
[SECURITY] [DLA 2571-1] openvswitch security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2571-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
February 19, 2021                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : openvswitch
Version        : 2.6.10-0+deb9u1
CVE ID         : CVE-2015-8011 CVE-2017-9214 CVE-2018-17204 CVE-2018-17206
                 CVE-2020-27827 CVE-2020-35498


Several issues have been found in openvswitch, a production quality, multilayer, software-based, Ethernet virtual switch.

CVE-2020-35498

    Denial of service attacks, in which crafted network packets
    could cause the packet lookup to ignore network header fields
    from layers 3 and 4. The crafted network packet is an ordinary
    IPv4 or IPv6 packet with Ethernet padding length above 255 bytes.
    This causes the packet sanity check to abort parsing header
    fields after layer 2.
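The advisory text above describes the failure mode as a parser that stops after layer 2 once the Ethernet padding exceeds 255 bytes. The following is an added example, not Open vSwitch code, showing header extraction written so that padding size cannot influence the outcome: the end of the IP datagram is taken from the IP header's own length field (IPv4 Total Length, IPv6 Payload Length), anything after it is counted as padding and skipped, and the layer 3 and layer 4 fields are recovered regardless. The frame builders, addresses and ports are constructed sample data; IPv6 extension headers are not walked (an assumption stated in the code).

```python
"""Ethernet -> IPv4/IPv6 -> UDP/TCP field extraction that is insensitive to
trailing Ethernet padding (added example, not Open vSwitch code)."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def parse_frame(frame: bytes) -> dict:
    """Return L2/L3/L4 fields of an Ethernet II frame.

    The L3 datagram boundary comes from the IP header's length field, so
    trailing padding of any size is counted and skipped; it never stops the
    L3/L4 parse. Assumption: for IPv6, TCP/UDP directly follows the fixed
    40-byte header (extension headers are not walked).
    """
    if len(frame) < 14:
        raise ValueError("short Ethernet header")
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    fields = {"eth_dst": dst.hex(":"), "eth_src": src.hex(":"), "ethertype": ethertype}
    l3 = frame[14:]

    if ethertype == ETHERTYPE_IPV4:
        if len(l3) < 20:
            raise ValueError("short IPv4 header")
        ver_ihl, _, total_len, _, _, _, proto, _, sip, dip = struct.unpack_from(
            "!BBHHHBBH4s4s", l3, 0)
        hdr_len = (ver_ihl & 0x0F) * 4
        if ver_ihl >> 4 != 4 or hdr_len < 20 or total_len < hdr_len:
            raise ValueError("malformed IPv4 header")
        fields["ip_src"] = socket.inet_ntop(socket.AF_INET, sip)
        fields["ip_dst"] = socket.inet_ntop(socket.AF_INET, dip)
    elif ethertype == ETHERTYPE_IPV6:
        if len(l3) < 40:
            raise ValueError("short IPv6 header")
        ver_tc_flow, payload_len, proto, _, sip, dip = struct.unpack_from(
            "!IHBB16s16s", l3, 0)
        if ver_tc_flow >> 28 != 6:
            raise ValueError("malformed IPv6 header")
        hdr_len, total_len = 40, 40 + payload_len
        fields["ip_src"] = socket.inet_ntop(socket.AF_INET6, sip)
        fields["ip_dst"] = socket.inet_ntop(socket.AF_INET6, dip)
    else:
        return fields  # non-IP frame: nothing further to extract

    if total_len > len(l3):
        raise ValueError("IP length field exceeds captured bytes")
    # Bytes beyond the IP datagram are Ethernet padding. The count is kept in
    # a plain int (no fixed-width counter) and is otherwise ignored.
    fields["ip_proto"] = proto
    fields["eth_padding"] = len(l3) - total_len

    l4 = l3[hdr_len:total_len]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(l4) < 4:
            raise ValueError("short transport header")
        fields["l4_src_port"], fields["l4_dst_port"] = struct.unpack_from("!HH", l4, 0)
    return fields


def _eth_header(ethertype: int) -> bytes:
    # Constructed sample MAC addresses.
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype)


def _udp(payload: bytes) -> bytes:
    # Constructed sample UDP header; checksum left at 0 (not verified here).
    return struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload


def build_ipv4_udp_frame(padding_len: int, payload: bytes = b"ABCDEFGH") -> bytes:
    """Constructed Ethernet/IPv4/UDP frame followed by padding_len zero bytes."""
    udp = _udp(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, IPPROTO_UDP, 0,
                     socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    return _eth_header(ETHERTYPE_IPV4) + ip + udp + bytes(padding_len)


def build_ipv6_udp_frame(padding_len: int, payload: bytes = b"ABCDEFGH") -> bytes:
    """Constructed Ethernet/IPv6/UDP frame followed by padding_len zero bytes."""
    udp = _udp(payload)
    ip = struct.pack("!IHBB16s16s", 6 << 28, len(udp), IPPROTO_UDP, 64,
                     socket.inet_pton(socket.AF_INET6, "2001:db8::1"),
                     socket.inet_pton(socket.AF_INET6, "2001:db8::2"))
    return _eth_header(ETHERTYPE_IPV6) + ip + udp + bytes(padding_len)


if __name__ == "__main__":
    for pad in (0, 46, 300, 1000):
        f = parse_frame(build_ipv4_udp_frame(pad))
        print(pad, f["ip_src"], "->", f["ip_dst"], "dport", f["l4_dst_port"], "padding", f["eth_padding"])
```

Running the script shows the same source address, destination address and destination port for every padding length, including the values above 255 the advisory mentions; the only field that changes is `eth_padding`.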

CVE-2020-27827

    Denial of service attacks using crafted LLDP packets.

CVE-2018-17206

    Buffer over-read issue during BUNDLE action decoding.

CVE-2018-17204

    Assertion failure due to not validating information (group type
    and command) in the OF1.5 decoder.

CVE-2017-9214

    Buffer over-read that is caused by an unsigned integer underflow.

CVE-2015-8011

    Buffer overflow in the lldp_decode function in
    daemon/protocols/lldp.c in lldpd before 0.8.0 allows remote
    attackers to cause a denial of service (daemon crash) and
    possibly execute arbitrary code via vectors involving large
    management addresses and TLV boundaries.
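The CVE-2015-8011 entry describes the defect as the interaction of a large management address with TLV boundaries. As an added example, not lldpd or Open vSwitch code, the following LLDPDU walker follows the TLV layout of IEEE 802.1AB and checks every length field (the 9-bit TLV length in the header and the nested management address string length and OID length inside the Management Address TLV) against the enclosing buffer before reading, so an inconsistent inner length yields a `ValueError` instead of an out-of-bounds read. The sample LLDPDU and the length override used to produce a malformed one are constructed test data.

```python
"""Bounds-checked LLDP TLV parsing (added example, not lldpd or Open vSwitch code)."""
import struct

LLDP_TLV_END = 0
LLDP_TLV_CHASSIS_ID = 1
LLDP_TLV_PORT_ID = 2
LLDP_TLV_TTL = 3
LLDP_TLV_MGMT_ADDR = 8


def parse_lldp_tlvs(data: bytes) -> list:
    """Walk an LLDPDU and return (type, value) tuples up to the End TLV.

    The TLV header is 2 bytes: 7-bit type, 9-bit length. Each length is
    validated against the remaining buffer before the value is sliced.
    """
    tlvs, off = [], 0
    while True:
        if off + 2 > len(data):
            raise ValueError("truncated TLV header at offset %d" % off)
        hdr = struct.unpack_from("!H", data, off)[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + tlen > len(data):
            raise ValueError("TLV type %d length %d exceeds PDU" % (ttype, tlen))
        value = data[off:off + tlen]
        off += tlen
        if ttype == LLDP_TLV_END:
            if tlen != 0:
                raise ValueError("End TLV must have length 0")
            return tlvs
        if ttype == LLDP_TLV_MGMT_ADDR:
            value = parse_mgmt_addr(value)
        tlvs.append((ttype, value))


def parse_mgmt_addr(value: bytes) -> dict:
    """Decode a Management Address TLV value, checking nested lengths.

    Layout (802.1AB): address string length (1, covers subtype + address),
    address subtype (1), address (N), interface numbering subtype (1),
    interface number (4), OID string length (1), OID (M).
    """
    if len(value) < 1:
        raise ValueError("empty Management Address TLV")
    addr_str_len = value[0]
    # subtype + address must fit, followed by the 6 fixed bytes.
    if addr_str_len < 2 or 1 + addr_str_len + 6 > len(value):
        raise ValueError("management address length %d does not fit in TLV of %d bytes"
                         % (addr_str_len, len(value)))
    subtype = value[1]
    addr = value[2:1 + addr_str_len]
    p = 1 + addr_str_len
    if_subtype = value[p]
    if_number = struct.unpack_from("!I", value, p + 1)[0]
    oid_len = value[p + 5]
    p += 6
    if p + oid_len > len(value):
        raise ValueError("OID length %d exceeds TLV" % oid_len)
    return {"addr_subtype": subtype, "addr": addr, "if_subtype": if_subtype,
            "if_number": if_number, "oid": value[p:p + oid_len]}


def is_well_formed(data: bytes) -> bool:
    """True if the LLDPDU parses without any length inconsistency."""
    try:
        parse_lldp_tlvs(data)
        return True
    except ValueError:
        return False


def tlv(ttype: int, value: bytes) -> bytes:
    """Encode one TLV; the 9-bit length field caps values at 511 bytes."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (ttype << 9) | len(value)) + value


def build_sample_lldpdu(mgmt_len_override: int = None) -> bytes:
    """Constructed LLDPDU. If mgmt_len_override is given, it overwrites the
    management address string length byte to simulate an inconsistent inner length."""
    mgmt_addr = bytes([10, 0, 0, 1])  # constructed IPv4 management address
    mgmt = (bytes([1 + len(mgmt_addr), 1]) + mgmt_addr    # length, subtype 1 = IPv4, address
            + bytes([2]) + struct.pack("!I", 3)           # ifIndex subtype, interface number
            + bytes([0]))                                 # OID length 0
    if mgmt_len_override is not None:
        mgmt = bytes([mgmt_len_override]) + mgmt[1:]
    return (tlv(LLDP_TLV_CHASSIS_ID, bytes([4]) + bytes.fromhex("001122334455"))
            + tlv(LLDP_TLV_PORT_ID, bytes([5]) + b"eth0")
            + tlv(LLDP_TLV_TTL, struct.pack("!H", 120))
            + tlv(LLDP_TLV_MGMT_ADDR, mgmt)
            + tlv(LLDP_TLV_END, b""))


if __name__ == "__main__":
    print("well-formed:", is_well_formed(build_sample_lldpdu()))
    print("oversized address length:", is_well_formed(build_sample_lldpdu(mgmt_len_override=200)))
```

The check that matters for this entry is the one in `parse_mgmt_addr`: the inner address string length is compared with the TLV's own length before a single address byte is touched, so a value claiming an address longer than its TLV is rejected rather than read past the boundary.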


For Debian 9 stretch, these problems have been fixed in version
2.6.10-0+deb9u1. This version is a new upstream point release.

We recommend that you upgrade your openvswitch packages.

For the detailed security status of openvswitch please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openvswitch

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

