SUSE-SU-2026:20061-1

This update for openvswitch fixes the following issues:

Update OpenvSwitch to v3.1.7 and OVN to v23.03.3:

Security issues fixed:

• CVE-2023-3966: ovs: invalid memory access and potential denial of service via specially crafted Geneve packets (bsc#1219465).
• CVE-2023-5366: ovs: OpenFlow rules may be bypassed via specially crafted ICMPv6 Neighbor Advertisement packets sent between virtual machines t(bsc#1216002).
• CVE-2024-2182: ovn: denial of service via injection of specially crafted BFD packets from inside unprivileged workloads (bsc#1255435).
• CVE-2025-0650: ovn: egress ACLs may be bypassed via specially crafted UDP packet (bsc#1236353).

Other updates and bugfixes:

• OpenvSwitch upstream bugfix updates:

  • https://www.openvswitch.org/releases/NEWS-3.1.7.txt
  • v3.1.7
    • Bug fixes
    • OVS validated with DPDK 22.11.7.
  • v3.1.6
    • Bug fixes
    • OVS validated with DPDK 22.11.6.
  • v3.1.5
    • Bug fixes
    • OVS validated with DPDK 22.11.5.
  • v3.1.4
    • Bug fixes
    • OVS validated with DPDK 22.11.4.

• OVN upstream bugfix updates:

  • https://github.com/ovn-org/ovn/blob/branch-23.03/NEWS
  • v23.03.3
    • Bug fixes
    • Add "garp-max-timeout-sec" config option to vswitchd external-ids to cap the time between when ovn-controller sends gARP packets.
  • v23.03.1
    • Bug fixes
    • CT entries are not flushed by default anymore whenever a load balancer backend is removed. A new, per-LB, option 'ct_flush' can be used to restore the previous behavior. Disabled by default.
    • Always allow IPv6 Router Discovery, Neighbor Discovery, and Multicast Listener Discovery protocols, regardless of ACLs defined.
    • Send ICMP Fragmentation Needed packets back to offending ports when communicating with multichassis ports using frames that don't fit through a tunnel. This is done only for logical switches that are attached to a physical network via a localnet port, in which case multichassis ports may have an...