CVE-2017-14970 (https://nvd.nist.gov/vuln/detail/CVE-2017-14970): In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are multiple memory leaks while parsing malformed OpenFlow group mod messages.

References:
https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339085.html
https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339086.html

@ Maintainer(s): Please confirm that this package is vulnerable. Bug 632656 for the package dev-python/ovs might also be vulnerable.
Do we need a separate one for ovs? Both openvswitch and ovs are actually in the same repo. Also yes, it's vulnerable.
I've added 2.8.1 to the tree btw, it's fine to fast stable
(In reply to Matthew Thode ( prometheanfire ) from comment #2)
> I've added 2.8.1 to the tree btw, it's fine to fast stable

Awesome, thanks for your work. @Arches, please proceed, thank you!

Gentoo Security Padawan
Daj Uan (jmbailey/mbailey_j)
An automated check of this bug failed - repoman reported dependency errors (41 lines truncated):

> dependency.bad net-misc/openvswitch/openvswitch-2.8.1.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['~dev-python/ovs-2.7.2[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-)]']
> dependency.bad net-misc/openvswitch/openvswitch-2.8.1.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['~dev-python/ovs-2.7.2[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-)]']
> dependency.bad net-misc/openvswitch/openvswitch-2.8.1.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['~dev-python/ovs-2.7.2[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-)]']
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fc5efc6dea906b88030f2615c75b2a8314ced3cc

commit fc5efc6dea906b88030f2615c75b2a8314ced3cc
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-07 03:02:06 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-07 03:02:06 +0000

net-misc/openvswitch: amd64 stable

Bug: https://bugs.gentoo.org/633420
Package-Manager: Portage-2.3.28, Repoman-2.3.9

net-misc/openvswitch/openvswitch-2.8.1.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65e0a4984d74651fa75bf1ad7f8db98a6c3aed69

commit 65e0a4984d74651fa75bf1ad7f8db98a6c3aed69
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-07 03:01:36 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-07 03:01:36 +0000

dev-python/ovs: amd64 stable

Bug: https://bugs.gentoo.org/633420
Package-Manager: Portage-2.3.28, Repoman-2.3.9

dev-python/ovs/ovs-2.7.2.ebuild | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
x86 has a newer version (2.10.0-r1) stable. @maintainers, please clean vulnerable.
cleaned up, 2.8.1 and 2.10.0-r1 remain (both stable amd64 and x86)
(In reply to Matthew Thode ( prometheanfire ) from comment #7)
> cleaned up, 2.8.1 and 2.10.0-r1 remain (both stable amd64 and x86)

Thanks, Matthew!