---------------------------------------------------------------------------
Debian LTS Advisory DLA-2571-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
February 19, 2021                             https://wiki.debian.org/LTS
---------------------------------------------------------------------------

Package        : openvswitch
Version        : 2.6.10-0+deb9u1
CVE ID         : CVE-2015-8011 CVE-2017-9214 CVE-2018-17204 CVE-2018-17206
                  CVE-2020-27827 CVE-2020-35498


Several issues have been found in openvswitch, a production-quality,
multilayer, software-based Ethernet virtual switch.

CVE-2020-35498

     Denial of service, in which crafted network packets cause the
     packet lookup to ignore network header fields from layers 3 and 4.
     The crafted packet is an ordinary IPv4 or IPv6 packet with an
     Ethernet padding length above 255 bytes, which causes the packet
     sanity check to abort parsing header fields after layer 2.
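
The truncation behind CVE-2020-35498, as an added example that is not OpenvSwitch code: a minimal Ethernet/IPv4 flow extractor whose 8-bit padding counter (an assumption consistent with the advisory's 255-byte threshold, as is the exact form of the sanity check) wraps at 256 bytes, fails the check and stops after layer 2, beside the 16-bit variant that keeps the layer-3 fields. `extract`, `build_frame` and `keeps_l3` are hypothetical names and the sample frame is constructed inline.

```c
/* Added example, not OpenvSwitch code: minimal Ethernet/IPv4 flow extractor
 * modelling the padding-length truncation behind CVE-2020-35498. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN 14
#define IPV4_HDR_LEN 20
#define ETHTYPE_IPV4 0x0800
/* What reached the flow key; has_l3 false means lookup keyed on L2 only. */
struct flow_key { bool has_l3; uint16_t l2_pad_size; };

/* wide_pad=false stores the padding length in 8 bits (vulnerable model; an
 * assumption consistent with the advisory's 255-byte threshold), true in 16. */
static struct flow_key extract(const uint8_t *f, size_t len, bool wide_pad)
{
    struct flow_key key = {0};
    if (len < ETH_HDR_LEN + IPV4_HDR_LEN || ((f[12] << 8) | f[13]) != ETHTYPE_IPV4)
        return key;                                 /* runt or non-IP: L2 only */
    size_t tot_len = (f[ETH_HDR_LEN + 2] << 8) | f[ETH_HDR_LEN + 3];
    size_t l3_avail = len - ETH_HDR_LEN;
    if (tot_len < IPV4_HDR_LEN || tot_len > l3_avail) return key;
    size_t pad = l3_avail - tot_len;                /* trailing Ethernet padding */
    uint16_t stored = wide_pad ? (uint16_t)pad : (uint8_t)pad;  /* 8-bit wraps at 256 */
    /* Sanity check: L2 header + IP packet + recorded padding must span the frame.
     * A wrapped counter fails it, so parsing stops after layer 2. */
    if (ETH_HDR_LEN + tot_len + stored != len) return key;
    key.l2_pad_size = stored;
    key.has_l3 = true;
    return key;
}
/* Constructed sample: header-only IPv4 packet (total length 20) followed by
 * `pad` zero bytes of Ethernet padding. Returns the frame length. */
static size_t build_frame(uint8_t *buf, size_t pad)
{
    memset(buf, 0, ETH_HDR_LEN + IPV4_HDR_LEN + pad);
    buf[12] = 0x08; buf[13] = 0x00;                 /* ethertype IPv4 */
    buf[ETH_HDR_LEN] = 0x45;                        /* version 4, IHL 5 */
    buf[ETH_HDR_LEN + 3] = IPV4_HDR_LEN;            /* total length 20 */
    return ETH_HDR_LEN + IPV4_HDR_LEN + pad;
}

/* Does a frame with `pad` padding bytes keep its L3 fields under each model? */
bool keeps_l3(size_t pad, bool wide_pad)
{
    uint8_t buf[2048];                              /* enough for pad <= 2000 */
    return extract(buf, build_frame(buf, pad), wide_pad).has_l3;
}
```

Under the 8-bit model a frame with 256 or more padding bytes is keyed on layer 2 alone, so any flow rule that matches on IP or transport fields no longer sees it; widening the counter is what restores the layer-3 fields.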

CVE-2020-27827

     Denial of service attacks using crafted LLDP packets.

CVE-2018-17206

     Buffer over-read issue during BUNDLE action decoding.

CVE-2018-17204

     Assertion failure due to not validating information (group type
     and command) in the OF1.5 decoder.

CVE-2017-9214

     Buffer over-read that is caused by an unsigned integer underflow.

CVE-2015-8011

     Buffer overflow in the lldp_decode function in
     daemon/protocols/lldp.c in lldpd before 0.8.0 allows remote
     attackers to cause a denial of service (daemon crash) and
     possibly execute arbitrary code via vectors involving large
     management addresses and TLV boundaries.


For Debian 9 stretch, these problems have been fixed in version
2.6.10-0+deb9u1. This version is a new upstream point release.

We recommend that you upgrade your openvswitch packages.

For the detailed security status of openvswitch please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/openvswitch

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
