Hi Ben,

On Mon, May 29, 2017 at 01:35:58PM -0700, Ben Pfaff wrote:
> notfound 863655 2.3.0+git20140819-1
> found 863655 2.6.2~pre+git20161223-3
> severity 863655 normal
> thanks
>
> On Mon, May 29, 2017 at 09:44:13PM +0200, Salvatore Bonaccorso wrote:
> > Source: openvswitch
> > Version: 2.3.0+git20140819-1
> > Severity: important
> > Tags: security upstream patch
> >
> > Hi,
> >
> > the following vulnerability was published for openvswitch.
> >
> > CVE-2017-9263[0]:
> > | In Open vSwitch (OvS) 2.7.0, while parsing an OpenFlow role status
> > | message, there is a call to the abort() function for undefined role
> > | status reasons in the function `ofp_print_role_status_message` in
> > | `lib/ofp-print.c` that may be leveraged toward a remote DoS attack by a
> > | malicious switch.
>
> This doesn't really make sense. For a "malicious switch" to leverage
> this as a remote DoS, the controller that it talks to has to be
> implemented using the OVS code in question. OVS 2.3 as packaged for
> Debian doesn't include a controller.
>
> Open vSwitch 2.6.2 includes two controllers. The first one,
> ovs-testcontroller, is not vulnerable to this in the default
> configuration, because it does not print such messages even if it
> receives them, unless it is specially configured to do so. The second
> one, ovn-controller, only talks to Open vSwitch directly, not to
> arbitrary switches, and only over a trusted Unix domain socket anyway.
> In any case, if either of these crashes due to this bug, they
> automatically restart themselves.
Thanks for your reply (much appreciated) and this analysis! I adjusted the
security-tracker information.

> So, while it is a good idea to fix this, it's not high severity.

Yes, might be ok indeed.

Regards,
Salvatore

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
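The bug class under discussion, an abort() reached when a peer-supplied enum value in an OpenFlow role status message matches no known case, as an added C illustration that is not part of this thread and not Open vSwitch code. The three reason values follow the OpenFlow 1.4 OFPCRR_* definitions; the 16-byte body layout and all function names are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* OpenFlow 1.4 controller role status reasons (OFPCRR_* in the spec).
 * Only these three values are defined; any other byte is "undefined". */
enum role_status_reason {
    ROLE_REASON_MASTER_REQUEST = 0,
    ROLE_REASON_CONFIG = 1,
    ROLE_REASON_EXPERIMENTER = 2,
};

/* Crash-prone shape described in the CVE text: a peer-controlled byte that
 * matches no case reaches abort(). Shown for contrast only. */
static const char *reason_name_unsafe(uint8_t reason)
{
    switch (reason) {
    case ROLE_REASON_MASTER_REQUEST: return "master_request";
    case ROLE_REASON_CONFIG:         return "configuration_changed";
    case ROLE_REASON_EXPERIMENTER:   return "experimenter_data_changed";
    default: abort();   /* remote input treated as an internal invariant */
    }
}

/* Hardened shape: an undefined reason is data to report, never an assertion.
 * Returns 0 for a defined reason, -1 otherwise; buf always gets a label. */
static int format_role_status_reason(uint8_t reason, char *buf, size_t len)
{
    switch (reason) {
    case ROLE_REASON_MASTER_REQUEST: snprintf(buf, len, "master_request"); return 0;
    case ROLE_REASON_CONFIG:         snprintf(buf, len, "configuration_changed"); return 0;
    case ROLE_REASON_EXPERIMENTER:   snprintf(buf, len, "experimenter_data_changed"); return 0;
    default: snprintf(buf, len, "unknown_reason(%u)", reason); return -1;
    }
}

/* Assumed body layout (modelled on OF1.4, hypothetical here): 4-byte role,
 * 1-byte reason, 3 pad bytes, 8-byte generation id. Short bodies are rejected. */
#define ROLE_STATUS_LEN 16
static int print_role_status_body(const uint8_t *body, size_t n, char *buf, size_t len)
{
    if (n < ROLE_STATUS_LEN) { snprintf(buf, len, "truncated"); return -1; }
    return format_role_status_reason(body[4], buf, len);
}

int main(void)
{
    /* Constructed sample bodies: a defined reason and an undefined one. */
    const uint8_t good[ROLE_STATUS_LEN] = { 0,0,0,2, ROLE_REASON_CONFIG, 0,0,0, 0,0,0,0,0,0,0,7 };
    const uint8_t bad[ROLE_STATUS_LEN]  = { 0,0,0,2, 0xff, 0,0,0, 0,0,0,0,0,0,0,7 };
    char buf[64];
    print_role_status_body(good, sizeof good, buf, sizeof buf); puts(buf);
    print_role_status_body(bad, sizeof bad, buf, sizeof buf); puts(buf); /* no abort */
    puts(reason_name_unsafe(ROLE_REASON_CONFIG));
    return 0;
}
```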