[SRU] Open vSwitch 2.4.1, 2.3.3 stable updates

Bug #1575119 reported by James Page on 2016-04-26
Affects | Status | Importance | Assigned to | Milestone
Ubuntu Cloud Archive | | Undecided | Unassigned |
Kilo | | High | Unassigned |
Liberty | | High | Unassigned |
openvswitch (Ubuntu) | | Undecided | Unassigned |
Wily | | High | Unassigned |

Bug Description

The Open vSwitch team is pleased to announce the release of Open vSwitch 2.4.1:

 http://openvswitch.org/releases/openvswitch-2.4.1.tar.gz

and Open vSwitch 2.3.3:

 http://openvswitch.org/releases/openvswitch-2.3.3.tar.gz

Both of these releases contain bug fixes. Most importantly, they address a remote execution vulnerability in MPLS parsing (CVE-2016-2074):

 http://openvswitch.org/pipermail/announce/2016-March/000082.html

We recommend immediately upgrading to a patched version. If you do not want the other fixes, the advisory above contains patches that may be applied to the previous releases.

Note that Open vSwitch 2.5.x is not affected by this issue.

We would like to thank the reporters: Kashyap Thimmaraju and Bhargava Shastry.

Enjoy!

--The Open vSwitch Team

CVE References

James Page (james-page) on 2016-04-26
Changed in openvswitch (Ubuntu):
status: New → Invalid
Changed in openvswitch (Ubuntu Wily):
importance: Undecided → High
status: New → Triaged
Changed in cloud-archive:
status: New → Invalid

Hello James, or anyone else affected,

Accepted openvswitch into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openvswitch/2.4.1-0ubuntu0.15.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openvswitch (Ubuntu Wily):
status: Triaged → Fix Committed
tags: added: verification-needed
James Page (james-page) wrote :

Hello James, or anyone else affected,

Accepted openvswitch into liberty-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:liberty-proposed
  sudo apt-get update

Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-liberty-needed to verification-liberty-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-liberty-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-liberty-needed
James Page (james-page) on 2016-06-08
tags: added: verification-done verification-liberty-done
removed: verification-liberty-needed verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvswitch - 2.4.1-0ubuntu0.15.10.1

---------------
openvswitch (2.4.1-0ubuntu0.15.10.1) wily; urgency=medium

  * New upstream point release (LP: #1575119):
    - CVE-2016-2074: MPLS buffer overflow vulnerabilities.

 -- James Page <email address hidden> Tue, 26 Apr 2016 06:25:44 -0500

Changed in openvswitch (Ubuntu Wily):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for openvswitch has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

James Page (james-page) wrote :

The verification of the Stable Release Update for openvswitch has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

James Page (james-page) wrote :

This bug was fixed in the package openvswitch - 2.4.1-0ubuntu0.15.10.1~cloud0
---------------

 openvswitch (2.4.1-0ubuntu0.15.10.1~cloud0) trusty-liberty; urgency=medium
 .
   * New upstream release for the Ubuntu Cloud Archive.
 .
 openvswitch (2.4.1-0ubuntu0.15.10.1) wily; urgency=medium
 .
   * New upstream point release (LP: #1575119):
     - CVE-2016-2074: MPLS buffer overflow vulnerabilities.
