On Mon, May 29, 2017 at 10:16:50PM +0200, Salvatore Bonaccorso wrote:
> Source: openvswitch
> Version: 2.6.2~pre+git20161223-3
> Severity: normal
> Tags: upstream patch security
>
> Hi,
>
> the following vulnerability was published for openvswitch.
>
> CVE-2017-9265[0]:
> | In Open vSwitch (OvS) v2.7.0, there is a buffer over-read while parsing
> | the group mod OpenFlow message sent from the controller in
> | `lib/ofp-util.c` in the function `ofputil_pull_ofp15_group_mod`.
>
> this should be only in the OpenFlow 1.5+ support, not sure the message
> mentions this is not enabled by default. Affected source is at least
> there.

Maintainers, can you please clarify what

| This bug is part of OpenFlow 1.5 support. Open vSwitch does not enable
| OpenFlow 1.5 support by default.

entails, is that something that's not compiled-in in the Debian package or
what "does not support" mean exactly?

Cheers,
Moritt