Version in base suite: 2.17.1-1+deb13u1 Base version: bird2_2.17.1-1+deb13u1 Target version: bird2_2.17.1-1+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/b/bird2/bird2_2.17.1-1+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/b/bird2/bird2_2.17.1-1+deb13u2.dsc changelog | 10 ++++ patches/backport-05-1867ffa | 26 +++++++++++ patches/backport-06-9c7d028 | 19 ++++++++ patches/backport-07-cad5353 | 22 +++++++++ patches/backport-08-b143f6e | 19 ++++++++ patches/backport-09-f7eb6f1 | 24 ++++++++++ patches/backport-10-87a77ae | 35 +++++++++++++++ patches/backport-11-3c83997 | 35 +++++++++++++++ patches/backport-12-de64c80 | 32 ++++++++++++++ patches/backport-13-b4e228d | 52 ++++++++++++++++++++++ patches/backport-14-4be9672 | 63 +++++++++++++++++++++++++++ patches/backport-15-650e2fa | 100 ++++++++++++++++++++++++++++++++++++++++++++ patches/backport-16-3beb709 | 97 ++++++++++++++++++++++++++++++++++++++++++ patches/backport-17-954b305 | 31 +++++++++++++ patches/series | 13 +++++ 15 files changed, 578 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpsfqrawdx/bird2_2.17.1-1+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpsfqrawdx/bird2_2.17.1-1+deb13u2.dsc: no acceptable signature found diff -Nru bird2-2.17.1/debian/changelog bird2-2.17.1/debian/changelog --- bird2-2.17.1/debian/changelog 2025-12-17 23:21:35.000000000 +0000 +++ bird2-2.17.1/debian/changelog 2026-04-07 01:07:30.000000000 +0000 @@ -1,3 +1,13 @@ +bird2 (2.17.1-1+deb13u2) stable; urgency=medium + + * Backport all fixes from upstream 2.17.4: + + ASPA: Fix downstream validation + + BGP: Fix restart behavior on reconfiguration + + Filters: Fix string attributes + + Logging: Fix error handling + + -- Marco d'Itri Tue, 07 Apr 2026 03:07:30 +0200 + bird2 (2.17.1-1+deb13u1) stable; urgency=medium * New maintainer. diff -Nru bird2-2.17.1/debian/patches/backport-05-1867ffa bird2-2.17.1/debian/patches/backport-05-1867ffa --- bird2-2.17.1/debian/patches/backport-05-1867ffa 1970-01-01 00:00:00.000000000 +0000 +++ bird2-2.17.1/debian/patches/backport-05-1867ffa 2026-04-07 01:07:30.000000000 +0000 @@ -0,0 +1,26 @@ +From 1867ffae9d6bc76572f5876abf5337dba54f5da6 Mon Sep 17 00:00:00 2001 +From: Joshua Rogers +Date: Tue, 10 Feb 2026 01:10:28 +0100 +Subject: Netlink: Fix handling of RTAX_CC_ALGO netlink attribute + +The kernel-provided congestion control algorithm (RTAX_CC_ALGO) is stored in +an EAF_TYPE_STRING adata blob without the terminating NULL. When exporting +metrics back to netlink, the value is treated as a C string and passed to +nl_add_attr_str(), which uses strlen(str)+1. This may read past the allocated +adata and leak adjacent memory or crash. + +Minor change by committer. + +diff --git a/sysdep/linux/netlink.c b/sysdep/linux/netlink.c +index 299f132fe..8be5112c4 100644 +--- a/sysdep/linux/netlink.c ++++ b/sysdep/linux/netlink.c +@@ -1876,7 +1876,7 @@ nl_parse_route(struct nl_parse_state *s, struct nlmsghdr *h) + } + else if (t == RTAX_CC_ALGO) + { +- struct adata *ad = lp_alloc_adata(s->pool, strlen(cc_algo)); ++ struct adata *ad = lp_alloc_adata(s->pool, strlen(cc_algo) + 1); + memcpy(ad->data, cc_algo, ad->length); + + ea->attrs[n++] = (eattr) { diff -Nru bird2-2.17.1/debian/patches/backport-06-9c7d028 bird2-2.17.1/debian/patches/backport-06-9c7d028 --- bird2-2.17.1/debian/patches/backport-06-9c7d028 1970-01-01 00:00:00.000000000 +0000 +++ bird2-2.17.1/debian/patches/backport-06-9c7d028 2026-04-07 01:07:30.000000000 +0000 @@ -0,0 +1,19 @@ +From 9c7d028465f4c9c28106b58b4514e5c6644bdeab Mon Sep 17 