openvswitch: CVE-2020-35498

Related Vulnerabilities: CVE-2020-35498  

Debian Bug report logs - #982493

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 10 Feb 2021 20:03:01 UTC

Severity: grave

Tags: security, upstream

Found in versions openvswitch/2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u2, openvswitch/2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12, openvswitch/2.15.0~git20210104.def6eb1ea+dfsg1-4, openvswitch/2.10.6+ds1-0+deb10u1

Fixed in version openvswitch/2.15.0~git20210104.def6eb1ea+dfsg1-5

Done: Thomas Goirand <zigo@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#982493; Package src:openvswitch. (Wed, 10 Feb 2021 20:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>. (Wed, 10 Feb 2021 20:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openvswitch: CVE-2020-35498
Date: Wed, 10 Feb 2021 20:59:06 +0100
Source: openvswitch
Version: 2.15.0~git20210104.def6eb1ea+dfsg1-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.10.6+ds1-0+deb10u1
Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u2
Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12

Hi,

The following vulnerability was published for openvswitch.

CVE-2020-35498[0]:
| Packet parsing vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-35498
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35498
[1] https://www.openwall.com/lists/oss-security/2021/02/10/4

Regards,
Salvatore



Marked as found in versions openvswitch/2.10.6+ds1-0+deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 10 Feb 2021 20:03:04 GMT)


Marked as found in versions openvswitch/2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 10 Feb 2021 20:03:04 GMT)


Marked as found in versions openvswitch/2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 10 Feb 2021 20:03:05 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#982493. (Wed, 10 Feb 2021 22:15:04 GMT)


Message #14 received at 982493-submitter@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 982493-submitter@bugs.debian.org
Subject: Bug#982493 marked as pending in openvswitch
Date: Wed, 10 Feb 2021 22:10:28 +0000
Control: tag -1 pending

Hello,

Bug #982493 in openvswitch reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/third-party/openvswitch/-/commit/e1cad68dfe3a3102c84bd59950ea43dad65653e8

------------------------------------------------------------------------
* CVE-2020-35498: Packet parsing vulnerability. Applied upstream patch:
    flow: Support extra padding length.patch (Closes: #982493).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/982493



Added tag(s) pending. Request was from Thomas Goirand <zigo@debian.org> to 982493-submitter@bugs.debian.org. (Wed, 10 Feb 2021 22:15:04 GMT)


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Wed, 10 Feb 2021 22:36:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 10 Feb 2021 22:36:05 GMT)


Message #21 received at 982493-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 982493-close@bugs.debian.org
Subject: Bug#982493: fixed in openvswitch 2.15.0~git20210104.def6eb1ea+dfsg1-5
Date: Wed, 10 Feb 2021 22:33:33 +0000
Source: openvswitch
Source-Version: 2.15.0~git20210104.def6eb1ea+dfsg1-5
Done: Thomas Goirand <zigo@debian.org>

We believe that the bug you reported is fixed in the latest version of
openvswitch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 982493@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated openvswitch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 10 Feb 2021 22:59:35 +0100
Source: openvswitch
Architecture: source
Version: 2.15.0~git20210104.def6eb1ea+dfsg1-5
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 982493
Changes:
 openvswitch (2.15.0~git20210104.def6eb1ea+dfsg1-5) unstable; urgency=high
 .
   * CVE-2020-35498: Packet parsing vulnerability. Applied upstream patch:
     flow: Support extra padding length.patch (Closes: #982493).






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Feb 11 08:02:15 2021; Machine Name: buxtehude
