Hi On Mon, May 29, 2017 at 04:35:30PM -0700, Ben Pfaff wrote: > severity 863661 normal > thanks > > On Mon, May 29, 2017 at 10:14:49PM +0200, Salvatore Bonaccorso wrote: > > Source: openvswitch > > Version: 2.6.2~pre+git20161223-3 > > Severity: important > > Tags: patch upstream security > > > > Hi, > > > > the following vulnerability was published for openvswitch. > > > > CVE-2017-9264[0]: > > | In lib/conntrack.c in the firewall implementation in Open vSwitch (OvS) > > | 2.6.1, there is a buffer over-read while parsing malformed TCP, UDP, > > | and IPv6 packets in the functions `extract_l3_ipv6`, `extract_l4_tcp`, > > | and `extract_l4_udp` that can be triggered remotely. > > > > If you fix the vulnerability please also make sure to include the > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > This only affects the userspace datapath, most often used in the context > of DPDK, which isn't enabled in the Debian packaging. In addition, the > fact that it's a buffer overread (which makes it difficult to use to > crash OVS or change its behavior) and the fact that end-to-end TCP > checksum verification would catch it leads me to believe that this is > only "normal" severity, so I'm updating it (with this email).
Thanks for the analysis. In this case I think normal is ok. Regards, Salvatore
