Control: tags -1 fixed-upstream
According to this announcment [1], CVE-2023-3966 and CVE-2023-5366 are
fixed with versions
Latest stable:
https://www.openvswitch.org/releases/openvswitch-3.2.2.tar.gz
Current LTS series:
https://www.openvswitch.org/releases/openvswitch-2.17.9.tar.gz
Other:
https://www.openvswitch.org/releases/openvswitch-3.1.4.tar.gz
https://www.openvswitch.org/releases/openvswitch-3.0.6.tar.gz
[1]
https://mail.openvswitch.org/pipermail/ovs-announce/2024-February/000338.html
As sid has currently a git snapshot, it is not clear to me if that has
been fixed there too.
On Thu, 08 Feb 2024 22:35:46 +0100 Salvatore Bonaccorso
<car...@debian.org> wrote:
> Source: openvswitch
> Version: 3.3.0~git20240118.e802fe7-3
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
<t...@security.debian.org>
> Control: found -1 3.1.0-2
>
> Hi,
>
> The following vulnerability was published for openvswitch.
>
> CVE-2023-3966[0]:
> | Invalid memory access in Geneve with HW offload
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-3966
> https://www.cve.org/CVERecord?id=CVE-2023-3966
> [1] https://www.openwall.com/lists/oss-security/2024/02/08/3
> [2]
https://mail.openvswitch.org/pipermail/ovs-dev/2024-February/411702.html
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
>
