Comments on CVE-2021-26928?
Adam Pribyl
pribyl at lowlevel.cz
Thu Mar 9 09:05:00 CET 2023
On Thu, 9 Mar 2023, Ondrej Filip wrote:
> On 09. 03. 23 5:14, William wrote:
>> On 09/03/2023 13:41, Robert Scheck wrote:
>>> Hello,
>
> Hi!
>
>>>
>>> with https://bugzilla.redhat.com/show_bug.cgi?id=2176483, Red Hat pointed
>>> me today to CVE-2021-26928.
>>> https://nvd.nist.gov/vuln/detail/CVE-2021-26928
>>> contains a reference to BIRD 2.0.7, but no link related to BIRD upstream.
>>>
>>> Do you see any chance for some comments on it (at least here)? Not sure if
>>> MITRE adds it then as references at CVE-2021-26928.
>>
>> I have a PDF of the Bird help documentation that I saved in 2019 (Fossies)
>> that lists password authentication mechanisms as per RFC2385 with extra
>> options for BSD systems. I'll defer to the Dev team on this for the final
>> word, but someone has some crossed wires here.
>
> Yes, this functionality was added in 1.0.12 (12 Nov 2008). So I do not
> understand this CVE.

Explanation is probably here:
https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-2
at the end in the Disclosure Timeline.

> Ondrej
Adam Pribyl