Backporting for neutron seems simple: the patch applies cleanly to stable/ocata which is the oldest version upstream supports.
Since I also have an interest in earlier releases that may still be supported by Red Hat, I also checked that the patch applies with some adjustments up to liberty. As for earlier releases, they are probably not affected because they don't include https://review.openstack.org/#/q/I5ef9665770df3a9bbaf79049b219fadd73e20309 that made neutron ovs agent skip tagging ports as dead if they don't have a tag in the first place.
Which makes me think that we should make sure that the CVE fix doesn't break the assumptions that the patch I linked to above made. The concern there, as far as I understand, is that drop flows are left on the bridge even after the port is gone, which may hinder performance et al.