SUSE-SU-2026:20049-1
- Source
- https://www.suse.com/support/update/announcement/2026/suse-su-202620049-1/
- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:20049-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/SUSE-SU-2026:20049-1
- Upstream
- Related
- Published
- 2026-01-09T10:54:58Z
- Modified
- 2026-03-23T04:52:31.998653Z
- Summary
- Security update for openvswitch
- Details
-
This update for openvswitch fixes the following issues:
Update OpenvSwitch to v3.1.7 and OVN to v23.03.3.
Security issues fixed:
- CVE-2023-3966: ovs: invalid memory access and potential denial of service via specially crafted Geneve packets (bsc#1219465).
- CVE-2023-5366: ovs: OpenFlow rules may be bypassed via specially crafted ICMPv6 Neighbor Advertisement packets sent between virtual machines t(bsc#1216002).
- CVE-2024-2182: ovn: denial of service via injection of specially crafted BFD packets from inside unprivileged workloads (bsc#1255435).
- CVE-2025-0650: ovn: egress ACLs may be bypassed via specially crafted UDP packet (bsc#1236353).
Other updates and bugfixes:
- OpenvSwitch:
- https://www.openvswitch.org/releases/NEWS-3.1.7.txt
- v3.1.7
- Bug fixes
- OVS validated with DPDK 22.11.7.
- v3.1.6
- Bug fixes
- OVS validated with DPDK 22.11.6.
- v3.1.5
- Bug fixes
- OVS validated with DPDK 22.11.5.
- v3.1.4
- Bug fixes
- OVS validated with DPDK 22.11.4.
- OVN:
- https://github.com/ovn-org/ovn/blob/branch-23.03/NEWS
- v23.03.3
- Bug fixes
- Add "garp-max-timeout-sec" config option to vswitchd external-ids to cap the time between when ovn-controller sends gARP packets.
- v23.03.1
- Bug fixes
- CT entries are not flushed by default anymore whenever a load balancer backend is removed. A new, per-LB, option 'ctflush' can be used to restore the previous behavior. Disabled by default.
- Always allow IPv6 Router Discovery, Neighbor Discovery, and Multicast Listener Discovery protocols, regardless of ACLs defined.
- Send ICMP Fragmentation Needed packets back to offending ports when communicating with multichassis ports using frames that don't fit through a tunnel. This is done only for logical switches that are attached to a physical network via a localnet port, in which case multichassis ports may have an effective MTU different from regular ports and hence may need this mechanism to maintain connectivity with other peers in the network.
- ECMP routes use L4SYM dp-hash by default if the datapath supports it. Existing sessions might get re-hashed to a different ECMP path when OVN detects the algorithm support in the datapath during an upgrade or restart of ovn-controller.
- References
-
- https://www.suse.com/support/update/announcement/2026/suse-su-202620049-1/
- https://bugzilla.suse.com/1216002
- https://bugzilla.suse.com/1219465
- https://bugzilla.suse.com/1236353
- https://bugzilla.suse.com/1255435
- https://www.suse.com/security/cve/CVE-2023-3966
- https://www.suse.com/security/cve/CVE-2023-5366
- https://www.suse.com/security/cve/CVE-2024-2182
- https://www.suse.com/security/cve/CVE-2025-0650
Affected packages
SUSE:Linux Micro 6.0 / openvswitch
Package
- Name
- openvswitch
- Purl
- pkg:rpm/suse/openvswitch&distro=SUSE%20Linux%20Micro%206.0
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.1.7-4.1