Hi Thomas,

On Fri, Jan 15, 2021 at 09:29:47AM +0100, Thomas Goirand wrote:
> On 1/14/21 10:38 PM, Salvatore Bonaccorso wrote:
> > Source: openvswitch
> > Version: 2.15.0~git20210104.def6eb1ea+dfsg1-3
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> > Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u2
> > Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12
> >
> > Hi,
> >
> > The following vulnerability was published for openvswitch.
> >
> > CVE-2020-27827[0]:
> > | lldp: avoid memory leak from bad packets
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2020-27827
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27827
> > [1] https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000269.html
> > [2] https://github.com/openvswitch/ovs/commit/78e712c0b1dacc2f12d2a03d98f083d8672867f0
> >
> > Regards,
> > Salvatore
>
> Hi Salvatore,
>
> Thanks for the bug report.
>
> Please find, attached, the debdiff to fix the CVE in Buster. Note that
> Unstable/Sid has already been patched.
>
> Please allow me to upload this to buster-security.
Thanks, this is probably fine for a DSA. *But* please respin the package
and include the fix for CVE-2015-8011 as well; this is fixed in unstable
already. For details and the upstream commit see:

https://security-tracker.debian.org/tracker/CVE-2015-8011

(While at it, please set urgency=high for consistency.)

Can you repost a debdiff with the CVE-2015-8011 fix as well?

Can you test the package in production?

Regards,
Salvatore