Version 3.6.3 is fixing a CVE:

v3.6.3 - 31 Mar 2026
--------------------
   - Bug fixes
   - DPDK:
     * OVS validated with DPDK 24.11.4.
   - Security:
     * Fixed buffer overflow during conntrack processing of alg=ftp in
       userspace datapath (CVE-2026-34956).

This indicates that it should go through the security team, or at least
be built with just security enabled, copied to proposed, and then
released to both updates and security. Or something like that.

Has the security team been approached? I also don't see a current
openvswitch upload to questing-security, so the security team hasn't
patched this (yet?).

I'm subscribing ubuntu-security to the bug, and marking it as incomplete
to highlight that more information (and possibly a process change) is
needed.

** CVE added: https://cve.org/CVERecord?id=CVE-2026-34956

** Changed in: openvswitch (Ubuntu Questing)
       Status: New => Incomplete

--
https://bugs.launchpad.net/bugs/2154007
Title:
[SRU] openvswitch 3.6.3 point release