00:00:00 2001 +From: Joshua Rogers +Date: Tue, 10 Feb 2026 01:16:51 +0100 +Subject: Lib: Fix mem_hash_mix_str() infinite loop/OOB read + + +diff --git a/lib/hash.h b/lib/hash.h +index 3c173958f..41409e47e 100644 +--- a/lib/hash.h ++++ b/lib/hash.h +@@ -219,7 +219,7 @@ static inline void + mem_hash_mix_str(u64 *h, const char *s) + { + const u64 multiplier = 0xb38bc09a61202731ULL; +- while (s) ++ while (*s) + *h = *h * multiplier + *s++; + } + diff -Nru bird2-2.17.1/debian/patches/backport-07-cad5353 bird2-2.17.1/debian/patches/backport-07-cad5353 --- bird2-2.17.1/debian/patches/backport-07-cad5353 1970-01-01 00:00:00.000000000 +0000 +++ bird2-2.17.1/debian/patches/backport-07-cad5353 2026-04-07 01:07:30.000000000 +0000 @@ -0,0 +1,22 @@ +From cad5353aaa0b198f3cb8397424710c3656e50f7a Mon Sep 17 00:00:00 2001 +From: Ondrej Zajicek +Date: Tue, 10 Feb 2026 03:41:59 +0100 +Subject: Filter: Fix string ordering + +Function strcmp() returns negative / 0 / positive, but val_compare() +is expected to return -1 / 0 / 1. + +diff --git a/filter/data.c b/filter/data.c +index f5a9e5eec..a685aa1a4 100644 +--- a/filter/data.c ++++ b/filter/data.c +@@ -210,7 +210,8 @@ val_compare(const struct f_val *v1, const struct f_val *v2) + case T_NET: + return net_compare(v1->val.net, v2->val.net); + case T_STRING: +- return strcmp(v1->val.s, v2->val.s); ++ int i = strcmp(v1->val.s, v2->val.s); ++ return (i > 0) - (i < 0); + case T_PATH: + return as_path_compare(v1->val.ad, v2->val.ad); + case T_ROUTE: diff -Nru bird2-2.17.1/debian/patches/backport-08-b143f6e bird2-2.17.1/debian/patches/backport-08-b143f6e --- bird2-2.17.1/debian/patches/backport-08-b143f6e 1970-01-01 00:00:00.000000000 +0000 +++ bird2-2.17.1/debian/patches/backport-08-b143f6e 2026-04-07 01:07:30.000000000 +0000 @@ -0,0 +1,19 @@ +From b143f6ea8e9cdd3c461d109e94b542106d12e1b0 Mon Sep 17 00:00:00 2001 +From: Ondrej Zajicek +Date: Tue, 10 Feb 2026 04:12:22 +0100 +Subject: Filter: Fix definition after label + + +diff --git a/filter/data.c b/filter/data.c +index a685aa1a4..eb0612c63 100644 +--- a/filter/data.c ++++ b/filter/data.c +@@ -209,7 +209,7 @@ val_compare(const struct f_val *v1, const struct f_val *v2) + return ipa_compare(v1->val.ip, v2->val.ip); + case T_NET: + return net_compare(v1->val.net, v2->val.net); +- case T_STRING: ++ case T_STRING:; + int i = strcmp(v1->val.s, v2->val.s); + return (i > 0) - (i < 0); + case T_PATH: diff -Nru bird2-2.17.1/debian/patches/backport-09-f7eb6f1 bird2-2.17.1/debian/patches/backport-09-f7eb6f1 --- bird2-2.17.1/debian/patches/backport-09-f7eb6f1 1970-01-01 00:00:00.000000000 +0000 +++ bird2-2.17.1/debian/patches/backport-09-f7eb6f1 2026-04-07 01:07:30.000000000 +0000 @@ -0,0 +1,24 @@ +From f7eb6f1611eb0a17ddb804c38acaab7e031c8126 Mon Sep 17 00:00:00 2001 +From: Ondrej Zajicek +Date: Thu, 29 May 2025 17:34:35 +0200 +Subject: Nest: Fix route update after preference change + +The route preference was ignored in route comparison, therefore if +a protocol changed it and then reloaded routes, they were ignored +and routes with the old prefernce were kept. + +The bug was introduced 5 years ago, when preference was moved from +struct rte to struct rta. + +diff --git a/nest/rt-attr.c b/nest/rt-attr.c +index 7c49af174..e10e1ecbf 100644 +--- a/nest/rt-attr.c ++++ b/nest/rt-attr.c +@@ -1182,6 +1182,7 @@ rta_same(rta *x, rta *y) + return (x->source == y->source && + x->scope == y->scope && + x->dest == y->dest && ++ x->pref == y->pref && + x->igp_metric == y->igp_metric && + ipa_equal(x->from, y->from) && + x->hostentry == y->hostentry && diff -Nru bird2-2.17.1/debian/patches/backport-10-87a77ae bird2-2.17.1/debian/patches/backport-10-87a77ae --- bird2-2.17.1/debian/patches/backport-10-87a77ae 1970-01-01 00:00:00.000000000 +0000 +++ bird2-2.17.1/debian/patches/backport-10-87a77ae 2026-04-07 01:07:30.000000000 +0000 @@ -0,0 +1,35 @@ +From 87a77ae542d8b29bb26432eb65ced254536c2895 Mon Sep 17 00:00:00 2001 +From: Ondrej Zajicek +Date: Tue, 3 Jun 2025 16:56:41 +0200 +Subject: BGP: Do route refresh after preference change + +Reconfiguration of preference is handled by nest code by asking for +reload, but in case of BGP with import table, that just reloaded routes +with the old preference. In BGP, we can handle that by triggering full +route refresh. + +Although, it would be probably better to set preference in nest, when +a route is propagated from the import table. + +diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c +index c8f90fadb..203715258 100644 +--- a/proto/bgp/bgp.c ++++ b/proto/bgp/bgp.c +@@ -2830,12 +2830,16 @@ bgp_channel_reconfigure(struct channel *C, struct channel_config *CC, int *impor + if ((new->gw_mode != old->gw_mode) || + (new->next_hop_prefer != old->next_hop_prefer) || + (new->aigp != old->aigp) || +- (new->cost != old->cost)) ++ (new->cost != old->cost) || ++ (new->c.preference != old->c.preference)) + { + /* import_changed itself does not force ROUTE_REFRESH when import_table is active */ + if (c->c.in_table && (c->c.channel_state == CS_UP)) + bgp_schedule_packet(p->conn, c, PKT_ROUTE_REFRESH); + ++ /* Note that preference is already handled in channel_reconfigure(), ++ but we need it handle again here for the ROUTE_REFRESH trigger */ ++ + *import_changed = 1; + } + diff -Nru bird2-2.17.1/debian/patches/backport-11-3c83997 bird2-2.17.1/debian/patches/backport-11-3c83997 --- bird2-2.17.1/debian/patches/backport-11-3c83997 1970-01-01 00:00:00.000000000 +0000 +++ bird2-2.17.1/debian/patches/backport-11-3c83997 2026-04-07 01:07:30.000000000 +0000 @@ -0,0 +1,35 @@ +From 3c839977ebb9f2eb3b683e002fffa17be9a3e6e5 Mon Sep 17 00:00:00 2001 +From: Maria Matejka +Date: Wed, 4 Jun 2025 14:53:36 +0200 +Subject: BGP: Restart if route refresh is impossible on attribute change + +In previous commit, we force route refresh when some protocol attributes +change. Yet, when the neighbor doesn't support route refresh, we have to +restart the session, not send an unsupported request. + +Note: if the neighbor is restarting right now with graceful restart +enabled, we keep the stale routes until the neighbor converges again. + +Related to #268 + +diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c +index 203715258..d38666fab 100644 +--- a/proto/bgp/bgp.c ++++ b/proto/bgp/bgp.c +@@ -2833,7 +2833,15 @@ bgp_channel_reconfigure(struct channel *C, struct channel_config *CC, int *impor + (new->cost != old->cost) || + (new->c.preference != old->c.preference)) + { +- /* import_changed itself does not force ROUTE_REFRESH when import_table is active */ ++ /* Route refresh needed, these attributes are set by BGP itself ++ * and even if import table exists, we can't use it */ ++ ++ /* Route refresh impossible, restart is needed */ ++ if ((c->c.channel_state == CS_UP) && !p->route_refresh) ++ return 0; ++ ++ /* Force ROUTE_REFRESH with import table; otherwise ++ * it will be forced by import_changed set to 1 later */ + if (c->c.in_table && (c->c.channel_state == CS_UP)) + bgp_schedule_packet(p->conn, c, PKT_ROUTE_REFRESH); + diff -Nru bird2-2.17.1/debian/patches/backport-12-de64c80 