Debian Patches

Status for openvswitch/3.1.0-2

Patch: ovs-ctl-ipsec.patch
Description: Don't monitor ipsec daemon

For Ubuntu systemd will monitor the ovs-monitor-ipsec daemon so
there is no need to spawn a separate monitor thread to deal with
restarts. Doing so has the side effect of confusing systemd into
monitoring the wrong process.

Author: James Page <james.page@ubuntu.com>
Forwarded: not-needed

Patch: CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch
Description: CVE-2023-1668: ofproto-dpif-xlate: Always mask ip proto field.

The ofproto layer currently treats nw_proto field as overloaded to mean
both that a proper nw layer exists, as well as the value contained in
the header for the nw proto. However, this is incorrect behavior as
relevant standards permit that any value, including '0' should be treated
as a valid value.

Because of this overload, when the ofproto layer builds action list for
a packet with nw_proto of 0, it won't build the complete action list that
we expect to be built for the packet. That will cause a bad behavior
where all packets passing the datapath will fall into an incomplete
action set.

The fix here is to unwildcard nw_proto, allowing us to preserve setting
actions for protocols which we know have support for the actions we
program. This means that a traffic which contains nw_proto == 0 cannot
cause connectivity breakage with other traffic on the link.

diff --git a/include/openvswitch/meta-flow.h b/include/openvswitch/meta-flow.h
index 045dce8f5fa..3b0220aaa25 100644

Author: Aaron Conole <aconole@redhat.com>
Forwarded: no
Bugs: debian
Origin: upstream, https://github.com/openvswitch/ovs/commit/61b39d8c4797f1b668e4d5e5350d639fca6082a9.patch
Last update: 2023-04-11
