CVE-2020-27827

NameCVE-2020-27827
DescriptionA flaw was found in multiple versions of OpenvSwitch. Specially crafted LLDP packets can cause memory to be lost when allocating data to handle specific optional TLVs, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2571-1, DLA-3389-1, DSA-4836-1
Debian Bugs980132

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lldpd (PTS)buster1.0.3-1vulnerable
buster (security)1.0.3-1+deb10u2fixed
bullseye (security), bullseye1.0.11-1+deb11u2fixed
bookworm, bookworm (security)1.0.16-1+deb12u1fixed
sid, trixie1.0.18-1fixed
openvswitch (PTS)buster2.10.7+ds1-0+deb10u1fixed
buster (security)2.10.7+ds1-0+deb10u5fixed
bullseye2.15.0+ds1-2+deb11u4fixed
bullseye (security)2.15.0+ds1-2+deb11u5fixed
bookworm3.1.0-2fixed
bookworm (security)3.1.0-2+deb12u1fixed
trixie3.3.0~git20240118.e802fe7-3fixed
sid3.3.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lldpdsourcebuster1.0.3-1+deb10u1DLA-3389-1
lldpdsource(unstable)1.0.8-1
openvswitchsourcestretch2.6.10-0+deb9u1DLA-2571-1
openvswitchsourcebuster2.10.6+ds1-0+deb10u1DSA-4836-1
openvswitchsource(unstable)2.15.0~git20210104.def6eb1ea+dfsg1-4980132

Notes

[stretch] - lldpd <no-dsa> (Minor issue)
https://github.com/openvswitch/ovs/pull/337
https://github.com/lldpd/lldpd/commit/a8d3c90feca548fc0656d95b5d278713db86ff61
https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000269.html
https://github.com/openvswitch/ovs/commit/78e712c0b1dacc2f12d2a03d98f083d8672867f0
Search for package or bug name: Reporting problems