BIRD 3.1.4 and 3.0.5 released
Dear BIRD users,

we are releasing BIRD versions 3.1.4 and 3.0.5. We have fixed several crashes in BGP, including one which was remotely exploitable (CVE-2025-59688). This was so far probably the worst bug I remember, and we very much hope that nothing similar is going to happen any time soon again.

Release TGZs are available on our website <https://bird.nic.cz/get-bird>. Our autobuild packages are available in the appropriate Gitlab jobs:

- [3.0.5](https://gitlab.nic.cz/labs/bird/-/jobs/1493710/artifacts/browse/pkg/)
- [3.1.4](https://gitlab.nic.cz/labs/bird/-/jobs/1493709/artifacts/browse/pkg/)

Debian and Ubuntu packages will be also soon available in our repository at <https://pkg.labs.nic.cz/doc?project=bird>.

This is the last release of BIRD 3.0.x.

Happy routing!
Maria and the BIRD Team

-- Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.
Hello

Is version 2.x also affected by this issue?

Message written by Maria Matejka via Bird-users <bird-users@network.cz> on 22 Sep 2025, at 22:22:

Dear BIRD users,

we are releasing BIRD versions 3.1.4 and 3.0.5. We have fixed several crashes in BGP, including one which was remotely exploitable (CVE-2025-59688). This was so far probably the worst bug I remember, and we very much hope that nothing similar is going to happen any time soon again.

Release TGZs are available on our website https://bird.nic.cz/get-bird. Our autobuild packages are available in the appropriate Gitlab jobs:

• 3.0.5
• 3.1.4

Debian and Ubuntu packages will be also soon available in our repository at https://pkg.labs.nic.cz/doc?project=bird.

This is the last release of BIRD 3.0.x.

Happy routing!
Maria and the BIRD Team

-- Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.
Hello,

BIRD 2 is *not affected* at all. All bugs were just in BIRD 3.

David

David Petera (he/him) | BIRD Tech Support | CZ.NIC, z.s.p.o.

On 9/23/25 11:37, Łukasz Trąbiński via Bird-users wrote:

Hello

Is version 2.x also affected by this issue?

Message written by Maria Matejka via Bird-users <bird-users@network.cz> on 22 Sep 2025, at 22:22:

Dear BIRD users,

we are releasing BIRD versions 3.1.4 and 3.0.5. We have fixed several crashes in BGP, including one which was remotely exploitable (CVE-2025-59688). This was so far probably the worst bug I remember, and we very much hope that nothing similar is going to happen any time soon again.

Release TGZs are available on our website https://bird.nic.cz/get-bird. Our autobuild packages are available in the appropriate Gitlab jobs:

• 3.0.5
• 3.1.4

Debian and Ubuntu packages will be also soon available in our repository at https://pkg.labs.nic.cz/doc?project=bird.

This is the last release of BIRD 3.0.x.

Happy routing!
Maria and the BIRD Team

-- Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.
Awesome, looking forward to testing it. Any chance we can get 3.1.4 uploaded to Debian stable?

Matt

On 9/22/25 4:22 PM, Maria Matejka via Bird-users wrote:
Dear BIRD users,
we are releasing BIRD versions 3.1.4 and 3.0.5. We have fixed several crashes in BGP, including one which was remotely exploitable (CVE-2025-59688). This was so far probably the worst bug I remember, and we very much hope that nothing similar is going to happen any time soon again.
Release TGZs are available on our website <https://bird.nic.cz/get-bird>. Our autobuild packages are available in the appropriate Gitlab jobs:

* 3.0.5 <https://gitlab.nic.cz/labs/bird/-/jobs/1493710/artifacts/browse/pkg/>
* 3.1.4 <https://gitlab.nic.cz/labs/bird/-/jobs/1493709/artifacts/browse/pkg/>

Debian and Ubuntu packages will be also soon available in our repository at <https://pkg.labs.nic.cz/doc?project=bird>.
This is the last release of BIRD 3.0.x.
Happy routing!
Maria and the BIRD Team

-- Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.
Hello Olivier!

On Tue, Sep 23, 2025 at 06:05:08PM +0200, Olivier Cochard-Labbé wrote:

Thanks for this fix. Could you please provide the list of impacted versions for the CVE? Specifically, are versions 3.1.1 and 3.1.2 impacted too?

Yes. 3.0.x where x < 5, and 3.1.y where y < 4, all are impacted. BIRD 2 is not affected. The crashing assert is directly related to the multithreaded environment.

I hope that now it's clear, sorry for any confusion.

Maria

-- Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.
Hello!

On Mon, Sep 22, 2025 at 10:22:46PM +0200, Maria Matejka via Bird-users wrote:

we are releasing BIRD versions 3.1.4 and 3.0.5. We have fixed several crashes in BGP, including one which was remotely exploitable (CVE-2025-59688). This was so far probably the worst bug I remember, and we very much hope that nothing similar is going to happen any time soon again.

… and now there is also a writeup about that exploitable crash.

<https://en.blog.nic.cz/2025/09/24/crashing-bird-3-by-sending-a-notification-cve-2025-59688/>

Maria

-- Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.
participants (5)

- David Petera
- Maria Matejka
- Matt Corallo
- Olivier Cochard-Labbé
- Łukasz Trąbiński