notfound 863655 2.3.0+git20140819-1
found 863655 2.6.2~pre+git20161223-3
severity 863655 normal
thanks
On Mon, May 29, 2017 at 09:44:13PM +0200, Salvatore Bonaccorso wrote:
> Source: openvswitch
> Version: 2.3.0+git20140819-1
> Severity: important
> Tags: security upstream patch
>
> Hi,
>
> the following vulnerability was published for openvswitch.
>
> CVE-2017-9263[0]:
> | In Open vSwitch (OvS) 2.7.0, while parsing an OpenFlow role status
> | message, there is a call to the abort() function for undefined role
> | status reasons in the function `ofp_print_role_status_message` in
> | `lib/ofp-print.c` that may be leveraged toward a remote DoS attack by a
> | malicious switch.

This doesn't really make sense. For a "malicious switch" to leverage this
as a remote DoS, the controller that it talks to has to be implemented
using the OVS code in question.

OVS 2.3 as packaged for Debian doesn't include a controller.

Open vSwitch 2.6.2 includes two controllers. The first one,
ovs-testcontroller, is not vulnerable to this in the default
configuration, because it does not print such messages even if it
receives them, unless it is specially configured to do so. The second
one, ovn-controller, only talks to Open vSwitch directly, not to
arbitrary switches, and only over a trusted Unix domain socket anyway.

In any case, if either of these crashes due to this bug, they
automatically restart themselves.

So, while it is a good idea to fix this, it's not high severity.

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
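The bug class discussed in the thread, a message printer that reaches abort() on a reason code it does not recognise, beside the shape of a fix, as an added example that is not Open vSwitch code and not part of the bug report. The enum values and the function names describe_reason_fragile, describe_reason_robust, reason_is_known and reason_text_matches are assumptions made for this illustration only; the real ofp_print_role_status_message in lib/ofp-print.c is not reproduced here.

```c
/* Added illustration, not Open vSwitch code. The names and reason codes
 * below are constructed for this example; only the defect pattern
 * (abort() on an unrecognised value decoded from the wire) follows the
 * CVE-2017-9263 description. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed set of role status reason codes for the example. */
enum role_status_reason {
    REASON_MASTER_REQUEST = 0,
    REASON_CONFIG         = 1,
    REASON_EXPERIMENTER   = 2,
};

/* Fragile pattern: any value outside the enum terminates the process,
 * so one malformed message from a peer is a crash of the whole daemon. */
const char *describe_reason_fragile(int reason)
{
    switch (reason) {
    case REASON_MASTER_REQUEST: return "master_request";
    case REASON_CONFIG:         return "config";
    case REASON_EXPERIMENTER:   return "experimenter";
    default:                    abort();   /* the defect */
    }
}

/* Robust pattern: every value decoded from untrusted input gets a
 * printable fallback. Returns 0 for a known reason, 1 for an unknown one
 * so the caller can count or log malformed messages instead of dying. */
int describe_reason_robust(int reason, char *buf, size_t len)
{
    const char *name = NULL;
    switch (reason) {
    case REASON_MASTER_REQUEST: name = "master_request"; break;
    case REASON_CONFIG:         name = "config";         break;
    case REASON_EXPERIMENTER:   name = "experimenter";   break;
    }
    if (name) {
        snprintf(buf, len, "%s", name);
        return 0;
    }
    snprintf(buf, len, "unknown_reason(%d)", reason);
    return 1;
}

/* Small helpers so the behaviour can be checked without a buffer in hand. */
int reason_is_known(int reason)
{
    char buf[64];
    return describe_reason_robust(reason, buf, sizeof buf) == 0;
}

int reason_text_matches(int reason, const char *expected)
{
    char buf[64];
    describe_reason_robust(reason, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample of reason codes as they might arrive from a peer,
     * including one the printer has never heard of. */
    int samples[] = { 0, 1, 2, 200 };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int unknown = describe_reason_robust(samples[i], buf, sizeof buf);
        printf("reason %d -> %s%s\n", samples[i], buf,
               unknown ? "  [malformed, counted not fatal]" : "");
    }
    return 0;
}
```

The point the thread makes about exposure still applies: the robust form only matters in a process that actually prints messages received from an untrusted peer, which is why the severity was lowered for the Debian packages.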