bird2-2.17.1/debian/patches/backport-12-de64c80 --- bird2-2.17.1/debian/patches/backport-12-de64c80 1970-01-01 00:00:00.000000000 +0000 +++ bird2-2.17.1/debian/patches/backport-12-de64c80 2026-04-07 01:07:30.000000000 +0000 @@ -0,0 +1,32 @@ +From de64c80119c14d733e465a0f428f3eff7aee6e74 Mon Sep 17 00:00:00 2001 +From: Maria Matejka +Date: Wed, 25 Jun 2025 13:00:11 +0200 +Subject: BGP: restart on outgoing next hop setting change + +When next hop self / keep / address changed, BGP only reloaded +the exports but it didn't apply the changes. To fix this problem +before actually implementing a proper change detection algorithm, +we restart the protocol if this setting changes. + +Fixes #280. + +diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c +index d38666fab..d8a4a69eb 100644 +--- a/proto/bgp/bgp.c ++++ b/proto/bgp/bgp.c +@@ -2851,10 +2851,13 @@ bgp_channel_reconfigure(struct channel *C, struct channel_config *CC, int *impor + *import_changed = 1; + } + ++ /* Outgoing next hop setting is too complex to update, forcing restart. */ + if (!ipa_equal(new->next_hop_addr, old->next_hop_addr) || + (new->next_hop_self != old->next_hop_self) || +- (new->next_hop_keep != old->next_hop_keep) || +- (new->llnh_format != old->llnh_format) || ++ (new->next_hop_keep != old->next_hop_keep)) ++ return 0; ++ ++ if ((new->llnh_format != old->llnh_format) || + (new->aigp != old->aigp) || + (new->aigp_originate != old->aigp_originate)) + *export_changed = 1; diff -Nru bird2-2.17.1/debian/patches/backport-13-b4e228d bird2-2.17.1/debian/patches/backport-13-b4e228d --- bird2-2.17.1/debian/patches/backport-13-b4e228d 1970-01-01 00:00:00.000000000 +0000 +++ bird2-2.17.1/debian/patches/backport-13-b4e228d 2026-04-07 01:07:30.000000000 +0000 @@ -0,0 +1,52 @@ +From b4e228d141b327fb19b862180f0fd03dc058a782 Mon Sep 17 00:00:00 2001 +From: Maria Matejka +Date: Tue, 29 Jul 2025 14:15:08 +0200 +Subject: BGP: Do not restart when next hop keep/self is changed + +The change in dade7147eb6b62b2d58d478a370baef513d96975 forces BGP to restart +even if next hop self and next hop keep changes, which can be updated just by +reloading export, while explicit next hop address can not. + +Related to #280. + +diff --git a/doc/bird.sgml b/doc/bird.sgml +index 3e024f4c1..6595dc327 100644 +--- a/doc/bird.sgml ++++ b/doc/bird.sgml +@@ -3925,7 +3925,6 @@ direction (re-export of routes to the BGP neighbor): + + + next_hop_addr, old->next_hop_addr) || +- (new->next_hop_self != old->next_hop_self) || +- (new->next_hop_keep != old->next_hop_keep)) ++ if (!ipa_equal(new->next_hop_addr, old->next_hop_addr)) + return 0; + +- if ((new->llnh_format != old->llnh_format) || ++ if ((new->next_hop_self != old->next_hop_self) || ++ (new->next_hop_keep != old->next_hop_keep) || ++ (new->llnh_format != old->llnh_format) || + (new->aigp != old->aigp) || + (new->aigp_originate != old->aigp_originate)) + *export_changed = 1; diff -Nru bird2-2.17.1/debian/patches/backport-14-4be9672 bird2-2.17.1/debian/patches/backport-14-4be9672 --- bird2-2.17.1/debian/patches/backport-14-4be9672 1970-01-01 00:00:00.000000000 +0000 +++ bird2-2.17.1/debian/patches/backport-14-4be9672 2026-04-07 01:07:30.000000000 +0000 @@ -0,0 +1,63 @@ +From 4be967290ee7ca2f6b0439c08e16999e7bbd5f66 Mon Sep 17 00:00:00 2001 +From: Maria Matejka +Date: Sat, 14 Mar 2026 18:42:03 +0100 +Subject: Filter: Document and extend ASPA verification tests + +These extensions minimalistically replicate the downstream bug reported +by Evann DREUMONT. (See next commit.) + +Issue: #355 + +diff --git