Comments on CVE-2021-26928?

Adam Pribyl pribyl at lowlevel.cz
Thu Mar 9 09:05:00 CET 2023


On Thu, 9 Mar 2023, Ondrej Filip wrote:

> On 09. 03. 23 5:14, William wrote:
>> On 09/03/2023 13:41, Robert Scheck wrote:
>>> Hello,
>
> Hi!
>
>>> 
>>> with https://bugzilla.redhat.com/show_bug.cgi?id=2176483, Red Hat pointed
>>> me today to CVE-2021-26928. 
>>> https://nvd.nist.gov/vuln/detail/CVE-2021-26928
>>> contains a reference to BIRD 2.0.7, but no link related to BIRD upstream.
>>> 
>>> Do you see any chance for some comments on it (at least here)? Not sure if
>>> MITRE adds it then as references at CVE-2021-26928.
>> 
>> I have a PDF of the Bird help documentation that I saved in 2019 (Fossies) 
>> that lists password authentication mechanisms as per RFC2385 with extra 
>> options for BSD systems.  I'll defer to the Dev team on this for the final 
>> word, but someone has some crossed wires here.
>
> Yes, this functionality was added in 1.0.12 (12 Nov 2008). So I do not 
> understand this CVE.

The explanation is probably here:
https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-2
at the end in the Disclosure Timeline.


> 	Ondrej


Adam Pribyl


More information about the Bird-users mailing list