Version 3.3.9 is fixing a CVE:

v3.3.9 - 31 Mar 2026
--------------------
   - Bug fixes
   - DPDK:
     * OVS validated with DPDK 23.11.6.
   - Security:
     * Fixed buffer overflow during conntrack processing of alg=ftp in
       userspace datapath (CVE-2026-34956).

This indicates that it should go through the security team, or at least
be built with just security enabled, copied to proposed, and then
released to both updates and security. Or something like that.

Has the security team been approached? I also checked 3.3.0-1ubuntu3.2
currently in noble-security, but I don't see a mention of this CVE in
d/changelog.

I'm subscribing ubuntu-security to the bug, and marking it as incomplete
to highlight that more information (and possibly a process change) is
needed.

** CVE added: https://cve.org/CVERecord?id=CVE-2026-34956

** Changed in: openvswitch (Ubuntu Noble)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2147329

Title:
  [SRU] openvswitch 3.3.9 point release

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2147329/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