a/filter/test.conf b/filter/test.conf +index 3df9b6975..18a531ada 100644 +--- a/filter/test.conf ++++ b/filter/test.conf +@@ -2395,10 +2395,19 @@ bt_test_suite(t_roa_check, "Testing ROA"); + + aspa table at; + ++# ASPA structure: ++# ++# ++# 65544 65545 ++# | \ / \ / | ++# 65540 65542 65543 65541 ++# | | ++# 65550 65551 ++ + protocol static + { + aspa { table at; }; +- route aspa 65540 providers 65544; ++ route aspa 65540 providers 65544, 65549; + route aspa 65541 providers 65545; + route aspa 65542 providers 65544, 65545; + route aspa 65543 providers 65544, 65545; +@@ -2440,6 +2449,27 @@ function t_aspa_check() + p3.prepend(65544); + bt_assert(aspa_check(at, p3, false) = ASPA_INVALID); + bt_assert(aspa_check(at, p3, true) = ASPA_INVALID); ++ ++ bgppath p4 = +empty+; ++ p4.prepend(65540); ++ p4.prepend(65544); ++ ++ bt_assert(aspa_check(at, p4, false) = ASPA_VALID); ++ bt_assert(aspa_check(at, p4, true) = ASPA_VALID); ++ ++ p4.prepend(65545); ++ ++ bt_assert(aspa_check(at, p4, false) = ASPA_VALID); ++ bt_assert(aspa_check(at, p4, true) = ASPA_INVALID); ++ ++ p4.prepend(65555); ++ ++ bt_assert(aspa_check(at, p4, false) = ASPA_UNKNOWN); ++ bt_assert(aspa_check(at, p4, true) = ASPA_INVALID); ++ ++ bgppath p5 = +empty+.prepend(65550).prepend(65540).prepend(65549); ++ bt_assert(aspa_check(at, p5, false) = ASPA_VALID); ++ bt_assert(aspa_check(at, p5, true) = ASPA_VALID); + } + + bt_test_suite(t_aspa_check, "Testing ASPA (our tests)"); diff -Nru bird2-2.17.1/debian/patches/backport-15-650e2fa bird2-2.17.1/debian/patches/backport-15-650e2fa --- bird2-2.17.1/debian/patches/backport-15-650e2fa 1970-01-01 00:00:00.000000000 +0000 +++ bird2-2.17.1/debian/patches/backport-15-650e2fa 2026-04-07 01:07:30.000000000 +0000 @@ -0,0 +1,100 @@ +From 650e2fab9968e23bf90baf6a5818d603525bbda1 Mon Sep 17 00:00:00 2001 +From: Evann DREUMONT +Date: Sat, 7 Feb 2026 23:59:12 +0100 +Subject: ASPA: Finish official test case coverage + +This commit implements missing test cases based on the official ASPA +path verification examples to expand coverage. + +Also, one of the custom test was incorrect, because while there is no valid +ASPA this could be seen, from a downstream perspective, as peering. + +This commit was originally a complete fix of the ASPA verification. +Reduced significantly by committer. + +diff --git a/filter/test.conf b/filter/test.conf +index 18a531ada..c21d74614 100644 +--- a/filter/test.conf ++++ b/filter/test.conf +@@ -2447,7 +2447,7 @@ function t_aspa_check() + bgppath p3 = +empty+; + p3.prepend(65541); + p3.prepend(65544); +- bt_assert(aspa_check(at, p3, false) = ASPA_INVALID); ++ bt_assert(aspa_check(at, p3, false) = ASPA_VALID); + bt_assert(aspa_check(at, p3, true) = ASPA_INVALID); + + bgppath p4 = +empty+; +@@ -2484,6 +2484,13 @@ protocol static + route aspa 65543 providers 65546; + route aspa 65544 providers 65546, 65547; + route aspa 65547 transit; ++ route aspa 65548 transit; ++ route aspa 65550 transit; ++ route aspa 65551 providers 65550; ++ route aspa 65552 transit; ++ route aspa 65553 transit; ++ route aspa 65554 providers 65553; ++ route aspa 65555 providers 65554; + } + + function t_aspa_check_official() +@@ -2493,6 +2500,7 @@ function t_aspa_check_official() + bool UP = true; bool DOWN = false; + bgppath p; + ++ # Examples of Upstream Path Verification + # F-G is a lateral peer, we do not prepend + p = +empty+.prepend(A).prepend(C).prepend(F); + bt_assert(aspa_check(at_official, p, UP) = ASPA_VALID); +@@ -2528,6 +2536,50 @@ function t_aspa_check_official() + # E-D is