diff -Nru ovn-22.03.3/debian/changelog ovn-22.03.3/debian/changelog
--- ovn-22.03.3/debian/changelog 2023-09-07 08:17:55.000000000 +0000
+++ ovn-22.03.3/debian/changelog 2024-03-09 00:42:46.000000000 +0000
@@ -1,3 +1,12 @@
+ovn (22.03.3-0ubuntu0.22.04.2) jammy-security; urgency=medium
+
+ * SECURITY UPDATE: Insufficient validation of incoming BFD packets
+ - debian/patches/CVE-2024-2182.patch: set check_tnl_key for BFD on
+ tunnel ifaces in controller/bfd.c, tests/ovn.at.
+ - CVE-2024-2182
+
+ -- Marc Deslauriers Fri, 08 Mar 2024 19:42:46 -0500
+
 ovn (22.03.3-0ubuntu0.22.04.1) jammy; urgency=medium
 
 * New upstream version 22.03.3 (LP: #2034675).
diff -Nru ovn-22.03.3/debian/patches/CVE-2024-2182.patch ovn-22.03.3/debian/patches/CVE-2024-2182.patch
--- ovn-22.03.3/debian/patches/CVE-2024-2182.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-22.03.3/debian/patches/CVE-2024-2182.patch 2024-03-09 00:42:39.000000000 +0000
@@ -0,0 +1,134 @@
+From 44732293193551b2fabee307ca142a8afca5f20a Mon Sep 17 00:00:00 2001
+From: Frode Nordahl
+Date: Thu, 8 Feb 2024 09:48:12 +0100
+Subject: [PATCH ovn branch-22.03] controller: Set check_tnl_key for BFD on
+ tunnel ifaces.
+
+The OVS BFD configuration option `check_tnl_key` controls whether
+OVS should consider the tunnel key before processing BFD control
+messages. The OVN pipeline design ensures traffic originating
+from a logical port will have a non-zero tunnel key.
+
+Always set `check_tnl_key` to "true" to avoid processing of
+BFD control messages originating from a logical port.
+
+Signed-off-by: Frode Nordahl
+Signed-off-by: Dumitru Ceara
+---
+ controller/bfd.c | 3 +++
+ tests/ovn.at | 22 +++++++++++-----------
+ 2 files changed, 14 insertions(+), 11 deletions(-)
+
+--- a/controller/bfd.c
++++ b/controller/bfd.c
+@@ -235,6 +235,9 @@ bfd_run(const struct ovsrec_interface_ta
+ if (mult) {
+ smap_add(&bfd, "mult", mult);
+ }
++ /* `check_tnl_key` must always be set to "true" to avoid processing of
++ * BFD control messages originating from a logical port. */
++ smap_add(&bfd, "check_tnl_key", "true");
+ }
+
+ /* Enable or disable bfd */
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -13105,7 +13105,7 @@ as gw1
+ for chassis in gw2 hv1 hv2; do
+ echo "checking gw1 -> $chassis"
+ AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0],[0],
+- [[enable=true
++ [[check_tnl_key=true enable=true
+ ]])
+ done
+
+@@ -13115,7 +13115,7 @@ as gw2
+ for chassis in gw1 hv1 hv2; do
+ echo "checking gw2 -> $chassis"
+ AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0],[0],
+- [[enable=true
++ [[check_tnl_key=true enable=true
+ ]])
+ done
+
+@@ -13124,7 +13124,7 @@ as hv1
+ for chassis in gw1 gw2; do
+ echo "checking hv1 -> $chassis"
+ AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0],[0],
+- [[enable=true
++ [[check_tnl_key=true enable=true
+ ]])
+ done
+ # make sure BFD is not enabled to hv2, we don't need it
+@@ -13138,7 +13138,7 @@ as hv2
+ for chassis in gw1 gw2; do
+ echo "checking hv2 -> $chassis"
+ AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0],[0],
+- [[enable=true
++ [[check_tnl_key=true enable=true
+ ]])
+ done
+ # make sure BFD is not enabled to hv1, we don't need it
+@@ -13178,7 +13178,7 @@ for chassis in gw1 hv1 hv2; do
+ echo "checking gw2 -> $chassis"
+ OVS_WAIT_UNTIL([
+ bfd_cfg=$(ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0)
+- test "$bfd_cfg" = "enable=true min_rx=2000"
++ test "$bfd_cfg" = "check_tnl_key=true enable=true min_rx=2000"
+ ])
+ done
+ ovn-nbctl --wait=hv set NB_Global . options:"bfd-min-tx"=1500
+@@ -13186,7 +13186,7 @@ for chassis in gw1 hv1 hv2; do
+ echo "checking gw2 -> $chassis"
+ OVS_WAIT_UNTIL([
+ bfd_cfg=$(ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0)
+- test "$bfd_cfg" = "enable=true min_rx=2000 min_tx=1500"
++ test "$bfd_cfg" = "check_tnl_key=true enable=true min_rx=2000 min_tx=1500"
+ ])
+ done
+ ovn-nbctl remove NB_Global . options "bfd-min-rx"
+@@ -13195,7 +13195,7 @@ for chassis in gw1 hv1 hv2; do
+ echo "checking gw2 -> $chassis"
+ OVS_WAIT_UNTIL([
+ bfd_cfg=$(ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0)
+- test "$bfd_cfg" = "enable=true min_tx=1500 mult=15"
++ test "$bfd_cfg" = "check_tnl_key=true enable=true min_tx=1500 mult=15"
+ ])
+ done
+
+@@ -13331,7 +13331,7 @@ as gw1
+ for chassis in gw2 hv1 hv2; do
+ echo "checking gw1 -> $chassis"
+ AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0],[0],
+- [[enable=true
++ [[check_tnl_key=true enable=true
+ ]])
+ done
+
+@@ -13340,7 +13340,7 @@ as gw2
+ for chassis in gw1 hv1 hv2; do
+ echo "checking gw2 -> $chassis"
+ AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0],[0],
+- [[enable=true
++ [[check_tnl_key=true enable=true
+ ]])
+ done
+
+@@ -13349,7 +13349,7 @@ as hv1
+ for chassis in gw1 gw2; do
+ echo "checking hv1 -> $chassis"
+ AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0],[0],
+- [[enable=true
++ [[check_tnl_key=true enable=true
+ ]])
+ done
+ # make sure BFD is not enabled to hv2, we don't need it
+@@ -13362,7 +13362,7 @@ as hv2
+ for chassis in gw1 gw2; do
+ echo "checking hv2 -> $chassis"
+ AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0],[0],
+- [[enable=true
++ [[check_tnl_key=true enable=true
+ ]])
+ done
+ # make sure BFD is not enabled to hv1, we don't need it
diff -Nru ovn-22.03.3/debian/patches/series ovn-22.03.3/debian/patches/series
--- ovn-22.03.3/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ ovn-22.03.3/debian/patches/series 2024-03-09 00:42:35.000000000 +0000
@@ -0,0 +1 @@
+CVE-2024-2182.patch
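Review bot: The new `smap_add(&bfd, "check_tnl_key", "true");` in the controller/bfd.c hunk is placed inside the same brace block as the optional `mult` key, and the condition that opens that block is outside the hunk (bfd_run starts and ends outside it as well), so this hunk alone cannot show that the key is written on every path that later sets the Interface bfd column; the comment's "must always be set" should be checked against that enclosing condition, since a tunnel interface that receives a BFD configuration without this key would keep the pre-patch behaviour. The comment would also carry more of the rationale from the commit message if it stated why forcing the key is safe, e.g. `/* Traffic from a logical port always carries a non-zero tunnel key, so with check_tnl_key=true OVS will not process it as a BFD control message. */`. The tests/ovn.at hunks only assert that `check_tnl_key=true` appears in the bfd column; the actual rejection of BFD control messages that arrive with a tunnel key is OVS behaviour this patch relies on but does not exercise, which is reasonable for a backport but worth stating in the commit message so the test's scope is clear.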