Debian Bug report logs -
#863661
openvswitch: CVE-2017-9264
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 29 May 2017 20:15:54 UTC
Severity: normal
Tags: patch, security, upstream
Found in version openvswitch/2.6.2~pre+git20161223-3
Fixed in version openvswitch/2.8.1+dfsg1-1
Done: Thomas Goirand <zigo@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Open vSwitch developers <dev@openvswitch.org>:
Bug#863661; Package src:openvswitch.
(Mon, 29 May 2017 20:15:56 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Open vSwitch developers <dev@openvswitch.org>.
(Mon, 29 May 2017 20:15:57 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: openvswitch
Version: 2.6.2~pre+git20161223-3
Severity: important
Tags: patch upstream security
Hi,
the following vulnerability was published for openvswitch.
CVE-2017-9264[0]:
| In lib/conntrack.c in the firewall implementation in Open vSwitch (OvS)
| 2.6.1, there is a buffer over-read while parsing malformed TCP, UDP,
| and IPv6 packets in the functions `extract_l3_ipv6`, `extract_l4_tcp`,
| and `extract_l4_udp` that can be triggered remotely.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-9264
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9264
[1] https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329323.html
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Open vSwitch developers <dev@openvswitch.org>:
Bug#863661; Package src:openvswitch.
(Mon, 29 May 2017 23:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Ben Pfaff <blp@ovn.org>:
Extra info received and forwarded to list. Copy sent to Open vSwitch developers <dev@openvswitch.org>.
(Mon, 29 May 2017 23:39:03 GMT) (full text, mbox, link).
Message #10 received at 863661@bugs.debian.org (full text, mbox, reply):
severity 863661 normal
thanks
On Mon, May 29, 2017 at 10:14:49PM +0200, Salvatore Bonaccorso wrote:
> Source: openvswitch
> Version: 2.6.2~pre+git20161223-3
> Severity: important
> Tags: patch upstream security
>
> Hi,
>
> the following vulnerability was published for openvswitch.
>
> CVE-2017-9264[0]:
> | In lib/conntrack.c in the firewall implementation in Open vSwitch (OvS)
> | 2.6.1, there is a buffer over-read while parsing malformed TCP, UDP,
> | and IPv6 packets in the functions `extract_l3_ipv6`, `extract_l4_tcp`,
> | and `extract_l4_udp` that can be triggered remotely.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
This only affects the userspace datapath, most often used in the context
of DPDK, which isn't enabled in the Debian packaging. In addition, the
fact that it's a buffer overread (which makes it difficult to use to
crash OVS or change its behavior) and the fact that end-to-end TCP
checksum verification would catch it leads me to believe that this is
only "normal" severity, so I'm updating it (with this email).
Thanks,
Ben.
Severity set to 'normal' from 'important'
Request was from Ben Pfaff <blp@ovn.org>
to control@bugs.debian.org.
(Mon, 29 May 2017 23:39:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Open vSwitch developers <dev@openvswitch.org>:
Bug#863661; Package src:openvswitch.
(Tue, 30 May 2017 04:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Open vSwitch developers <dev@openvswitch.org>.
(Tue, 30 May 2017 04:27:04 GMT) (full text, mbox, link).
Message #17 received at 863661@bugs.debian.org (full text, mbox, reply):
Hi
On Mon, May 29, 2017 at 04:35:30PM -0700, Ben Pfaff wrote:
> severity 863661 normal
> thanks
>
> On Mon, May 29, 2017 at 10:14:49PM +0200, Salvatore Bonaccorso wrote:
> > Source: openvswitch
> > Version: 2.6.2~pre+git20161223-3
> > Severity: important
> > Tags: patch upstream security
> >
> > Hi,
> >
> > the following vulnerability was published for openvswitch.
> >
> > CVE-2017-9264[0]:
> > | In lib/conntrack.c in the firewall implementation in Open vSwitch (OvS)
> > | 2.6.1, there is a buffer over-read while parsing malformed TCP, UDP,
> > | and IPv6 packets in the functions `extract_l3_ipv6`, `extract_l4_tcp`,
> > | and `extract_l4_udp` that can be triggered remotely.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> This only affects the userspace datapath, most often used in the context
> of DPDK, which isn't enabled in the Debian packaging. In addition, the
> fact that it's a buffer overread (which makes it difficult to use to
> crash OVS or change its behavior) and the fact that end-to-end TCP
> checksum verification would catch it leads me to believe that this is
> only "normal" severity, so I'm updating it (with this email).
Thanks for the analysis.
In this case I think normal is ok.
