Update to Open vSwitch 2.7.2

Add a symlink of the OCF script in the OCF resources folder

Resolves: #1472800
f38
Timothy Redaelli 8 years ago
parent 0b4ccf3665
commit 5fb65cc83c

1
.gitignore vendored

@ -23,3 +23,4 @@
/dpdk-16.11.1.tar.gz /dpdk-16.11.1.tar.gz
/dpdk-16.11.2.tar.gz /dpdk-16.11.2.tar.gz
/openvswitch-2.7.1.tar.gz /openvswitch-2.7.1.tar.gz
/openvswitch-2.7.2.tar.gz

@ -1,31 +0,0 @@
From ebeef5b165fff88eff987628b5d849a6bffd017b Mon Sep 17 00:00:00 2001
From: Ben Pfaff <blp@ovn.org>
Date: Fri, 26 May 2017 13:22:26 -0700
Subject: [PATCH] ofp-print: Don't abort on unknown reason in role status
message.
A buggy or malicious switch could send a role status message with a bad
reason code, which if printed by OVS would cause it to abort. This fixes
the problem.
Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
---
lib/ofp-print.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/ofp-print.c b/lib/ofp-print.c
index c03af61c3f..796039e728 100644
--- a/lib/ofp-print.c
+++ b/lib/ofp-print.c
@@ -2098,7 +2098,8 @@ ofp_print_role_status_message(struct ds *string, const struct ofp_header *oh)
break;
case OFPCRR_N_REASONS:
default:
- OVS_NOT_REACHED();
+ ds_put_cstr(string, "(unknown)");
+ break;
}
}

@ -1,33 +0,0 @@
From 050f90662dde1da1ee3cdd209a9b65196a808811 Mon Sep 17 00:00:00 2001
From: Ben Pfaff <blp@ovn.org>
Date: Fri, 26 May 2017 12:59:06 -0700
Subject: [PATCH] ofp-util: Check length of buckets in
ofputil_pull_ofp15_group_mod().
This code blindly read forward for the number of bytes specified by the
message without checking that it was in range.
This bug is part of OpenFlow 1.5 support. Open vSwitch does not enable
OpenFlow 1.5 support by default.
Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
---
lib/ofp-util.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index 92c17f4837..39ab8362d0 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -9418,6 +9418,9 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version,
}
bucket_list_len = ntohs(ogm->bucket_array_len);
+ if (bucket_list_len > msg->size) {
+ return OFPERR_OFPBRC_BAD_LEN;
+ }
error = ofputil_pull_ofp15_buckets(msg, bucket_list_len, ofp_version,
gm->type, &gm->buckets);
if (error) {

@ -29,8 +29,8 @@
%define dpdksver %(echo %{dpdkver} | cut -d. -f-2) %define dpdksver %(echo %{dpdkver} | cut -d. -f-2)
Name: openvswitch Name: openvswitch
Version: 2.7.1 Version: 2.7.2
Release: 2%{?snapshot}%{?dist} Release: 1%{?snapshot}%{?dist}
Summary: Open vSwitch daemon/database/utilities Summary: Open vSwitch daemon/database/utilities
# Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the
@ -42,9 +42,6 @@ Source0: http://openvswitch.org/releases/%{name}-%{version}%{?snap_gitsha}.tar.g
Source1: http://fast.dpdk.org/rel/dpdk-%{dpdkver}.tar.gz Source1: http://fast.dpdk.org/rel/dpdk-%{dpdkver}.tar.gz
Source2: ovs-snapshot.sh Source2: ovs-snapshot.sh
Patch1: openvswitch-CVE-2017-9263.patch
Patch2: openvswitch-CVE-2017-9265.patch
%if %{with dpdk} %if %{with dpdk}
%define dpdkarches x86_64 i686 aarch64 ppc64le %define dpdkarches x86_64 i686 aarch64 ppc64le
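Review bot: Dropping Patch1 and Patch2 (openvswitch-CVE-2017-9263.patch and openvswitch-CVE-2017-9265.patch) assumes the 2.7.2 tarball already contains both fixes, and nothing in the spec checks that. Before merging, confirm in the unpacked 2.7.2 source that the default case of ofp_print_role_status_message() in lib/ofp-print.c no longer reaches OVS_NOT_REACHED(), and that ofputil_pull_ofp15_group_mod() in lib/ofp-util.c has the bucket_list_len > msg->size check.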
@ -364,6 +361,10 @@ install -p -m 0644 rhel/usr_lib_firewalld_services_ovn-central-firewall-service.
install -p -m 0644 rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml \ install -p -m 0644 rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml \
$RPM_BUILD_ROOT%{_prefix}/lib/firewalld/services/ovn-host-firewall-service.xml $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/services/ovn-host-firewall-service.xml
install -d -m 0755 $RPM_BUILD_ROOT%{_prefix}/lib/ocf/resource.d/ovn
ln -s %{_datadir}/openvswitch/scripts/ovndb-servers.ocf \
$RPM_BUILD_ROOT%{_prefix}/lib/ocf/resource.d/ovn/ovndb-servers
touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db
touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf
@ -627,6 +628,7 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/ovn-sbctl.8* %{_mandir}/man8/ovn-sbctl.8*
%{_mandir}/man5/ovn-nb.5* %{_mandir}/man5/ovn-nb.5*
%{_mandir}/man5/ovn-sb.5* %{_mandir}/man5/ovn-sb.5*
%{_prefix}/lib/ocf/resource.d/ovn/ovndb-servers
%files ovn-central %files ovn-central
%{_bindir}/ovn-northd %{_bindir}/ovn-northd
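Review bot: The %files line added here lists only the ovndb-servers symlink, while the install section creates %{_prefix}/lib/ocf/resource.d/ovn with install -d, so that directory is left unowned by the package. Add a "%dir %{_prefix}/lib/ocf/resource.d/ovn" entry so the directory is owned and removed cleanly on uninstall.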
@ -648,6 +650,10 @@ rm -rf $RPM_BUILD_ROOT
%{_unitdir}/ovn-controller-vtep.service %{_unitdir}/ovn-controller-vtep.service
%changelog %changelog
* Wed Jul 19 2017 Timothy Redaelli <tredaelli@redhat.com> - 2.7.2-1
- Update to Open vSwitch 2.7.2
- Add a symlink of the OCF script in the OCF resources folder
* Fri Jul 14 2017 Timothy Redaelli <tredaelli@redhat.com> - 2.7.1-2 * Fri Jul 14 2017 Timothy Redaelli <tredaelli@redhat.com> - 2.7.1-2
- Backport fix for CVE-2017-9263 (#1457327) - Backport fix for CVE-2017-9263 (#1457327)
- Backport fix for CVE-2017-9265 (#1457335) - Backport fix for CVE-2017-9265 (#1457335)
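Review bot: The new 2.7.2-1 changelog entry does not mention that the CVE-2017-9263 and CVE-2017-9265 backports listed under 2.7.1-2 are no longer applied as patches. Add a line stating that both fixes now come from the 2.7.2 tarball, so anyone auditing the package for these CVEs can see why the patches disappeared.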

@ -1,2 +1,2 @@
SHA512 (openvswitch-2.7.2.tar.gz) = 790a715dd31729893a1c21af4197400b7362569d15cb763cbbab82830c5f5168d2dea0cb40282faa17734a2ad967bc40d02b8f4f92ea585164386d2aa0719470
SHA512 (dpdk-16.11.2.tar.gz) = b0b103f7f45620e7e4e4601ac57781104e6764cdb1d31ece29162c9588e0cd6de0cf4be5e1988bb7493ca43fdd476bc100e6c42edc6763dcf9c77475c3ac7317 SHA512 (dpdk-16.11.2.tar.gz) = b0b103f7f45620e7e4e4601ac57781104e6764cdb1d31ece29162c9588e0cd6de0cf4be5e1988bb7493ca43fdd476bc100e6c42edc6763dcf9c77475c3ac7317
SHA512 (openvswitch-2.7.1.tar.gz) = eb3446088fdc368eadb88e7b7124764e0a23be41a50b7045f2a621770b2064b3cfa6ed482e9d72d0d2a4cb527df1196f69e4340377b9327f8f2e227c4b19f01f
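Review bot: The SHA512 added for openvswitch-2.7.2.tar.gz is the only integrity check on a tarball whose Source0 URL is plain http://openvswitch.org/releases/. Make sure this digest was computed from a copy obtained and verified over an authenticated channel, and consider switching Source0 to https if upstream serves it.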
