This update for openvswitch fixes the following issues:
Update OpenvSwitch to v3.1.7 and OVN to v23.03.3.
Security issues fixed:
- CVE-2023-3966: ovs: invalid memory access and potential denial of service via specially crafted Geneve packets (bsc#1219465).
- CVE-2023-5366: ovs: OpenFlow rules may be bypassed via specially crafted ICMPv6 Neighbor Advertisement packets sent between virtual machines (bsc#1216002).
- CVE-2024-2182: ovn: denial of service via injection of specially crafted BFD packets from inside unprivileged workloads (bsc#1255435).
- CVE-2025-0650: ovn: egress ACLs may be bypassed via specially crafted UDP packets (bsc#1236353).
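The quickest way to confirm a host is covered by this advisory is to compare the installed package versions with the fixed versions named above (OpenvSwitch 3.1.7, OVN 23.03.3). The script below is an added example, not part of the advisory: it implements a component-wise dotted-version comparison in plain POSIX sh and reports whether an update is still needed. The sample versions it loops over are constructed; the `rpm -q` query and the package names `openvswitch` and `ovn` in the comment are assumptions to adapt to your host.

```shell
#!/bin/sh
# Added example: decide whether an installed openvswitch/ovn version is older
# than the fixed version from this advisory. Pure POSIX sh, no sort -V needed.

# version_lt A B: succeeds (exit 0) when dotted version A is strictly older
# than B, comparing each numeric component in turn; missing components count as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"
        # Strip the component just read; an unchanged string means it was the last one.
        [ "$ap" = "$a" ] && a="" || a="${a#*.}"
        [ "$bp" = "$b" ] && b="" || b="${b#*.}"
        ap="${ap:-0}"; bp="${bp:-0}"
        [ "$ap" -lt "$bp" ] && return 0
        [ "$ap" -gt "$bp" ] && return 1
    done
    return 1   # all components equal: not older
}

# needs_update INSTALLED FIXED: prints "yes" when INSTALLED is older than FIXED, else "no".
needs_update() {
    if version_lt "$1" "$2"; then echo yes; else echo no; fi
}

# Fixed versions named in this advisory.
OVS_FIXED=3.1.7
OVN_FIXED=23.03.3

# Constructed sample versions, so the script runs without rpm.
# On a real SUSE host (package names assumed) you would use instead:
#   needs_update "$(rpm -q --qf '%{VERSION}' openvswitch)" "$OVS_FIXED"
#   needs_update "$(rpm -q --qf '%{VERSION}' ovn)"         "$OVN_FIXED"
for v in 3.1.4 3.1.7 3.2.0; do
    echo "openvswitch $v -> needs update: $(needs_update "$v" "$OVS_FIXED")"
done
for v in 23.03.1 23.03.3 23.9.0; do
    echo "ovn $v -> needs update: $(needs_update "$v" "$OVN_FIXED")"
done
```

Only the upstream version is compared; SUSE packages also carry a release field that a complete check would take into account, so treat this as the first coarse filter, not a replacement for `zypper patch --cve`.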
Other updates and bugfixes:
- OpenvSwitch:
  - https://www.openvswitch.org/releases/NEWS-3.1.7.txt
  - v3.1.7
    - Bug fixes
    - OVS validated with DPDK 22.11.7.
  - v3.1.6
    - Bug fixes
    - OVS validated with DPDK 22.11.6.
  - v3.1.5
    - Bug fixes
    - OVS validated with DPDK 22.11.5.
  - v3.1.4
    - Bug fixes
    - OVS validated with DPDK 22.11.4.
- OVN:
  - https://github.com/ovn-org/ovn/blob/branch-23.03/NEWS
  - v23.03.3
    - Bug fixes
    - Add "garp-max-timeout-sec" config option to vswitchd external-ids to cap the time between when ovn-controller sends gARP packets.
  - v23.03.1
    - Bug fixes
    - CT entries are not flushed by default anymore whenever a load balancer backend is removed. A new, per-LB, option 'ct_flush' can be used to restore the previous behavior. Disabled by default.
    - Always allow IPv6 Router Discovery, Neighbor Discovery, and Multicast Listener Discovery protocols, regardless of ACLs defined.
    - Send ICMP Fragmentation Needed packets back to offending ports when communicating with multichassis ports using frames that don't fit through a tunnel. This is done only for logical switches that are attached to a physical network via a localnet port, in which case multichassis ports may have an effective MTU different from regular ports...