1 (gobgp)
| From: | noreply+usn-bot--- via ubuntu-security-announce <ubuntu-security-announce@lists.ubuntu.com> | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-8348-1] GoBGP vulnerabilities | |
| Date: | Wed, 03 Jun 2026 08:17:24 +0000 | |
| Message-ID: | <E1wUgmy-00076W-VT@lists.ubuntu.com> | |
| Cc: | noreply+usn-bot@canonical.com |
==========================================================================
Ubuntu Security Notice USN-8348-1
June 03, 2026

gobgp vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in GoBGP.

Software Description:

- gobgp: BGP implementation in Go

Details:

It was discovered that GoBGP incorrectly handled certain specially crafted BGP UPDATE messages. A remote attacker could possibly use this issue to cause GoBGP to crash, resulting in a denial of service. (CVE-2026-37461)

Yanlei Wang discovered that GoBGP incorrectly handled certain malformed BGP UPDATE messages containing 4-byte AS attributes. A remote attacker could possibly use this issue to cause GoBGP to crash, resulting in a denial of service. (CVE-2026-41643)

It was discovered that GoBGP incorrectly handled certain malformed BGP UPDATE messages containing SRv6 L3 Service attributes. A remote attacker could possibly use this issue to cause GoBGP to crash, resulting in a denial of service. (CVE-2026-7734)

It was discovered that GoBGP incorrectly handled certain malformed BGP UPDATE messages containing Accumulated IGP (AIGP) attributes. A remote attacker could possibly use this issue to cause GoBGP to crash, resulting in a denial of service. (CVE-2026-7735)

It was discovered that GoBGP incorrectly handled certain malformed Multi-threaded Routing Toolkit (MRT) routing information entries. A remote attacker could possibly use this issue to cause GoBGP to crash, resulting in a denial of service. (CVE-2026-7736)

It was discovered that GoBGP incorrectly handled certain malformed Multi-threaded Routing Toolkit (MRT) headers. A remote attacker could possibly use this issue to cause GoBGP to crash, resulting in a denial of service. (CVE-2026-7737)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 26.04 LTS
  gobgpd 3.36.0-2ubuntu0.1~esm1
  Available with Ubuntu Pro

Ubuntu 24.04 LTS
  gobgpd 3.23.0-1ubuntu0.3+esm4
  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  gobgpd 2.25.0-3ubuntu0.1+esm4
  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  gobgpd 2.12.0-1ubuntu0.1~esm3
  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  gobgpd 1.29-1ubuntu0.1+esm2
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8348-1
  CVE-2026-37461, CVE-2026-41643, CVE-2026-7734, CVE-2026-7735, CVE-2026-7736, CVE-2026-7737
Attachment: signature.asc (type=application/pgp-signature)
