Comment 45 for bug 1461054

Darragh O'Reilly (darragh-oreilly) wrote : Re: Adding 0.0.0.0/0 to allowed address pairs breaks l2 agent (CVE-2015-3221)

Tristan, yes, a user can have a port with an allowed address pair with ip_address ending in /0 without breaking the L2 agent, if none of the port's security groups have their remote_group_id set. If a user has a port like this, and a patch to block new /0 address pairs is applied, the user could still break the agent by changing the port's security groups.

I'm not sure about deleting them - this could affect users. Maybe we could supply a Python script for operators that would search for ports with /0 and update them with 2x /1?
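A sketch of the rewrite step such an operator script would need, as an added example that is not part of the original comment or of Neutron's code: it takes port records shaped like the Neutron API port resource (`allowed_address_pairs` entries with `ip_address` and an optional `mac_address`) and plans a replacement list in which each /0 entry becomes its two /1 halves. The function names and the sample ports are hypothetical and constructed for illustration; fetching ports and sending the updates are left to the operator's own tooling.

```python
import ipaddress


def split_zero_prefix(pairs):
    """Return (new_pairs, changed); each /0 entry is replaced by two /1 entries."""
    out, seen, changed = [], set(), False
    for pair in pairs:
        # strict=False accepts host bits, e.g. "10.1.2.3/0" is still a /0.
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        if net.prefixlen == 0:
            changed = True
            cidrs = [str(half) for half in net.subnets(prefixlen_diff=1)]
        else:
            cidrs = [pair["ip_address"]]  # leave other entries untouched
        for cidr in cidrs:
            # Skip a /1 that is already present for the same MAC.
            key = (cidr, pair.get("mac_address"))
            if key not in seen:
                seen.add(key)
                out.append(dict(pair, ip_address=cidr))
    return out, changed


def plan_updates(ports):
    """Map port id -> replacement allowed_address_pairs, only for affected ports."""
    plan = {}
    for port in ports:
        pairs, changed = split_zero_prefix(port.get("allowed_address_pairs") or [])
        if changed:
            plan[port["id"]] = pairs
    return plan


# Constructed sample data (hypothetical ids and addresses).
SAMPLE_PORTS = [
    {"id": "port-a", "allowed_address_pairs": [
        {"ip_address": "0.0.0.0/0", "mac_address": "fa:16:3e:00:00:01"}]},
    {"id": "port-b", "allowed_address_pairs": [
        {"ip_address": "10.0.0.5"}, {"ip_address": "128.0.0.0/1"},
        {"ip_address": "10.1.2.3/0"}]},
    {"id": "port-c", "allowed_address_pairs": [{"ip_address": "::/0"}]},
    {"id": "port-d", "allowed_address_pairs": [{"ip_address": "192.168.1.0/24"}]},
]

if __name__ == "__main__":
    for port_id, pairs in plan_updates(SAMPLE_PORTS).items():
        print(port_id, pairs)
```
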