)]}'
{
  "commit": "5e728e929942d39ce5a4ab3d01c33f7b688c4e3f",
  "tree": "6f2b2413fc182b75b589fdb340c813d7da944771",
  "parents": [
    "f47e5a18b5beb00d6b5b94965e305dadb5aa5bad"
  ],
  "author": {
    "name": "David Lamparter",
    "email": "equinox@opensourcerouting.org",
    "time": "Wed Jan 23 05:50:24 2013 +0100"
  },
  "committer": {
    "name": "David Lamparter",
    "email": "equinox@opensourcerouting.org",
    "time": "Fri Feb 01 17:55:04 2013 +0100"
  },
  "message": "bgpd: relax ORF capability length handling\n\ncommit fe9bb64... \"bgpd: CVE-2012-1820, DoS in bgp_capability_orf()\"\nmade the length test in bgp_capability_orf_entry() stricter and is now\ncausing us to refuse (with CEASE) ORF capabilities carrying any excess\ndata.  This does not conform to the robustness principle as laid out by\nRFC1122 (\"be liberal in what you accept\").\n\nEven worse, RFC5291 is quite unclear on how to use the ORF capability\nwith multiple AFI/SAFIs.  It can be interpreted as either \"use one\ninstance, stuff everything in\" but also as \"use multiple instances\".\nSo, if not for applying robustness, we end up clearing sessions from\nimplementations going by the former interpretation.  (or if anyone dares\nadd a byte of padding...)\n\nCc: Denis Ovsienko \u003cinfrastation@yandex.ru\u003e\nSigned-off-by: David Lamparter \u003cequinox@opensourcerouting.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "af711cc8ceba87bea72958983bca69b7b138767f",
      "old_mode": 33188,
      "old_path": "bgpd/bgp_open.c",
      "new_id": "7bf350165b670028591465cdfa4713bc4d1db3a0",
      "new_mode": 33188,
      "new_path": "bgpd/bgp_open.c"
    }
  ]
}
