Embargo ends: Monday, March 28

Multiple versions of Open vSwitch are vulnerable to remote buffer overflow attacks, in which crafted MPLS packets could overflow the buffer reserved for MPLS labels in an OVS internal data structure. The MPLS packets that trigger the vulnerability and the potential for exploitation vary depending on version:

- Open vSwitch 2.1.x and earlier are not vulnerable.
- In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be exploited for arbitrary remote code execution.
- In Open vSwitch 2.4.x, the MPLS buffer overflow does not obviously lead to a remote code execution exploit, but testing shows that it can allow a remote denial of service.
- Open vSwitch 2.5.x is not vulnerable.

Mitigation
==========

For any version of Open vSwitch, preventing MPLS packets from reaching Open vSwitch mitigates the vulnerability. We do not recommend attempting to mitigate the vulnerability this way because of the following difficulties:

- Open vSwitch obtains packets before the iptables host firewall, so iptables on the Open vSwitch host cannot ordinarily block the vulnerability.
- If Open vSwitch is configured to support tunnels, MPLS packets encapsulated within tunnels must also be prevented from reaching the host.
- If Open vSwitch runs on a hypervisor, MPLS packets from VMs can also trigger the vulnerability.

We believe that Open vSwitch 2.4 is subject to denial of service only when debug logging is enabled. By default, debug logging is not enabled. Users most commonly enable debug logging at runtime using the "ovs-appctl" utility. When this is the case, the buffer overflow will crash the ovs-vswitchd daemon once, and then when it automatically restarts debug logging will be disabled; thus, in this situation, the vulnerability can only cause a single, brief interruption in service.

Debug logging can also be enabled persistently using a command-line flag; in this situation, a stream of crafted MPLS packets could cause an extended denial of service.

Fix
===

Patches to fix these vulnerabilities in Open vSwitch 2.3.x and 2.4.x are appended. The patch for Open vSwitch 2.3.x also applies to and is effective for Open vSwitch 2.2.x.

Recommendation
==============

We recommend that users of Open vSwitch 2.3.x or 2.4.x apply the respective patch, or upgrade to Open vSwitch 2.5.0.

For Open vSwitch 2.4.x only, if it cannot be upgraded expeditiously, we recommend verifying that debug logging is not enabled on the command line. This is not effective mitigation for Open vSwitch 2.3.x.

Open vSwitch 2.2.x was never officially released. If users of prerelease versions exist, we recommend that they upgrade to Open vSwitch 2.5.0.
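The advisory's recommendation for 2.4.x hosts is to verify that debug logging is not enabled on the ovs-vswitchd command line. The script below is an added example, not part of the advisory or the Open vSwitch project: it classifies an OVS version string against the affected ranges stated above and scans an ovs-vswitchd command line for a `-v`/`--verbose` option that sets the `dbg` level. It assumes the real ovs-vswitchd logging syntax (`-v` or `--verbose` with no spec sets every module and destination to dbg; otherwise the spec is `module:destination:level`), that `ovs-vswitchd --version` ends its first line with the version number, and that releases newer than 2.5 carry the fix (an assumption, labelled in the code). The sample command lines at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory or the OVS project): inventory check for
# the MPLS label buffer overflow. Two checks are combined: version range per the
# advisory, and whether ovs-vswitchd was started with persistent debug logging.

# ovs_risk VERSION -> prints: not-vulnerable | rce | dos | unknown
ovs_risk() {
    ver=$1
    # Anything that is not dotted digits is reported as unknown, never guessed.
    case "$ver" in *.*) ;; *) echo unknown; return 0 ;; esac
    major=${ver%%.*}
    rest=${ver#"$major".}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$minor" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -le 1 ]; }; then
        echo not-vulnerable            # 2.1.x and earlier
    elif [ "$major" -eq 2 ] && [ "$minor" -le 3 ]; then
        echo rce                       # 2.2.x / 2.3.x: remote code execution
    elif [ "$major" -eq 2 ] && [ "$minor" -eq 4 ]; then
        echo dos                       # 2.4.x: denial of service with debug logging
    else
        # 2.5.x is fixed per the advisory; later releases are ASSUMED to carry the fix.
        echo not-vulnerable
    fi
}

# debug_on_cmdline ARG... -> exit 0 if some -v/--verbose option enables dbg logging
debug_on_cmdline() {
    for arg in "$@"; do
        case "$arg" in
            -v|--verbose) return 0 ;;   # no spec: every module and destination goes to dbg
            -v?*)         spec=${arg#-v} ;;
            --verbose=*)  spec=${arg#--verbose=} ;;
            *)            continue ;;
        esac
        # The level is one colon-separated token of module:destination:level;
        # compare case-insensitively so "DBG" is caught as well.
        lc=$(printf '%s' "$spec" | tr 'A-Z' 'a-z')
        case ":$lc:" in *:dbg:*) return 0 ;; esac
    done
    return 1
}

# assess VERSION ARG... -> one summary line combining both checks
assess() {
    ver=$1; shift
    risk=$(ovs_risk "$ver")
    if debug_on_cmdline "$@"; then dbg=yes; else dbg=no; fi
    case "$risk:$dbg" in
        dos:yes) echo "$ver: $risk (persistent debug logging on: extended DoS possible; patch or upgrade)" ;;
        dos:no)  echo "$ver: $risk (debug logging off on the command line; still patch or upgrade)" ;;
        rce:*)   echo "$ver: $risk (patch or upgrade to 2.5.0; logging level is irrelevant)" ;;
        *)       echo "$ver: $risk" ;;
    esac
}

# audit_live -> run both checks against the daemon on this host, if present
audit_live() {
    command -v ovs-vswitchd >/dev/null 2>&1 || { echo "ovs-vswitchd not installed"; return 0; }
    ver=$(ovs-vswitchd --version | awk 'NR==1 {print $NF}')
    # The process arguments become "$@" (word-splitting is intended here).
    # shellcheck disable=SC2046
    set -- $(ps -o args= -C ovs-vswitchd 2>/dev/null)
    assess "$ver" "$@"
}

# Constructed sample inputs (not taken from any real host), for a stand-alone run.
assess 2.3.2 /usr/sbin/ovs-vswitchd --pidfile --detach
assess 2.4.0 /usr/sbin/ovs-vswitchd --pidfile -vconsole:off -vsyslog:dbg
assess 2.4.0 /usr/sbin/ovs-vswitchd --pidfile -vconsole:off -vsyslog:info
assess 2.5.0 /usr/sbin/ovs-vswitchd --pidfile
[ "$1" = --live ] && audit_live
```

Run with `--live` to check the local daemon. Debug levels enabled at runtime through `ovs-appctl vlog/set` do not appear on the command line; `ovs-appctl vlog/list` shows the currently effective levels, and, as the advisory notes, those revert when the daemon restarts, so only the command-line form produces an extended outage on 2.4.x.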
As 2.5.0 is in tree, I'd like to do a fast stablereq on that (amd64/x86) and remove all older releases.
adding arch sec liaisons for fast stablereq of =net-misc/openvswitch-2.5.0
stable for both.
removed bad versions: openvswitch-2.3.0.ebuild, openvswitch-2.3.1.ebuild, openvswitch-2.3.2.ebuild, openvswitch-2.4.0.ebuild. Cleanup done; removing arch contacts.
issue public at http://www.openwall.com/lists/oss-security/2016/03/29/1
@ Security: Waiting for GLSA...
This issue was resolved and addressed in GLSA 201701-07 at https://security.gentoo.org/glsa/201701-07 by GLSA coordinator Thomas Deutschmann (whissi).