diff -Nru openvswitch-2.5.5/debian/changelog openvswitch-2.5.5/debian/changelog
--- openvswitch-2.5.5/debian/changelog 2018-08-22 08:36:55.000000000 +0000
+++ openvswitch-2.5.5/debian/changelog 2018-10-04 15:45:25.000000000 +0000
@@ -1,3 +1,16 @@
+openvswitch (2.5.5-0ubuntu0.16.04.2) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: assertion failure when decoding a group mod
+ - debian/patches/CVE-2018-17204.patch: don't assert-fail decoding bad
+ OF1.5 group mod type or command in lib/ofp-util.c.
+ - CVE-2018-17204
+ * SECURITY UPDATE: buffer overread during BUNDLE action decoding
+ - debian/patches/CVE-2018-17206.patch: avoid overread in
+ lib/ofp-actions.c.
+ - CVE-2018-17206
+
+ -- Marc Deslauriers Thu, 04 Oct 2018 11:45:07 -0400
+
 openvswitch (2.5.5-0ubuntu0.16.04.1) xenial; urgency=medium
 
 * Bump nofiles to 1048576 for ovs daemons (LP: #1737866).
diff -Nru openvswitch-2.5.5/debian/patches/CVE-2018-17204.patch openvswitch-2.5.5/debian/patches/CVE-2018-17204.patch
--- openvswitch-2.5.5/debian/patches/CVE-2018-17204.patch 1970-01-01 00:00:00.000000000 +0000
+++ openvswitch-2.5.5/debian/patches/CVE-2018-17204.patch 2018-10-04 15:44:59.000000000 +0000
@@ -0,0 +1,43 @@
+From 94b443070fea2a15bc4768c35d59d46892cdc901 Mon Sep 17 00:00:00 2001
+From: Ben Pfaff
+Date: Thu, 5 Jul 2018 15:28:51 -0700
+Subject: [PATCH] ofp-group: Don't assert-fail decoding bad OF1.5 group mod
+ type or command.
+
+When decoding a group mod, the current code validates the group type and
+command after the whole group mod has been decoded. The OF1.5 decoder,
+however, tries to use the type and command earlier, when it might still be
+invalid. This caused an assertion failure (via OVS_NOT_REACHED). This
+commit fixes the problem.
+
+ovs-vswitchd does not enable support for OpenFlow 1.5 by default.
+
+Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9249
+Signed-off-by: Ben Pfaff
+Reviewed-by: Yifeng Sun
+---
+ lib/ofp-util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: openvswitch-2.5.5/lib/ofp-util.c
+===================================================================
+--- openvswitch-2.5.5.orig/lib/ofp-util.c 2018-10-04 11:44:56.840368348 -0400
++++ openvswitch-2.5.5/lib/ofp-util.c 2018-10-04 11:44:56.836368339 -0400
+@@ -8280,7 +8280,7 @@ parse_group_prop_ntr_selection_method(st
+ "for select groups");
+ return OFPERR_OFPBPC_BAD_VALUE;
+ default:
+- OVS_NOT_REACHED();
++ return OFPERR_OFPGMFC_BAD_TYPE;
+ }
+
+ switch (group_cmd) {
+@@ -8294,7 +8294,7 @@ parse_group_prop_ntr_selection_method(st
+ "for add and delete group modifications");
+ return OFPERR_OFPBPC_BAD_VALUE;
+ default:
+- OVS_NOT_REACHED();
++ return OFPERR_OFPGMFC_BAD_COMMAND;
+ }
+
+ if (payload->size < sizeof *prop) {
diff -Nru openvswitch-2.5.5/debian/patches/CVE-2018-17206.patch openvswitch-2.5.5/debian/patches/CVE-2018-17206.patch
--- openvswitch-2.5.5/debian/patches/CVE-2018-17206.patch 1970-01-01 00:00:00.000000000 +0000
+++ openvswitch-2.5.5/debian/patches/CVE-2018-17206.patch 2018-10-04 15:45:02.000000000 +0000
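Review bot: The two new `default:` arms return silently, while the neighbouring branches visibly end a message (`"for select groups");`, `"for add and delete group modifications");`) before their `return OFPERR_OFPBPC_BAD_VALUE;`, so a controller that sends an out-of-range group type or command in an OF1.5 ntr_selection_method property now gets an error code but, as far as this hunk shows, no log line; emitting the same kind of message before `return OFPERR_OFPGMFC_BAD_TYPE;` / `return OFPERR_OFPGMFC_BAD_COMMAND;` would keep the property parser's diagnostics uniform. A one-line comment on each new arm would also spare the next reader a trip to the CVE, e.g. `/* Type and command are only validated after the whole group mod is decoded, so a bad value can reach this parser; reject it instead of asserting. */`. The returned codes are group-mod (OFPGMFC) errors rather than the bad-property (OFPBPC) codes used around them, which reads as deliberate but deserves a word in that comment. This fixes the one consumer shown here; if any other OF1.5 property parser reads group_type or group_cmd before validation it would need the same treatment, though none is visible in this hunk. parse_group_prop_ntr_selection_method starts and ends outside the hunk.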
@@ -0,0 +1,36 @@
+From e1b5444c2f2ed4bda2c75597468f067ae104319d Mon Sep 17 00:00:00 2001
+From: Ben Pfaff
+Date: Mon, 25 Jun 2018 13:07:43 -0700
+Subject: [PATCH] ofp-actions: Avoid buffer overread in BUNDLE action decoding.
+
+Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9052
+Signed-off-by: Ben Pfaff
+Acked-by: Justin Pettit
+---
+ lib/ofp-actions.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
+index 36bbc00d27..16e5b3986c 100644
+--- a/lib/ofp-actions.c
++++ b/lib/ofp-actions.c
+@@ -1081,12 +1081,13 @@ decode_bundle(bool load, const struct nx_action_bundle *nab,
+ load ? "bundle_load" : "bundle", slaves_size,
+ bundle->n_slaves * sizeof(ovs_be16), bundle->n_slaves);
+ error = OFPERR_OFPBAC_BAD_LEN;
+- }
+-
+- for (i = 0; i < bundle->n_slaves; i++) {
+- ofp_port_t ofp_port = u16_to_ofp(ntohs(((ovs_be16 *)(nab + 1))[i]));
+- ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port);
+- bundle = ofpacts->header;
++ } else {
++ for (i = 0; i < bundle->n_slaves; i++) {
++ ofp_port_t ofp_port
++ = u16_to_ofp(ntohs(((ovs_be16 *)(nab + 1))[i]));
++ ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port);
++ bundle = ofpacts->header;
++ }
+ }
+
+ ofpact_update_len(ofpacts, &bundle->ofpact);
diff -Nru openvswitch-2.5.5/debian/patches/series openvswitch-2.5.5/debian/patches/series
--- openvswitch-2.5.5/debian/patches/series 2018-08-22 08:35:31.000000000 +0000
+++ openvswitch-2.5.5/debian/patches/series 2018-10-04 15:45:02.000000000 +0000
@@ -1,3 +1,5 @@
 ovs-ctl-dpdk.patch
 system-dpdk.patch
 CVE-2017-9263.patch
+CVE-2018-17204.patch
+CVE-2018-17206.patch
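Review bot: On the bad-length path the new `else` skips the slave copy but execution still falls through to `ofpact_update_len(ofpacts, &bundle->ofpact);`, so the ofpact is finalized with `bundle->n_slaves` carrying the attacker-supplied count while zero slave ports were appended; whether anything can observe that half-built action before `error` is returned depends on the rest of decode_bundle, which lies outside the hunk, but an early `return OFPERR_OFPBAC_BAD_LEN;` in place of `error = OFPERR_OFPBAC_BAD_LEN;` would remove the question and the extra nesting. The `if` condition that sets the error is not visible here, so I am assuming it compares `slaves_size` against `bundle->n_slaves * sizeof(ovs_be16)` as the message text suggests; if it does, the loop's reads of `((ovs_be16 *)(nab + 1))[i]` are now bounded by it. A short comment on the `else` would record why the loop must not run, e.g. `/* Only walk the slave list once its declared length fits in the action; otherwise the reads would run past the end of nab. */`. decode_bundle starts and ends outside the hunk.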