Hi Thomas,

On Fri, Jan 15, 2021 at 01:59:18PM +0100, Salvatore Bonaccorso wrote:
> Hi Thomas,
>
> On Fri, Jan 15, 2021 at 09:29:47AM +0100, Thomas Goirand wrote:
> > On 1/14/21 10:38 PM, Salvatore Bonaccorso wrote:
> > > Source: openvswitch
> > > Version: 2.15.0~git20210104.def6eb1ea+dfsg1-3
> > > Severity: grave
> > > Tags: security upstream
> > > Justification: user security hole
> > > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > > <t...@security.debian.org>
> > > Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u2
> > > Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for openvswitch.
> > >
> > > CVE-2020-27827[0]:
> > > | lldp: avoid memory leak from bad packets
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2020-27827
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27827
> > > [1] https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000269.html
> > > [2] https://github.com/openvswitch/ovs/commit/78e712c0b1dacc2f12d2a03d98f083d8672867f0
> > >
> > > Regards,
> > > Salvatore
> >
> > Hi Salvatore,
> >
> > Thanks for the bug report.
> >
> > Please find, attached, the debdiff to fix the CVE in Buster. Note that
> > Unstable/Sid has already been patched.
> >
> > Please allow me to upload this to buster-security.
>
> Thanks, this is probably fine for a DSA.
>
> *but* please respin the package and include the fix for CVE-2015-8011
> as well, this is fixed in unstable already.
>
> For details and upstream commit see:
> https://security-tracker.debian.org/tracker/CVE-2015-8011
>
> (while at it, please set urgency=high for consistency).
>
> Can you repost a debdiff with the CVE-2015-8011 fix as well?
> > Can you test the package in production?
Actually, about the DSA need for both issues, I would like to first clarify one aspect:

https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000268.html

    We have found that Open vSwitch is subject to a remote code execution
    exploit when LLDP processing is enabled on an interface. By default,
    interfaces are not configured to process LLDP messages.

(which probably reduces to denial of service with source fortification)

https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000269.html

    We have found that Open vSwitch is subject to a denial of service
    exploit when LLDP processing is enabled on an interface. By default,
    interfaces are not configured to process LLDP messages.

What is your take here on the use of the LLDP processing being enabled?

Regards,
Salvatore
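Both advisories quoted above hinge on the same mitigating factor: LLDP processing is off unless someone explicitly enabled it on an interface. An operator deciding whether a fleet is exposed therefore wants to know which interfaces have it on. The following is an added example, not code from this thread or from Open vSwitch: it parses the record-style output of `ovs-vsctl list Interface` (one `column : value` line per column, blank line between records) and reports interfaces whose `lldp` map carries `enable=true`. The sample output embedded below is constructed, and the exact rendering of map values (`{enable="true"}`) is an assumption that may differ between OVS versions, so the parser accepts both quoted and unquoted values.

```python
"""Flag Open vSwitch interfaces with LLDP processing enabled.

Added example, not code from the mailing-list thread or from Open vSwitch.
It parses the record-style output of ``ovs-vsctl list Interface``.  The
sample output below is constructed; the map rendering is an assumption.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample of `ovs-vsctl list Interface` output (assumed format).
SAMPLE_OUTPUT = """\
_uuid               : 3b0e6a2e-0000-4000-8000-000000000001
admin_state         : up
lldp                : {}
name                : eth0
type                : ""

_uuid               : 3b0e6a2e-0000-4000-8000-000000000002
admin_state         : up
lldp                : {enable="true"}
name                : "bond-uplink"
type                : ""

_uuid               : 3b0e6a2e-0000-4000-8000-000000000003
admin_state         : up
lldp                : {enable=false}
name                : vxlan0
type                : vxlan
"""

# `column : value` line; OVSDB column names are identifiers, so \w+ suffices.
_KV_LINE = re.compile(r"^(\w+)\s*:\s*(.*)$")
# One `key=value` item inside a rendered map; value may or may not be quoted.
_MAP_ITEM = re.compile(r'(\w+)="?([^",}]*)"?')


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split ovs-vsctl 'list' output into one dict per record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():           # blank line terminates a record
            if current:
                records.append(current)
                current = {}
            continue
        m = _KV_LINE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:                        # last record has no trailing blank line
        records.append(current)
    return records


def parse_map(value: str) -> Dict[str, str]:
    """Turn a rendered OVSDB map such as {enable="true", foo=bar} into a dict."""
    inner = value.strip()
    if not (inner.startswith("{") and inner.endswith("}")):
        return {}
    return {k: v for k, v in _MAP_ITEM.findall(inner[1:-1])}


def lldp_enabled_interfaces(text: str) -> List[str]:
    """Return the names of interfaces whose lldp map has enable=true."""
    names: List[str] = []
    for rec in parse_records(text):
        lldp = parse_map(rec.get("lldp", "{}"))
        if lldp.get("enable", "false").lower() == "true":
            names.append(rec.get("name", "").strip('"'))
    return names


def fetch_interfaces() -> str:
    """Run ovs-vsctl on a live host; needs OVS installed and enough privilege."""
    return subprocess.run(["ovs-vsctl", "list", "Interface"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    try:
        output = fetch_interfaces()
    except (FileNotFoundError, subprocess.CalledProcessError):
        output = SAMPLE_OUTPUT     # no OVS here: fall back to the constructed sample
    flagged = lldp_enabled_interfaces(output)
    print("LLDP processing enabled on:", flagged or "no interfaces")
```

On the constructed sample only `bond-uplink` is reported. An empty result means the interfaces are in the default state the advisories describe, which is the input to the DSA severity question raised above; it is not a substitute for applying the fix.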