[Git][security-tracker-team/security-tracker][master] 4 commits: add note for CVE-2018-17206 in branch-2.6 of openvswitch

Thorsten Alteholz alteholz at debian.org
Fri Feb 19 22:03:30 GMT 2021



Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a82c5281 by Thorsten Alteholz at 2021-02-19T23:01:15+01:00
add note for CVE-2018-17206 in branch-2.6 of openvswitch

- - - - -
b09e8ff8 by Thorsten Alteholz at 2021-02-19T23:01:16+01:00
add note for CVE-2018-17204 in branch-2.6 of openvswitch

- - - - -
875f7684 by Thorsten Alteholz at 2021-02-19T23:01:17+01:00
uploading new point release in Stretch fixes some CVEs

- - - - -
25c770d7 by Thorsten Alteholz at 2021-02-19T23:02:58+01:00
Reserve DLA-2571-1 for openvswitch

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -28062,7 +28062,6 @@ CVE-2020-27827 [lldp: avoid memory leak from bad packets]
 	[buster] - lldpd <no-dsa> (Minor issue)
 	[stretch] - lldpd <no-dsa> (Minor issue)
 	- openvswitch 2.15.0~git20210104.def6eb1ea+dfsg1-4 (bug #980132)
-	[stretch] - openvswitch <no-dsa> (Minor issue)
 	NOTE: https://github.com/openvswitch/ovs/pull/337
 	NOTE: https://github.com/lldpd/lldpd/commit/a8d3c90feca548fc0656d95b5d278713db86ff61
 	NOTE: https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000269.html
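Review bot: the removed `[stretch] - openvswitch <no-dsa> (Minor issue)` line has no replacement in this hunk, so after the change the CVE-2020-27827 entry says nothing about openvswitch in stretch, while `[stretch] - lldpd <no-dsa>` remains. The fixed version 2.6.10-0+deb9u1 appears only in data/DLA/list. If the `[stretch] - openvswitch 2.6.10-0+deb9u1` line is expected to be generated from the DLA cross-reference, that is fine; otherwise add it here. The same applies to the other four hunks that drop this line.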
@@ -160285,11 +160284,11 @@ CVE-2018-17207 (An issue was discovered in Snap Creek Duplicator before 1.2.42.
 	NOT-FOR-US: Snap Creek Duplicator
 CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The ...)
 	- openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1
-	[stretch] - openvswitch <no-dsa> (Minor issue)
 	[jessie] - openvswitch <not-affected> (Vulnerable code does not exist; no such function)
 	NOTE: https://github.com/openvswitch/ovs/commit/5026a263d7846077eee540de42192d27da513226 (master)
 	NOTE: https://github.com/openvswitch/ovs/commit/20626d38c1a1d4cebb5a6911ea3cb6a7f4f993f8 (branch-2.8)
 	NOTE: https://github.com/openvswitch/ovs/commit/9237a63c47bd314b807cda0bd2216264e82edbe8 (branch-2.7)
+	NOTE: https://github.com/openvswitch/ovs/commit/ee47d61ba1c97cf67a68f0191dec1f93bfafc0a0 (branch-2.6)
 CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, aff ...)
 	- openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1
 	[stretch] - openvswitch <not-affected> (Vulnerable code introduced later)
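Review bot: the CVE-2018-17206 description still reads "2.7.x through 2.7.6", and the new `(branch-2.6)` commit NOTE is the only thing in the entry that indicates the 2.6 series is affected. A short NOTE stating that 2.6.x is also affected would make the stretch fix understandable without following the link.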
@@ -160299,11 +160298,11 @@ CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.
 	NOTE: https://github.com/openvswitch/ovs/commit/0befd1f3745055c32940f5faf9559be6a14395e6 (branch-2.7)
 CVE-2018-17204 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, aff ...)
 	- openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1
-	[stretch] - openvswitch <no-dsa> (Minor issue)
 	[jessie] - openvswitch <not-affected> (Vulnerable code does not exist; no such function)
 	NOTE: https://github.com/openvswitch/ovs/commit/9740d81d94888cb158fa99a9366fe2b32b3e4aaa (master)
 	NOTE: https://github.com/openvswitch/ovs/commit/8976ea1d680ab7a2d726a50e5666aa8fefd24168 (branch-2.8)
 	NOTE: https://github.com/openvswitch/ovs/commit/4af6da3b275b764b1afe194df6499b33d2bf4cde (branch-2.7)
+	NOTE: https://github.com/openvswitch/ovs/commit/fbe37f3ccc819a044a500fb5da13d3e53596c2a7 (branch-2.6)
 	NOTE: ovs-vswitchd does not enable support for OpenFlow 1.5 by default.
 CVE-2018-17203
 	REJECTED
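Review bot: the added `(branch-2.6)` NOTE for CVE-2018-17204 gives the commit but not the upstream release that contains it, whereas stretch is fixed by moving to a new point release (2.6.10-0+deb9u1 in data/DLA/list). Consider naming the first 2.6.x release that carries the commit in the NOTE, so the fixed version can be checked against it.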
@@ -232834,7 +232833,6 @@ CVE-2017-9215
 CVE-2017-9214 (In Open vSwitch (OvS) 2.7.0, while parsing an OFPT_QUEUE_GET_CONFIG_RE ...)
 	[experimental] - openvswitch 2.8.1+dfsg1-1
 	- openvswitch 2.8.1+dfsg1-2 (bug #863228)
-	[stretch] - openvswitch <no-dsa> (Minor issue)
 	[jessie] - openvswitch <not-affected> (Vulnerable code not present)
 	[wheezy] - openvswitch <not-affected> (Vulnerable code not present)
 	NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332711.html
@@ -292977,7 +292975,6 @@ CVE-2015-8011 (Buffer overflow in the lldp_decode function in daemon/protocols/l
 	[wheezy] - lldpd <not-affected> (Vulnerable code not present)
 	[squeeze] - lldpd <not-affected> (Vulnerable code not present)
 	- openvswitch 2.15.0~git20210104.def6eb1ea+dfsg1-1
-	[stretch] - openvswitch <no-dsa> (Minor issue)
 	NOTE: https://github.com/lldpd/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2
 	NOTE: https://www.openwall.com/lists/oss-security/2015/10/16/2
 	NOTE: https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000268.html


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[19 Feb 2021] DLA-2571-1 openvswitch - security update
+	{CVE-2015-8011 CVE-2017-9214 CVE-2018-17204 CVE-2018-17206 CVE-2020-27827 CVE-2020-35498}
+	[stretch] - openvswitch 2.6.10-0+deb9u1
 [20 Feb 2021] DLA-2570-1 screen - security update
 	{CVE-2021-26937}
 	[stretch] - screen 4.5.0-6+deb9u1
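Review bot: DLA-2571-1 lists six CVEs, but the data/CVE/list part of this push only touches five of them; there is no hunk for CVE-2020-35498. Please confirm that its entry carries no stale stretch annotation for openvswitch that should have been dropped with the others. Also note that the new entry is dated `[19 Feb 2021]` and sits above DLA-2570-1 dated `[20 Feb 2021]`, so the dates run backwards relative to the DLA numbers; worth checking which of the two dates is intended.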


=====================================
data/dla-needed.txt
=====================================
@@ -77,8 +77,6 @@ openldap (Uktarsh)
   NOTE: 20210215: update ready at https://salsa.debian.org/openldap-team/openldap/-/commits/stretch.
   NOTE: 20210215: waiting to see if anything else comes up. (utkarsh)
 --
-openvswitch (Thorsten Alteholz)
---
 php-pear
 --
 python-pysaml2 (Abhijith PA)
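Review bot: the removal of `openvswitch (Thorsten Alteholz)` together with its `--` separator leaves the list well-formed, but the hunk header context shows the preceding claim as `openldap (Uktarsh)` while the NOTE below it is signed `(utkarsh)`. That looks like a misspelled claimant name and could be corrected in a follow-up.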



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a4dd28903f5e9a1a697ad08621e093c1123b9519...25c770d7498025393afeabe607f45770074be37b
