Your message dated Tue, 03 Jan 2023 10:37:03 +0000
with message-id <e1pcefh-00eqkt...@fasolo.debian.org>
and subject line Bug#1027273: fixed in openvswitch 3.1.0~git20221212.739bcf2-4
has caused the Debian Bug report #1027273,
regarding openvswitch: CVE-2022-4337 CVE-2022-4338
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1027273: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027273
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openvswitch
Version: 3.1.0~git20221212.739bcf2-3
Severity: grave
Tags: security upstream
Forwarded: https://github.com/openvswitch/ovs/pull/405
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for openvswitch.

Filing as RC to make sure the fix can reach bookworm release.

CVE-2022-4337[0]:
| Out-of-Bounds Read in Organization Specific TLV

CVE-2022-4338[1]:
| Integer Underflow in Organization Specific TLV

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-4337
    https://www.cve.org/CVERecord?id=CVE-2022-4337
[1] https://security-tracker.debian.org/tracker/CVE-2022-4338
    https://www.cve.org/CVERecord?id=CVE-2022-4338
[2] https://github.com/openvswitch/ovs/pull/405
[3] https://mail.openvswitch.org/pipermail/ovs-dev/2022-December/400596.html
[4] https://www.openwall.com/lists/oss-security/2022/12/20/2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: openvswitch
Source-Version: 3.1.0~git20221212.739bcf2-4
Done: Thomas Goirand <z...@debian.org>

We believe that the bug you reported is fixed in the latest version of
openvswitch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1027...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated openvswitch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 03 Jan 2023 10:06:22 +0100
Source: openvswitch
Architecture: source
Version: 3.1.0~git20221212.739bcf2-4
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 1027273 1027329
Changes:
 openvswitch (3.1.0~git20221212.739bcf2-4) unstable; urgency=high
 .
   * Add dpdk support for riscv64 (Closes: #1027329).
   * CVE-2022-4337 & CVE-2022-4338: Out-of-Bounds Read and Integer Underflow in
     Organization Specific TLV. Added upstream patches (Closes: #1027273).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
