[Secure-testing-team] Bug#863228: openvswitch: CVE-2017-9214
Salvatore Bonaccorso
carnil at debian.org
Wed May 24 05:46:52 UTC 2017
Package: openvswitch
Version: 2.6.2~pre+git20161223-3
Severity: important
Tags: patch upstream security
Hi
the following vulnerability was published for openvswitch.
CVE-2017-9214[0]:
| In Open vSwitch (OvS) 2.7.0, while parsing an
| OFPT_QUEUE_GET_CONFIG_REPLY type OFP 1.0 message, there is a buffer
| over-read that is caused by an unsigned integer underflow in the
| function `ofputil_pull_queue_get_config_reply10` in `lib/ofp-util.c`.
The code around the ofputil_pull_queue_get_config_reply* functions has
changed quite a bit since the version in stable, so I'm unsure if the
issue is there as well. Needs confirmation since similar checks are
done.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-9214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9214
[1] https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332711.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
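As an added illustration (not Open vSwitch code and not part of the report), the bounds check that prevents this class of unsigned-integer underflow in a length-prefixed parser; the queue and property record layouts are simplified stand-ins assumed here, not the real OvS structs:

```c
/* Added example (not Open vSwitch code): a hardened parser for a simplified
 * OpenFlow 1.0 queue list, showing the bounds check that blocks the
 * unsigned-underflow over-read class described in the report. Layouts are assumed. */
#include <stddef.h>
#include <stdint.h>
#define QUEUE_HDR_LEN 8   /* assumed: queue_id (4) + len (2) + pad (2) */
#define PROP_HDR_LEN  8   /* assumed: type (2) + len (2) + pad (4) */

static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* A length field must cover its own header and fit in what is left of the
 * enclosing buffer. Computing `len - hdr_len` without the first test is the
 * vulnerable pattern: for len < hdr_len the unsigned subtraction wraps to a
 * huge value and the loop keeps reading far past the end of the buffer. */
static int length_ok(size_t len, size_t hdr_len, size_t remaining)
{
    return len >= hdr_len && len <= remaining;
}

/* Parse the properties inside one queue body. Returns the count or -1. */
static int parse_properties(const uint8_t *body, size_t body_len)
{
    size_t pos = 0;
    int count = 0;
    while (pos < body_len) {
        if (body_len - pos < PROP_HDR_LEN) return -1;     /* truncated header */
        size_t len = get_be16(body + pos + 2);
        if (!length_ok(len, PROP_HDR_LEN, body_len - pos)) return -1;
        pos += len;
        count++;
    }
    return count;
}

/* Parse consecutive queue records in buf[0..buf_len).
 * Returns the number of queues, or -1 if any length field is malformed. */
int parse_queue_list(const uint8_t *buf, size_t buf_len)
{
    size_t pos = 0;
    int count = 0;
    while (pos < buf_len) {
        if (buf_len - pos < QUEUE_HDR_LEN) return -1;     /* truncated header */
        size_t len = get_be16(buf + pos + 4);
        if (!length_ok(len, QUEUE_HDR_LEN, buf_len - pos)) return -1;
        if (parse_properties(buf + pos + QUEUE_HDR_LEN, len - QUEUE_HDR_LEN) < 0)
            return -1;
        pos += len;
        count++;
    }
    return count;
}
```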