[Secure-testing-team] Bug#863662: openvswitch: CVE-2017-9265
Salvatore Bonaccorso
carnil at debian.org
Mon May 29 20:16:50 UTC 2017
Source: openvswitch
Version: 2.6.2~pre+git20161223-3
Severity: normal
Tags: upstream patch security
Hi,
the following vulnerability was published for openvswitch.
CVE-2017-9265[0]:
| In Open vSwitch (OvS) v2.7.0, there is a buffer over-read while parsing
| the group mod OpenFlow message sent from the controller in
| `lib/ofp-util.c` in the function `ofputil_pull_ofp15_group_mod`.
This should be only in the OpenFlow 1.5+ support, not sure the message
mentions this is not enabled by default. Affected source is at least
there.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-9265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9265
[1] https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332965.html
Regards,
Salvatore