openvswitch: CVE-2020-27827

Related Vulnerabilities: CVE-2020-27827   CVE-2015-8011  

Debian Bug report logs - #980132
openvswitch: CVE-2020-27827


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 14 Jan 2021 21:42:01 UTC

Severity: grave

Tags: security, upstream

Found in versions openvswitch/2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12, openvswitch/2.15.0~git20210104.def6eb1ea+dfsg1-3, openvswitch/2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u2

Fixed in version openvswitch/2.15.0~git20210104.def6eb1ea+dfsg1-4

Done: Thomas Goirand <zigo@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#980132; Package src:openvswitch. (Thu, 14 Jan 2021 21:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>. (Thu, 14 Jan 2021 21:42:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openvswitch: CVE-2020-27827
Date: Thu, 14 Jan 2021 22:38:17 +0100
Source: openvswitch
Version: 2.15.0~git20210104.def6eb1ea+dfsg1-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u2
Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12

Hi,

The following vulnerability was published for openvswitch.

CVE-2020-27827[0]:
| lldp: avoid memory leak from bad packets

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-27827
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27827
[1] https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000269.html
[2] https://github.com/openvswitch/ovs/commit/78e712c0b1dacc2f12d2a03d98f083d8672867f0

Regards,
Salvatore



Marked as found in versions openvswitch/2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 14 Jan 2021 21:42:03 GMT) (full text, mbox, link).


Marked as found in versions openvswitch/2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 14 Jan 2021 21:42:03 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#980132. (Fri, 15 Jan 2021 07:24:03 GMT) (full text, mbox, link).


Message #12 received at 980132-submitter@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: 980132-submitter@bugs.debian.org
Subject: Bug#980132 marked as pending in openvswitch
Date: Fri, 15 Jan 2021 07:21:35 +0000
Control: tag -1 pending

Hello,

Bug #980132 in openvswitch reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/third-party/openvswitch/-/commit/b2467aed2d37594f4f06a59a6340d1f7fcea7524

------------------------------------------------------------------------
* CVE-2020-27827: denial of service attacks in which crafted LLDP packets
    could cause memory to be lost when allocating data to handle specific
    optional TLVs. Applied upstream patch: lldp: do not leak memory on multiple
    instances of TLVs (Closes: #980132).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/980132
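The TLV leak described in the changelog above, as an added C illustration that is not Open vSwitch's own code and not the upstream patch: a minimal LLDP TLV decoder that, in its vulnerable mode, copies the System Name TLV on every occurrence and so leaks the earlier copy when a frame repeats the TLV, beside the fixed mode that releases the earlier instance before storing the repeat. The struct, function names and the sample frame bytes are constructed for this illustration; the frame omits the mandatory Chassis ID, Port ID and TTL TLVs.

```c
/* Added illustration, not Open vSwitch code: the leak pattern behind
 * CVE-2020-27827. An LLDP frame is a chain of TLVs (7-bit type, 9-bit length,
 * value). An optional string TLV such as System Name (type 5) should appear
 * once; copying it on every occurrence leaks the earlier copy on a repeat. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define TLV_END     0
#define TLV_SYSNAME 5
struct chassis { char *sys_name; };
static int live_allocs = 0;      /* live allocations, so a leak is observable */
static char *dup_value(const uint8_t *p, size_t n) {
    char *s = malloc(n + 1);
    if (s) { memcpy(s, p, n); s[n] = '\0'; live_allocs++; }
    return s;
}
static void release(char **s) { if (*s) { free(*s); *s = NULL; live_allocs--; } }

/* 0 on success, -1 on a malformed frame. 'fixed' nonzero: release the earlier
 * instance before storing a repeat (the fix); zero: overwrite and leak (bug). */
int decode_lldp(const uint8_t *frame, size_t len, struct chassis *ch, int fixed) {
    size_t off = 0;
    while (off + 2 <= len) {
        unsigned hdr = (frame[off] << 8) | frame[off + 1];
        unsigned type = hdr >> 9, tlen = hdr & 0x1ff;
        off += 2;
        if (off + tlen > len) return -1;        /* truncated TLV */
        if (type == TLV_END) return 0;
        if (type == TLV_SYSNAME) {
            if (fixed) release(&ch->sys_name); /* the fix: drop the old copy */
            ch->sys_name = dup_value(frame + off, tlen);
        }
        off += tlen;
    }
    return -1;                                  /* no End-of-LLDPDU TLV */
}

/* Decode, tear down the result, report allocations still live (0 = no leak). */
int leaked_after_decode(const uint8_t *frame, size_t len, int fixed) {
    struct chassis ch = { NULL };
    live_allocs = 0;
    decode_lldp(frame, len, &ch, fixed);
    release(&ch.sys_name);
    return live_allocs;
}
/* Constructed sample (mandatory Chassis ID, Port ID and TTL TLVs omitted):
 * System Name TLV twice, then End TLV. */
const uint8_t dup_frame[] = { 0x0a, 0x03, 'a', 'b', 'c',   /* type 5, len 3 */
                              0x0a, 0x02, 'x', 'y',        /* type 5, len 2 */
                              0x00, 0x00 };                /* End of LLDPDU */
const size_t dup_frame_len = sizeof dup_frame;
```

Running the constructed frame through both modes shows one allocation outliving the vulnerable decode and none outliving the fixed one, which is the property a regression test for the Buster backport would check.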



Added tag(s) pending. Request was from Thomas Goirand <zigo@debian.org> to 980132-submitter@bugs.debian.org. (Fri, 15 Jan 2021 07:24:03 GMT) (full text, mbox, link).


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Fri, 15 Jan 2021 07:36:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 15 Jan 2021 07:36:03 GMT) (full text, mbox, link).


Message #19 received at 980132-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 980132-close@bugs.debian.org
Subject: Bug#980132: fixed in openvswitch 2.15.0~git20210104.def6eb1ea+dfsg1-4
Date: Fri, 15 Jan 2021 07:33:35 +0000
Source: openvswitch
Source-Version: 2.15.0~git20210104.def6eb1ea+dfsg1-4
Done: Thomas Goirand <zigo@debian.org>

We believe that the bug you reported is fixed in the latest version of
openvswitch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 980132@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated openvswitch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 15 Jan 2021 08:10:49 +0100
Source: openvswitch
Architecture: source
Version: 2.15.0~git20210104.def6eb1ea+dfsg1-4
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 980132
Changes:
 openvswitch (2.15.0~git20210104.def6eb1ea+dfsg1-4) unstable; urgency=high
 .
   * CVE-2020-27827: denial of service attacks in which crafted LLDP packets
     could cause memory to be lost when allocating data to handle specific
     optional TLVs. Applied upstream patch: lldp: do not leak memory on multiple
     instances of TLVs (Closes: #980132).




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#980132; Package src:openvswitch. (Fri, 15 Jan 2021 08:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenStack <team+openstack@tracker.debian.org>. (Fri, 15 Jan 2021 08:33:04 GMT) (full text, mbox, link).


Message #24 received at 980132@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 980132@bugs.debian.org, security@debian.org
Subject: Re: Bug#980132: openvswitch: CVE-2020-27827
Date: Fri, 15 Jan 2021 09:29:47 +0100
On 1/14/21 10:38 PM, Salvatore Bonaccorso wrote:
> Source: openvswitch
> Version: 2.15.0~git20210104.def6eb1ea+dfsg1-3
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u2
> Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12
> 
> Hi,
> 
> The following vulnerability was published for openvswitch.
> 
> CVE-2020-27827[0]:
> | lldp: avoid memory leak from bad packets
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2020-27827
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27827
> [1] https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000269.html
> [2] https://github.com/openvswitch/ovs/commit/78e712c0b1dacc2f12d2a03d98f083d8672867f0
> 
> Regards,
> Salvatore

Hi Salvatore,

Thanks for the bug report.

Please find, attached, the debdiff to fix the CVE in Buster. Note that
Unstable/Sid has already been patched.

Please allow me to upload this to buster-security.

Cheers,

Thomas Goirand (zigo)
[openvswitch_2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u3.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#980132; Package src:openvswitch. (Fri, 15 Jan 2021 13:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenStack <team+openstack@tracker.debian.org>. (Fri, 15 Jan 2021 13:03:04 GMT) (full text, mbox, link).


Message #29 received at 980132@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thomas Goirand <zigo@debian.org>
Cc: 980132@bugs.debian.org, security@debian.org
Subject: Re: Bug#980132: openvswitch: CVE-2020-27827
Date: Fri, 15 Jan 2021 13:59:16 +0100
Hi Thomas,

On Fri, Jan 15, 2021 at 09:29:47AM +0100, Thomas Goirand wrote:
> On 1/14/21 10:38 PM, Salvatore Bonaccorso wrote:
> > Source: openvswitch
> > Version: 2.15.0~git20210104.def6eb1ea+dfsg1-3
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> > Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u2
> > Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12
> > 
> > Hi,
> > 
> > The following vulnerability was published for openvswitch.
> > 
> > CVE-2020-27827[0]:
> > | lldp: avoid memory leak from bad packets
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2020-27827
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27827
> > [1] https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000269.html
> > [2] https://github.com/openvswitch/ovs/commit/78e712c0b1dacc2f12d2a03d98f083d8672867f0
> > 
> > Regards,
> > Salvatore
> 
> Hi Salvatore,
> 
> Thanks for the bug report.
> 
> Please find, attached, the debdiff to fix the CVE in Buster. Note that
> Unstable/Sid has already been patched.
> 
> Please allow me to upload this to buster-security.

Thanks, this is probably fine for a DSA.

*but* please respin the package and include the fix for CVE-2015-8011
as well, this is fixed in unstable already.

For details and upstream commit see:
https://security-tracker.debian.org/tracker/CVE-2015-8011

(while at it, please set urgency=high for consistency).

Can you repost a debdiff with the CVE-2015-8011 fix as well?

Can you test the package in production?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#980132; Package src:openvswitch. (Fri, 15 Jan 2021 20:24:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenStack <team+openstack@tracker.debian.org>. (Fri, 15 Jan 2021 20:24:02 GMT) (full text, mbox, link).


Message #34 received at 980132@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thomas Goirand <zigo@debian.org>
Cc: 980132@bugs.debian.org, security@debian.org
Subject: Re: Bug#980132: openvswitch: CVE-2020-27827
Date: Fri, 15 Jan 2021 21:22:13 +0100
Hi Thomas,

On Fri, Jan 15, 2021 at 01:59:18PM +0100, Salvatore Bonaccorso wrote:
> Hi Thomas,
> 
> On Fri, Jan 15, 2021 at 09:29:47AM +0100, Thomas Goirand wrote:
> > On 1/14/21 10:38 PM, Salvatore Bonaccorso wrote:
> > > Source: openvswitch
> > > Version: 2.15.0~git20210104.def6eb1ea+dfsg1-3
> > > Severity: grave
> > > Tags: security upstream
> > > Justification: user security hole
> > > X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> > > Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u2
> > > Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12
> > > 
> > > Hi,
> > > 
> > > The following vulnerability was published for openvswitch.
> > > 
> > > CVE-2020-27827[0]:
> > > | lldp: avoid memory leak from bad packets
> > > 
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > 
> > > For further information see:
> > > 
> > > [0] https://security-tracker.debian.org/tracker/CVE-2020-27827
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27827
> > > [1] https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000269.html
> > > [2] https://github.com/openvswitch/ovs/commit/78e712c0b1dacc2f12d2a03d98f083d8672867f0
> > > 
> > > Regards,
> > > Salvatore
> > 
> > Hi Salvatore,
> > 
> > Thanks for the bug report.
> > 
> > Please find, attached, the debdiff to fix the CVE in Buster. Note that
> > Unstable/Sid has already been patched.
> > 
> > Please allow me to upload this to buster-security.
> 
> Thanks, this is probably fine for a DSA.
> 
> *but* please respin the package and include the fix for CVE-2015-8011
> as well, this is fixed in unstable already.
> 
> For details and upstream commit see:
> https://security-tracker.debian.org/tracker/CVE-2015-8011
> 
> (while at it, please set urgency=high for consistency).
> 
> Can you repost a debdiff with the CVE-2015-8011 fix as well?
> 
> Can you test the package in production?

Actually, about the DSA need for both issues, I would like to clarify
one aspect first:

https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000268.html

We have found that Open vSwitch is subject to a remote code execution
exploit when LLDP processing is enabled on an interface.  By default,
interfaces are not configured to process LLDP messages.

(which probably reduces to denial of service with source
fortification)

https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000269.html

We have found that Open vSwitch is subject to a denial of service
exploit when LLDP processing is enabled on an interface.  By default,
interfaces are not configured to process LLDP messages.

What is your take here on the use of the LLDP processing being
enabled?

Regards,
Salvatore




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jan 25 08:10:57 2021; Machine Name: bembo