Regards,
Salvatore
Reply sent
to Thomas Goirand <zigo@debian.org>:
You have taken responsibility.
(Thu, 26 Oct 2017 09:03:22 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Thu, 26 Oct 2017 09:03:22 GMT) (full text, mbox, link).
Message #22 received at 863661-close@bugs.debian.org (full text, mbox, reply):
Source: openvswitch
Source-Version: 2.8.1+dfsg1-1
We believe that the bug you reported is fixed in the latest version of
openvswitch, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 863661@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated openvswitch package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 20 Oct 2017 22:06:41 +0200
Source: openvswitch
Binary: openvswitch-common openvswitch-dbg openvswitch-dev openvswitch-ipsec openvswitch-pki openvswitch-switch openvswitch-testcontroller openvswitch-vtep ovn-central ovn-controller-vtep ovn-host python-openvswitch python3-openvswitch
Architecture: source amd64 all
Version: 2.8.1+dfsg1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
openvswitch-common - Open vSwitch common components
openvswitch-dbg - Debug symbols for Open vSwitch packages
openvswitch-dev - Open vSwitch development package
openvswitch-ipsec - Open vSwitch GRE-over-IPsec support
openvswitch-pki - Open vSwitch public key infrastructure dependency package
openvswitch-switch - Open vSwitch switch implementations
openvswitch-testcontroller - Simple controller for testing OpenFlow setups
openvswitch-vtep - Open vSwitch VTEP utilities
ovn-central - OVN central components
ovn-controller-vtep - OVN vtep controller
ovn-host - OVN host components
python-openvswitch - Python bindings for Open vSwitch
python3-openvswitch - Python 3 bindings for Open vSwitch
Closes: 771507 863228 863655 863661 863662 877543 878249 878757
Changes:
openvswitch (2.8.1+dfsg1-1) experimental; urgency=medium
.
* New upstream release (Closes: #878249):
- Fixes CVE-2017-9214 (Closes: #863228).
- Fixes CVE-2017-14970 (Closes: #877543).
- Fixes CVE-2017-9263 (Closes: #863655).
- Fixes CVE-2017-9264 (Closes: #863661).
- Fixes CVE-2017-9265 (Closes: #863662).
* Ran wrap-and-sort -bast.
* Add libopenvswitch and libopenvswitch-dev.
* Updated VCS URLs.
* Switched to debhelper 10.
* Added openstack-pkg-tools as build-depends.
* Standards-Version is now 4.1.1.
* Added dh-python as build-depends.
* Added 2 debian/*.service files (Closes: #878757, #771507).
* Added Python 3 support.
* Added debian/README.source explaining why we're marking the version as
+dfsg1 (ie: because we remove the upstream debian folder).
* Removed patches.
* Patch upstream Makefile.am to not include debian/automake.mk.
* Remove openvswitch-test package.
* Simplify packaging by installing all binaries in openvswitch-common.
* Removed build-depends on dh-autoreconf, satisfied by debhelper >= 10.
* Fixed build-depends on automake.
* Fixed runtime depends on openvswitch-common in openvswitch-pki.
* Removed openvswitch-test package, now provided by openvswitch-common.
* Switch debian/copyright to parsable format.
* Add export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow in debian/rules.
* Removed ovn-docker package, now provided by openvswitch-common.
* Manually correctly installs ovs-vsctl-bashcomp.bash.
* Add myself as uploader.
* Added a watch file.
* Init scripts now sourcing LSB functions.
* Change priority from extra to optional, as per policy 4.0.1.
* Remove ovn-common package, now provided by openvswitch-common.
* Change Maintainer: to be Debian OpenStack.
