Package: openvswitch
Version: 2.6.2~pre+git20161223-3
Severity: important
Tags: patch upstream security

Hi,

the following vulnerability was published for openvswitch.

CVE-2017-9214[0]:
| In Open vSwitch (OvS) 2.7.0, while parsing an
| OFPT_QUEUE_GET_CONFIG_REPLY type OFP 1.0 message, there is a buffer
| over-read that is caused by an unsigned integer underflow in the
| function `ofputil_pull_queue_get_config_reply10` in `lib/ofp-util.c`.

The code around the ofputil_pull_queue_get_config_reply* functions has
changed quite a bit since the version in stable, so I'm unsure if the
issue is there as well. Needs confirmation since similar checks are done.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9214
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9214
[1] https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332711.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
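The bug class named in the CVE text above (an unsigned underflow of a length field that leads to an over-read), shown as an added example that is not Open vSwitch code and not part of the original report. The record layout, function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record, NOT the OpenFlow wire format: 2-byte big-endian
 * total length (header included), 2 pad bytes, then len - 4 property bytes. */
#define REC_HDR_LEN 4u

/* Constructed sample inputs. */
static const uint8_t sample_ok[8]    = {0x00, 0x08, 0, 0, 1, 2, 3, 4};
static const uint8_t sample_short[4] = {0x00, 0x02, 0, 0}; /* len < header */
static const uint8_t sample_long[4]  = {0x00, 0x40, 0, 0}; /* len > buffer */

/* Flawed: trusts the length field, so len < 4 wraps to a huge count. */
size_t props_len_unchecked(const uint8_t *buf, size_t avail)
{
    if (avail < REC_HDR_LEN)
        return 0;
    unsigned int len = (unsigned int)buf[0] << 8 | buf[1];
    return len - REC_HDR_LEN;          /* 2 - 4 == UINT_MAX - 1 */
}

/* Hardened: bound len on both sides before subtracting. */
int props_len_checked(const uint8_t *buf, size_t avail, size_t *out)
{
    if (avail < REC_HDR_LEN)
        return -1;
    size_t len = (size_t)buf[0] << 8 | buf[1];
    if (len < REC_HDR_LEN || len > avail)
        return -1;                     /* malformed: reject, do not parse */
    *out = len - REC_HDR_LEN;
    return 0;
}

int main(void)
{
    size_t n = 0;
    printf("unchecked(short) = %zu bytes to walk in a %zu-byte buffer\n",
           props_len_unchecked(sample_short, sizeof sample_short),
           sizeof sample_short);
    printf("checked(short) = %d\n",
           props_len_checked(sample_short, sizeof sample_short, &n));
    printf("checked(long)  = %d\n",
           props_len_checked(sample_long, sizeof sample_long, &n));
    if (props_len_checked(sample_ok, sizeof sample_ok, &n) == 0)
        printf("checked(ok)    = %zu property bytes\n", n);
    return 0;
}
```

When comparing a packaged version against the fixed one, the thing to look for is whether every length taken from the message is compared against both the header size and the remaining buffer before it is used in a subtraction.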