{ "document": { "aggregate_severity": { "text": "Medium" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/ubuntu16.04els/vex/2018/cve-2018-5378-els_os-ubuntu16_04els.json" } ], "tracking": { "current_release_date": "2026-04-24T11:43:28Z", "generator": { "date": "2026-04-24T11:43:28Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2018-5378-ELS_OS-UBUNTU16.04ELS", "initial_release_date": "2018-02-19T13:29:00Z", "revision_history": [ { "date": "2018-02-19T13:29:00Z", "number": "1", "summary": "Initial version" }, { "date": "2026-04-20T15:27:52Z", "number": "2", "summary": "Official Publication" }, { "date": "2026-04-24T11:43:28Z", "number": "3", "summary": "Update document" } ], "status": "final", "version": "3" }, "title": "Security update on CVE-2018-5378" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Ubuntu 16.04", "product": { "name": "Ubuntu 16.04", "product_id": "Ubuntu-16", "product_identification_helper": { "cpe": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*" } } } ], "category": "product_family", "name": "Ubuntu" }, { "branches": [ { "category": "product_version", "name": "quagga-doc-0:0.99.24.1-2ubuntu1.4.all", "product": { "name": "quagga-doc-0:0.99.24.1-2ubuntu1.4.all", "product_id": "quagga-doc-0:0.99.24.1-2ubuntu1.4.all", "product_identification_helper": { "purl": "pkg:deb/ubuntu/quagga-doc@0.99.24.1-2ubuntu1.4?arch=all" } } } ], "category": "architecture", "name": "all" }, { "branches": [ { "category": "product_version", "name": "quagga-0:0.99.24.1-2ubuntu1.4.amd64", "product": { "name": "quagga-0:0.99.24.1-2ubuntu1.4.amd64", "product_id": "quagga-0:0.99.24.1-2ubuntu1.4.amd64", "product_identification_helper": { "purl": "pkg:deb/ubuntu/quagga@0.99.24.1-2ubuntu1.4?arch=amd64" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Canonical Ltd." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "quagga-doc-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.all", "product": { "name": "quagga-doc-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.all", "product_id": "quagga-doc-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.all", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/quagga-doc@0.99.24.1-2ubuntu1.4%2Btuxcare.els1?arch=all" } } } ], "category": "architecture", "name": "all" }, { "branches": [ { "category": "product_version", "name": "quagga-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.amd64", "product": { "name": "quagga-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.amd64", "product_id": "quagga-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.amd64", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/quagga@0.99.24.1-2ubuntu1.4%2Btuxcare.els1?arch=amd64" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "CloudLinux" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "quagga-doc-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.all as a component of Ubuntu 16.04", "product_id": "Ubuntu-16:quagga-doc-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.all" }, "product_reference": "quagga-doc-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.all", "relates_to_product_reference": "Ubuntu-16" }, { "category": "default_component_of", "full_product_name": { "name": "quagga-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.amd64 as a component of Ubuntu 16.04", "product_id": "Ubuntu-16:quagga-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.amd64" }, "product_reference": "quagga-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.amd64", "relates_to_product_reference": "Ubuntu-16" }, { "category": "default_component_of", "full_product_name": { "name": "quagga-doc-0:0.99.24.1-2ubuntu1.4.all as a component of Ubuntu 16.04", "product_id": "Ubuntu-16:quagga-doc-0:0.99.24.1-2ubuntu1.4.all" }, "product_reference": "quagga-doc-0:0.99.24.1-2ubuntu1.4.all", "relates_to_product_reference": "Ubuntu-16" }, { "category": "default_component_of", "full_product_name": { "name": "quagga-0:0.99.24.1-2ubuntu1.4.amd64 as a component of Ubuntu 16.04", "product_id": "Ubuntu-16:quagga-0:0.99.24.1-2ubuntu1.4.amd64" }, "product_reference": "quagga-0:0.99.24.1-2ubuntu1.4.amd64", "relates_to_product_reference": "Ubuntu-16" } ] }, "vulnerabilities": [ { "cve": "CVE-2018-5378", "cwe": { "id": "CWE-119", "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer" }, "notes": [ { "category": "description", "text": "The Quagga BGP daemon (bgpd) prior to version 1.2.3 does not properly bounds check the data sent with a NOTIFY to a peer, if an attribute length is invalid. Arbitrary data from the bgpd process may be sent over the network to a peer and/or bgpd may crash.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "Ubuntu-16:quagga-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.amd64", "Ubuntu-16:quagga-0:0.99.24.1-2ubuntu1.4.amd64", "Ubuntu-16:quagga-doc-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.all", "Ubuntu-16:quagga-doc-0:0.99.24.1-2ubuntu1.4.all" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2018-5378" }, { "category": "external", "summary": "http://savannah.nongnu.org/forum/forum.php?forum_id=9095", "url": "http://savannah.nongnu.org/forum/forum.php?forum_id=9095" }, { "category": "external", "summary": "http://www.kb.cert.org/vuls/id/940439", "url": "http://www.kb.cert.org/vuls/id/940439" }, { "category": "external", "summary": "https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-0543.txt", "url": "https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-0543.txt" }, { "category": "external", "summary": "https://security.gentoo.org/glsa/201804-17", "url": "https://security.gentoo.org/glsa/201804-17" }, { "category": "external", "summary": "https://usn.ubuntu.com/3573-1/", "url": "https://usn.ubuntu.com/3573-1/" }, { "category": "external", "summary": "https://www.debian.org/security/2018/dsa-4115", "url": "https://www.debian.org/security/2018/dsa-4115" } ], "release_date": "2018-02-19T13:29:00Z", "remediations": [ { "category": "no_fix_planned", "details": "- Exploitation requires the host to be actively running Quagga’s bgpd and to have an established, explicitly configured BGP peering session; arbitrary external hosts cannot trigger it. \n- The impact is limited to possible bgpd process crash (availability) and leakage of bgpd memory only to that same peer, with no integrity impact or code execution. \n- For centrally managed enterprise servers/VMs that are not acting as BGP routers—and even where bgpd is present but peers are explicitly configured—the practical exploitation likelihood is low, so this CVE can be safely deprioritized.", "product_ids": [ "Ubuntu-16:quagga-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.amd64", "Ubuntu-16:quagga-0:0.99.24.1-2ubuntu1.4.amd64", "Ubuntu-16:quagga-doc-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.all", "Ubuntu-16:quagga-doc-0:0.99.24.1-2ubuntu1.4.all" ] } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:P", "version": "2.0" }, "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.0" }, "products": [ "Ubuntu-16:quagga-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.amd64", "Ubuntu-16:quagga-0:0.99.24.1-2ubuntu1.4.amd64", "Ubuntu-16:quagga-doc-0:0.99.24.1-2ubuntu1.4+tuxcare.els1.all", "Ubuntu-16:quagga-doc-0:0.99.24.1-2ubuntu1.4.all" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] } ] }