Stack-based buffer overflow in the bgp_route_refresh_receive
function in bgp_packet.c in bgpd in Quagga before 0.99.17 allows
remote authenticated users to cause a denial of service (daemon
crash) or possibly execute arbitrary code via a malformed Outbound
Route Filtering (ORF) record in a BGP ROUTE-REFRESH (RR) message
(CVE-2010-2948).

bgpd in Quagga before 0.99.17 does not properly parse AS paths, which
allows remote attackers to cause a denial of service (NULL pointer
dereference and daemon crash) via an unknown AS type in an AS path
attribute in a BGP UPDATE message (CVE-2010-2949).

Updated packages are available that bring Quagga to version 0.99.17
which provides numerous bugfixes over the previous 0.99.12 version,
and also corrects these issues.