DebianDEBIAN:DLA-2571-1:B14CA[SECURITY] [DLA 2571-1] openvswitch security update
4.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P
0.003 Low
EPSS
Percentile
69.1%
Debian LTS Advisory DLA-2571-1 [email protected]
https://www.debian.org/lts/security/ Thorsten Alteholz
February 19, 2021 https://wiki.debian.org/LTS
Package : openvswitch
Version : 2.6.10-0+deb9u1
CVE ID : CVE-2015-8011 CVE-2017-9214 CVE-2018-17204 CVE-2018-17206
CVE-2020-27827 CVE-2020-35498
Several issues have been found in openvswitch, a production quality,
multilayer, software-based, Ethernet virtual switch.
CVE-2020-35498
Denial of service attacks, in which crafted network packets
could cause the packet lookup to ignore network header fields
from layers 3 and 4. The crafted network packet is an ordinary
IPv4 or IPv6 packet with Ethernet padding length above 255 bytes.
This causes the packet sanity check to abort parsing header
fields after layer 2.
CVE-2020-27827
Denial of service attacks using crafted LLDP packets.
CVE-2018-17206
Buffer over-read issue during BUNDLE action decoding.
CVE-2018-17204
Assertion failure due to not validating information (group type
and command) in OF1.5 decoder.
CVE-2017-9214
Buffer over-read that is caused by an unsigned integer underflow.
CVE-2015-8011
Buffer overflow in the lldp_decode function in
daemon/protocols/lldp.c in lldpd before 0.8.0 allows remote
attackers to cause a denial of service (daemon crash) and
possibly execute arbitrary code via vectors involving large
management addresses and TLV boundaries.
For Debian 9 stretch, these problems have been fixed in version
2.6.10-0+deb9u1. This version is a new upstream point release.
We recommend that you upgrade your openvswitch packages.
For the detailed security status of openvswitch please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openvswitch
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 9 | amd64 | openvswitch-ipsec | < 2.6.10-0+deb9u1 | openvswitch-ipsec_2.6.10-0+deb9u1_amd64.deb |
| Debian | 9 | armhf | openvswitch-dev | < 2.6.10-0+deb9u1 | openvswitch-dev_2.6.10-0+deb9u1_armhf.deb |
| Debian | 9 | i386 | openvswitch-dev | < 2.6.10-0+deb9u1 | openvswitch-dev_2.6.10-0+deb9u1_i386.deb |
| Debian | 9 | amd64 | ovn-common | < 2.6.10-0+deb9u1 | ovn-common_2.6.10-0+deb9u1_amd64.deb |
| Debian | 9 | armhf | ovn-controller-vtep | < 2.6.10-0+deb9u1 | ovn-controller-vtep_2.6.10-0+deb9u1_armhf.deb |
| Debian | 9 | i386 | openvswitch-common | < 2.6.10-0+deb9u1 | openvswitch-common_2.6.10-0+deb9u1_i386.deb |
| Debian | 9 | armel | openvswitch-switch | < 2.6.10-0+deb9u1 | openvswitch-switch_2.6.10-0+deb9u1_armel.deb |
| Debian | 9 | armel | ovn-central | < 2.6.10-0+deb9u1 | ovn-central_2.6.10-0+deb9u1_armel.deb |
| Debian | 9 | armel | ovn-controller-vtep | < 2.6.10-0+deb9u1 | ovn-controller-vtep_2.6.10-0+deb9u1_armel.deb |
| Debian | 9 | armhf | openvswitch-common | < 2.6.10-0+deb9u1 | openvswitch-common_2.6.10-0+deb9u1_armhf.deb |
Related
4.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P
0.003 Low
EPSS
Percentile
69.1%