a lateral peer, we do not prepend + p = +empty+.prepend(B).prepend(E); + bt_assert(aspa_check(at_official, p, UP) = ASPA_VALID); ++ ++ # Examples of Downstream Path Verification ++ p = +empty+.prepend(A).prepend(C).prepend(F).prepend(G).prepend(E); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_UNKNOWN); ++ ++ p = +empty+.prepend(A).prepend(D).prepend(G).prepend(E); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_VALID); ++ ++ p = +empty+.prepend(A).prepend(C).prepend(D).prepend(E); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_UNKNOWN); ++ ++ p = +empty+.prepend(A).prepend(C).prepend(D).prepend(G).prepend(E); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_INVALID); ++ ++ p = +empty+.prepend(G).prepend(D).prepend(F).prepend(C); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_UNKNOWN); ++ ++ p = +empty+.prepend(B).prepend(E).prepend(G).prepend(D); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_VALID); ++ ++ p = +empty+.prepend(B).prepend(E).prepend(G).prepend(D).prepend(C); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_INVALID); ++ ++ p = +empty+.prepend(A).prepend(C).prepend(F); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_VALID); ++ ++ # Topology Contains Complex BGP Relationships ++ int H = 65548; int J = 65549; int K = 65550; int L = 65551; ++ int P = 65552; int Q = 65553; int R = 65554; int S = 65555; ++ ++ p = +empty+.prepend(H).prepend(J); ++ bt_assert(aspa_check(at_official, p, UP) = ASPA_INVALID); ++ ++ p = +empty+.prepend(H).prepend(J).prepend(K); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_INVALID); ++ ++ p = +empty+.prepend(P).prepend(Q); ++ bt_assert(aspa_check(at_official, p, UP) = ASPA_INVALID); ++ ++ p = +empty+.prepend(P).prepend(Q); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_VALID); ++ ++ p = +empty+.prepend(P).prepend(Q).prepend(R); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_VALID); + } + + bt_test_suite(t_aspa_check_official, "Testing ASPA (official tests)"); diff -Nru bird2-2.17.1/debian/patches/backport-16-3beb709 bird2-2.17.1/debian/patches/backport-16-3beb709 --- bird2-2.17.1/debian/patches/backport-16-3beb709 1970-01-01 00:00:00.000000000 +0000 +++ bird2-2.17.1/debian/patches/backport-16-3beb709 2026-04-07 01:07:30.000000000 +0000 @@ -0,0 +1,97 @@ +From 3beb709b225b3bc1aceae1763adaf95096efa88a Mon Sep 17 00:00:00 2001 +From: Maria Matejka +Date: Sat, 14 Mar 2026 21:57:46 +0100 +Subject: ASPA: Fix downstream check for two-point apex + +The ASPA algorithm is quite complex if one wants to execute it fast. +Most notably, the performance-critical part is looking up the ASPA +records, and we are trying to reduce that to minimum. + +Yet, in that effort, we missed the fact that in the downstream +algorithm, the down-ramp and up-ramp may touch, i.e. their top ends +have a lateral peering. + +The original idea was to find the point where the down-ramp is +impossible to be extended, and from there on, the algorithm is basically +just the upstream algorithm. But it isn't, most notably with the lateral +peering scenario it is much more complex than this. + +This issue was discovered by several people, and got a fix submitted by +Evann DREUMONT. That fix was correct but replaced the algorithm too +deeply. We don't want to do such large changes (including semantics) +inside the stable versions, and we have some more plans with all of this +considering performance, as soon as more ASPA records emerge. + +This patch therefore simply removes the force_upstream shortcut from +where the down