OpenStack Security Advisory

  1. Bug #1902917
  2. Comment #47

Comment 47 for bug 1902917

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/791500
Committed: https://opendev.org/openstack/neutron/commit/e1fe735e843b5d1bee4fa18e6011121027422203
Submitter: "Zuul (22348)"
Branch: stable/stein

commit e1fe735e843b5d1bee4fa18e6011121027422203
Author: Slawek Kaplonski <email address hidden>
Date: Mon Mar 29 22:21:15 2021 +0200

    [ovs fw] Restrict IPv6 NA and DHCP(v6) IP and MAC source addresses

    Neighbor Advertisments are used to inform other machines of the MAC
    address to use to reach an IPv6. This commits prevents VMs from
    pretending they are assigned IPv6 they should not use.

    It also prevents sending UDP packets with spoofed IP or MAC even using
    DHCP(v6) request ports.

    Co-authored-by: David Sinquin <email address hidden>

    Closes-bug: #1902917

    Conflicts:
        neutron/agent/linux/openvswitch_firewall/firewall.py

    Change-Id: Iffb6643359562487414460f5a7e19a7fae9f935c
    (cherry picked from commit ca7822e2108c151bda992ef8a6d454ec2c6d890e)