CVE-2016-1245 Debian CVE debrief

Who should care

Operators of Quagga-based routing stacks, especially zebra instances handling IPv6 Neighbor Discovery on routers, appliances, and Linux distributions that ship Quagga packages or backports.

Technical summary

The vulnerable path is in Quagga before the fixed 1.0.20161017 release referenced by the source corpus. NVD describes a stack-based buffer overflow in zebra when processing IPv6 Neighbor Discovery messages, caused by treating BUFSIZ as if it were compatible with the incoming message size. The published CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and NVD maps the issue to CWE-119.

Defensive priority

Critical — remediate urgently on any exposed Quagga/zebra deployment.

Recommended defensive actions

• Upgrade Quagga to a version that includes the upstream fix (or install the vendor package containing it).
• Apply the relevant vendor advisories for your platform, including Debian DSA-3695, Gentoo GLSA 201701-48, and Red Hat RHSA-2017-0794 where applicable.
• Confirm whether zebra is running and whether IPv6 Neighbor Discovery is processed on interfaces that may receive untrusted traffic.
• Restart or reload affected routing services after patching, then verify IPv6 routing behavior and daemon stability.
• Watch for zebra crashes or abnormal memory-corruption symptoms until all affected systems are updated.

Evidence notes

The source corpus and NVD record describe a stack-based buffer overflow in Quagga zebra during IPv6 Neighbor Discovery processing, with a root cause tied to unsafe reliance on BUFSIZ. The record includes a critical CVSS 3.0 vector (9.8) and CWE-119 classification. References point to an upstream Quagga fix commit and multiple vendor advisories. One data-quality note: the narrative description says the issue was fixed in Quagga before 1.0.20161017, while the CPE criteria in the supplied NVD data also include an end version of 1.0.20160315.

Official resources