ramp is terminated, fixes the downstream code so that +it works without that shortcut, and explicitly allows the two-apex +downstream scenario. + +Original-By: Evann DREUMONT + +diff --git a/nest/rt-table.c b/nest/rt-table.c +index ed364d351..1d50e5d05 100644 +--- a/nest/rt-table.c ++++ b/nest/rt-table.c +@@ -432,44 +432,40 @@ end_of_aspa:; + else if (!found) + { + /* Extend max-downstream (min-downstream is stopped by unknown) */ +- max_down = ap+1; ++ if (max_down == ap) ++ max_down = ap+1; + + /* Move min-upstream (can't include unknown) */ + min_up = ap; + } + +- /* ASPA exists and downstream may be extended */ +- else if (down) +- { +- /* Extending max-downstream always */ +- max_down = ap+1; +- +- /* Extending min-downstream unless unknown seen */ +- if (min_down == ap) +- min_down = ap+1; +- +- /* Downstream only */ +- if (!up) +- min_up = max_up = ap; +- } +- +- /* No extension for downstream, force upstream only from now */ ++ /* ASPA exists */ + else + { +- force_upstream = 1; ++ /* Downstream may be extended by this AS */ ++ if (down) ++ { ++ /* Extending max-downstream unless invalid seen */ ++ if (max_down == ap) ++ max_down = ap+1; ++ ++ /* Extending min-downstream unless unknown seen */ ++ if (min_down == ap) ++ min_down = ap+1; ++ } + +- /* Not even upstream, move the ending here */ ++ /* Move upstream end unless extensible */ + if (!up) + min_up = max_up = ap; + } + } + + /* Is the path surely valid? */ +- if (min_up <= min_down) ++ if (min_up <= min_down + !force_upstream) + return ASPA_VALID; + + /* Is the path maybe valid? */ +- if (max_up <= max_down) ++ if (max_up <= max_down + !force_upstream) + return ASPA_UNKNOWN; + + /* Now there is surely a valley there. */ diff -Nru bird2-2.17.1/debian/patches/backport-17-954b305 bird2-2.17.1/debian/patches/backport-17-954b305 --- bird2-2.17.1/debian/patches/backport-17-954b305 1970-01-01 00:00:00.000000000 +0000 +++ bird2-2.17.1/debian/patches/backport-17-954b305 2026-04-07 01:07:30.000000000 +0000 @@ -0,0 +1,31 @@ +From 954b30568a5e18d5b99b13d9157ae0e902b4bf7b Mon Sep 17 00:00:00 2001 +From: Maria Matejka +Date: Thu, 19 Mar 2026 12:01:15 +0100 +Subject: Log: Set a reasonable lower bound for the log file size limit + +The log rotation needs a minimal file size. The 16 kB limit imposed +by this commit effectively allows about 150 lines to fit into one file, +and by that all the accompanying log messages (e.g. with debug latency) +fit into there and don't cause another rotation. + +Issue: #370 + +diff --git a/sysdep/unix/config.Y b/sysdep/unix/config.Y +index f4e70d198..be85848de 100644 +--- a/sysdep/unix/config.Y ++++ b/sysdep/unix/config.Y +@@ -48,7 +48,13 @@ syslog_name: + + log_limit: + /* empty */ +- | expr text { this_log->limit = $1; this_log->backup = $2; } ++ | expr text { ++ if ($1 < 16384) ++ cf_error("Log file size limit too low, must be at least 16384."); ++ ++ this_log->limit = $1; ++ this_log->backup = $2; ++ } + ; + + log_file: diff -Nru bird2-2.17.1/debian/patches/series bird2-2.17.1/debian/patches/series --- bird2-2.17.1/debian/patches/series 2025-12-17 23:21:35.000000000 +0000 +++ bird2-2.17.1/debian/patches/series 2026-04-07 01:07:30.000000000 +0000 @@ -2,3 +2,16 @@ backport-02-067f361d backport-03-f8770e81 backport-04-c4d54c21 +backport-05-1867ffa +backport-06-9c7d028 +backport-07-cad5353 +backport-08-b143f6e +backport-09-f7eb6f1 +backport-10-87a77ae +backport-11-3c83997 +backport-12-de64c80 +backport-13-b4e228d +backport-14-4be9672 +backport-15-650e2fa +backport-16-3beb709 +backport-17-954b305