On Thu, Jul 06, 2017 at 10:49:30PM +0200, Moritz Muehlenhoff wrote: > On Mon, May 29, 2017 at 10:16:50PM +0200, Salvatore Bonaccorso wrote: > > Source: openvswitch > > Version: 2.6.2~pre+git20161223-3 > > Severity: normal > > Tags: upstream patch security > > > > Hi, > > > > the following vulnerability was published for openvswitch. > > > > CVE-2017-9265[0]: > > | In Open vSwitch (OvS) v2.7.0, there is a buffer over-read while parsing > > | the group mod OpenFlow message sent from the controller in > > | `lib/ofp-util.c` in the function `ofputil_pull_ofp15_group_mod`. > > > > this should be only in the OpenFlow 1.5+ support, not sure the message > > mentions this is not enabled by default. Affected source it as least > > there. > > Maintainers, can you please clarify what > > | This bug is part of OpenFlow 1.5 support. Open vSwitch does not enable > | OpenFlow 1.5 support by default. > > entails, is that something that's not compiled-in in the Debian package > or what "does not support" mean exactly?
OpenFlow 1.5 support is incomplete in OVS 2.7, which makes it not very useful. So an administrator has to enable it explicitly, and probably won't (because it's not very useful). _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
