[ovs-dev] Bug#863662: openvswitch: CVE-2017-9265
Moritz Muehlenhoff
jmm at debian.org
Thu Jul 6 20:49:30 UTC 2017
On Mon, May 29, 2017 at 10:16:50PM +0200, Salvatore Bonaccorso wrote:
> Source: openvswitch
> Version: 2.6.2~pre+git20161223-3
> Severity: normal
> Tags: upstream patch security
>
> Hi,
>
> the following vulnerability was published for openvswitch.
>
> CVE-2017-9265[0]:
> | In Open vSwitch (OvS) v2.7.0, there is a buffer over-read while parsing
> | the group mod OpenFlow message sent from the controller in
> | `lib/ofp-util.c` in the function `ofputil_pull_ofp15_group_mod`.
>
> this should be only in the OpenFlow 1.5+ support, not sure the message
> mentions this is not enabled by default. Affected source it as least
> there.
Maintainers, can you please clarify what
| This bug is part of OpenFlow 1.5 support. Open vSwitch does not enable
| OpenFlow 1.5 support by default.
entails, is that something that's not compiled-in in the Debian package
or what "does not support" mean exactly?
Cheers,
Moritt
More information about the dev
mailing list