Security Update: Multi-Router Looking Glass (MRLG) version 5.5.0 released

I was contacted by Luca Bruno a couple of months ago regarding the
fastping.c utility that has been included with MRLG for the past 14 years.
It seems that fastping.c is vulnerable to a crafted attack that can cause
remote memory overwrite/corruption.

The fastping.c utility was only used by MRLG in the outside chance that the
"router" in question was Zebra/Quagga. Based on Google results, this is a
very minuscule minority of installations that utilize MRLG.

I was OCONUS with limited connectivity when Luca contacted me, in addition
to being up to my eyeballs dealing with a Southeast Asia network redesign.

Last night, I had some downtime and was able to put together a (superior?)
replacement for fastping.c that utilizes the existing ping utility on the
MRLG host system while emulating the Cisco IOS ping facility.

I have released MRLG 5.5.0 as of Sat Sep 27 03:16:28 UTC 2014. It is a
(nearly) drop-in replacement for all previous versions of MRLG that
addresses the issue that Luca Bruno and Mariano Graziano brought to light
in CVE-2014-3931. See:

The latest MRLG (5.5.0) is available at

I know that the details of this CVE were published at: and

There are likely many other locations at which CVE-2014-3931 is detailed.

I ask that the NANOG community make it known - via whatever channels - that
this vulnerability has been addressed and mitigated and that you please
point folks to for the latest code.

Many thanks!