Checksums-Sha1:
40bbe7f1fac09641d9bc1e00b3dc1601fb41ca63 3237 openvswitch_2.8.1+dfsg1-1.dsc
ddbee020007e4a1317a50717242bbb697481d9aa 3526228 openvswitch_2.8.1+dfsg1.orig.tar.xz
d10b014529d91dca3dc1e522d01960268c03fc36 46356 openvswitch_2.8.1+dfsg1-1.debian.tar.xz
3d961ffc2c5dc2626aaf87974d96c48c6df4fe2c 1606732 openvswitch-common_2.8.1+dfsg1-1_amd64.deb
d0f3f39f2a0953cf4057e76ece54b77bea6cbf45 5282008 openvswitch-dbg_2.8.1+dfsg1-1_amd64.deb
d7059580ec57f38323a08b272eb1d919ffb26ca0 1487180 openvswitch-dev_2.8.1+dfsg1-1_amd64.deb
8222ba18fc5bd0990bcb7320f377a6b4f2968bfa 40252 openvswitch-ipsec_2.8.1+dfsg1-1_amd64.deb
c3168c74c33562ccd30a965c0208fbbf4d117803 33760 openvswitch-pki_2.8.1+dfsg1-1_all.deb
08309b10a6a460d5b5a6e06561b76702f8c7b586 56124 openvswitch-switch_2.8.1+dfsg1-1_amd64.deb
03146c62cb51d82b49ffdb4a0cfced1495505252 37104 openvswitch-testcontroller_2.8.1+dfsg1-1_amd64.deb
8b9b96d2e6b475f98d1893a815e7695db6c684b4 41836 openvswitch-vtep_2.8.1+dfsg1-1_amd64.deb
8e90a31d41c07d115480035b684c0ca8f2e1205d 14395 openvswitch_2.8.1+dfsg1-1_amd64.buildinfo
435d2d2072ca942e15744e17b2cccdce5fe38980 37016 ovn-central_2.8.1+dfsg1-1_amd64.deb
f2fe46ab59e0ef825524fc2bb3fa866f3a409e92 33872 ovn-controller-vtep_2.8.1+dfsg1-1_amd64.deb
f7f854c7b52551449f05565863f8d898784d72e8 34764 ovn-host_2.8.1+dfsg1-1_amd64.deb
f371d2e4c58b8b870b24228f94856bad1b9fe8c8 103268 python-openvswitch_2.8.1+dfsg1-1_all.deb
97907bb5989e532192b04be3b956a457dbacca35 94340 python3-openvswitch_2.8.1+dfsg1-1_all.deb
Checksums-Sha256:
9160a286e6c0f4d3f150673ff4dc297927f523401e503ddb5ac5669c46d4f87f 3237 openvswitch_2.8.1+dfsg1-1.dsc
e8e61f417bdaf160abebd0a0713e610a8faf5f464ac4547c59fa796e8c48b7d2 3526228 openvswitch_2.8.1+dfsg1.orig.tar.xz
d55b3b03d7012e5aba2b4430c4f27ee583fd996f48a7d93972ec24575f50a69f 46356 openvswitch_2.8.1+dfsg1-1.debian.tar.xz
b0f5e5080c41b4aeec83e3992e08d9114da7e0f78092b33c257a8297dd990466 1606732 openvswitch-common_2.8.1+dfsg1-1_amd64.deb
47e8302d67dd71679c0587827995a1330438881d8260a059e07de97f49aa2193 5282008 openvswitch-dbg_2.8.1+dfsg1-1_amd64.deb
43a50f59c576d03da04c6a5654cff415d6d64466d2b53dce55cc3c5df04cd6b2 1487180 openvswitch-dev_2.8.1+dfsg1-1_amd64.deb
491e9635c977a77d183dbca7d8d2b035f7fe62446204874f308db9cf8b52e121 40252 openvswitch-ipsec_2.8.1+dfsg1-1_amd64.deb
d7f185128d3391e9bf5ab6709fe54d243cda2fd8102b6ee462c6f96d3cb30de4 33760 openvswitch-pki_2.8.1+dfsg1-1_all.deb
4d386ac4148328af59054587aa1c889198b5e1ae6b98549eb56bc8c4df04bc7f 56124 openvswitch-switch_2.8.1+dfsg1-1_amd64.deb
1d3eb2c546a2e62fe58d01c7e442b9a06d8974802760e60b9c54cc6822e024ff 37104 openvswitch-testcontroller_2.8.1+dfsg1-1_amd64.deb
707db91308ccb3617e7f05758ac6a6c802f952ba2c9b6577b598537eb17eaa62 41836 openvswitch-vtep_2.8.1+dfsg1-1_amd64.deb
70cf8d3701986910f3efca3ccfebad72335d64fea15758558a05e27326a3d66d 14395 openvswitch_2.8.1+dfsg1-1_amd64.buildinfo
8cd17842bea2e6aedcd14abefcced178d9db3abca1f66ed5becaec7b4e0e323d 37016 ovn-central_2.8.1+dfsg1-1_amd64.deb
8c81c7abf7670c29eb82b6f5220e1aaac800dd75b86f9260ae966908579cd00f 33872 ovn-controller-vtep_2.8.1+dfsg1-1_amd64.deb
ed3e990cf8addb18a6f5d803f085f28123b3b80affe0bf98814b5233b4044d06 34764 ovn-host_2.8.1+dfsg1-1_amd64.deb
111d9991470ef85a0bcdf36a5b88748e22070f9d2a54fd86151028a93bfc9069 103268 python-openvswitch_2.8.1+dfsg1-1_all.deb
cd22487fc5dc92f51427cfb812cf8d9872eaae44ebafab8b63ccf4e77c86e62a 94340 python3-openvswitch_2.8.1+dfsg1-1_all.deb
Files:
0f6d8e9265b63963f09933cd3165ae51 3237 net optional openvswitch_2.8.1+dfsg1-1.dsc
07d3648a888f410e1d2d8b433394d41d 3526228 net optional openvswitch_2.8.1+dfsg1.orig.tar.xz
860062cb5c67cf269fe84da1c01cced1 46356 net optional openvswitch_2.8.1+dfsg1-1.debian.tar.xz
043e1daa97ff7d61bf5937ddc75f7b0d 1606732 net optional openvswitch-common_2.8.1+dfsg1-1_amd64.deb
ddfeedd2cc6e9e19420835f3c2a37f1a 5282008 debug optional openvswitch-dbg_2.8.1+dfsg1-1_amd64.deb
2b6edd7f9137bcae0d003e4acf9c1f8d 1487180 net optional openvswitch-dev_2.8.1+dfsg1-1_amd64.deb
5251139e50f810bcc854d9077938c88e 40252 net optional openvswitch-ipsec_2.8.1+dfsg1-1_amd64.deb
2e611c44a86c6c4197f85ae095316a75 33760 net optional openvswitch-pki_2.8.1+dfsg1-1_all.deb
bd02cbd56a52a1565604458a0a822dd7 56124 net optional openvswitch-switch_2.8.1+dfsg1-1_amd64.deb
2cda0aeeeddf79bc004ee2469ef6f7a5 37104 net optional openvswitch-testcontroller_2.8.1+dfsg1-1_amd64.deb
b9bcaa2a235eb66076c15014c33d03ed 41836 net optional openvswitch-vtep_2.8.1+dfsg1-1_amd64.deb
6e431ce4c417ff571078783cd8159473 14395 net optional openvswitch_2.8.1+dfsg1-1_amd64.buildinfo
378b5b1dd704e51ebace74c6873319de 37016 net optional ovn-central_2.8.1+dfsg1-1_amd64.deb
e06253172f977dc5cdb642eff9b2029b 33872 net optional ovn-controller-vtep_2.8.1+dfsg1-1_amd64.deb
076fd285510a8cea33dc7f03c960f9ec 34764 net optional ovn-host_2.8.1+dfsg1-1_amd64.deb
cc579eff35d7a4596df200c536d4c792 103268 python optional python-openvswitch_2.8.1+dfsg1-1_all.deb
4c61690e9ed29c14dc9ef2d21c1422f0 94340 python optional python3-openvswitch_2.8.1+dfsg1-1_all.deb
-----BEGIN PGP SIGNATURE-----
iQJEBAEBCAAuFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAlnxHjkQHHppZ29AZGVi
aWFuLm9yZwAKCRDUFq0VrGtD/iLbD/4xdXr9fCUkOw8cQZcdlbBkCYALJiFxDde4
Iq7l3YH+57ldTDh+RA0iDuiOek8/z5rgLVjS9Lc6RTLcZeub0CspSCf1JdHeTEBO
5NBaY0f0Q8/R9RL5It6+osCmywgUfHc2+6kRWrCKPK7d09PkSEixP577tLBs4Ge/
hgFlq0RVDMiVB8fXLRCx9venGO3rJkMFifQXksDaO14joEBEtUcj6ZXpGAy+3FGV
1BshrTjnC75ZGAcdN5pe6cV+dVItUFCQyRNGUUQ0QNd9nABcg2ZoBMiS2s24nBld
QdfVgzhTCtzpxg2SeWau4dYG0WUyMU7BkO33CkalW4LgptdbdlpcF2flnCiC9hK5
Iai5gnABu8NiJt2jRyCPYysX8D3E0na+pNuazkfnHB+WFY70pJOKPQOaVg5Hm7mz
SIr6XmNLRRVOdSC9OpCoOAfhwrN8bDjfud3JiyPcD3l2VBLWn0Gd0NCcaQPHwZHe
6CvpAGWVClkyysCaWuRdKLjbCME9A4onA6+oA3F7W8pj6xeE9WKfTr64G0XxvSji
oDV0MY/RucqrXQxQW/KqtvOlOTu6VMlXpbHMatcNxBpNeBY3Y3jLO8Djzo3O97bW
z+Vi8420XgXx8vcepZwcrpljSY9ESQbVQVqc4e1apYKTdvoej3P5CAlq2eE63Qn6
upKy2ASfNA==
=skuV
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 06 Feb 2018 07:29:05 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:18:46 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon