Version in base suite: 23.03.0-1 Version in overlay suite: 23.03.1-1~deb12u1 Base version: ovn_23.03.1-1~deb12u1 Target version: ovn_23.03.1-1~deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/ovn/ovn_23.03.1-1~deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/ovn/ovn_23.03.1-1~deb12u2.dsc changelog | 8 +++++ patches/CVE-2024-2182.patch | 69 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 78 insertions(+)
diff -Nru ovn-23.03.1/debian/changelog ovn-23.03.1/debian/changelog
--- ovn-23.03.1/debian/changelog 2023-09-08 07:02:09.000000000 +0000
+++ ovn-23.03.1/debian/changelog 2024-03-12 13:49:48.000000000 +0000
@@ -1,3 +1,11 @@
+ovn (23.03.1-1~deb12u2) bookworm; urgency=medium
+
+ * Team upload.
+ * CVE-2024-2182: Fix insufficient validation of incoming BFD packets
+ (LP: #2053113).
+
+ -- Frode Nordahl Tue, 12 Mar 2024 14:49:48 +0100
+ ovn (23.03.1-1~deb12u1) bookworm; urgency=medium + * Team upload.
diff -Nru ovn-23.03.1/debian/patches/CVE-2024-2182.patch ovn-23.03.1/debian/patches/CVE-2024-2182.patch
--- ovn-23.03.1/debian/patches/CVE-2024-2182.patch 1970-01-01 00:00:00.000000000 +0000
+++ ovn-23.03.1/debian/patches/CVE-2024-2182.patch 2024-03-12 13:49:48.000000000 +0000
@@ -0,0 +1,69 @@
+From 019940f6222272c1fdd0553e3c2a4153aabefd0a Mon Sep 17 00:00:00 2001
+From: Frode Nordahl
+Date: Thu, 8 Feb 2024 09:48:12 +0100
+Subject: [PATCH ovn branch-23.03] controller: Set check_tnl_key for BFD on
+ tunnel ifaces.
+
+The OVS BFD configuration option `check_tnl_key` controls whether
+OVS should consider the tunnel key before processing BFD control
+messages. The OVN pipeline design ensures traffic originating
+from a logical port will have a non-zero tunnel key.
+
+Always set `check_tnl_key` to "true" to avoid processing of
+BFD control messages originating from a logical port.
+
+Signed-off-by: Frode Nordahl
+Signed-off-by: Dumitru Ceara
+---
+ controller/bfd.c | 3 +++
+ tests/ovn.at | 6 +++---
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/controller/bfd.c b/controller/bfd.c
+index cf011e382..f47333191 100644
+--- a/controller/bfd.c
++++ b/controller/bfd.c
+@@ -235,6 +235,9 @@ bfd_run(const struct ovsrec_interface_table *interface_table,
+ if (mult) {
+ smap_add(&bfd, "mult", mult);
+ }
++ /* `check_tnl_key` must always be set to "true" to avoid processing of
++ * BFD control messages originating from a logical port. */
++ smap_add(&bfd, "check_tnl_key", "true");
+ }
+
+ /* Enable or disable bfd */
+diff --git a/tests/ovn.at b/tests/ovn.at
+index 581286a4b..775b654de 100644
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -13414,7 +13414,7 @@ for chassis in gw1 hv1 hv2; do
+ echo "checking gw2 -> $chassis"
+ OVS_WAIT_UNTIL([
+ bfd_cfg=$(ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0)
+- test "$bfd_cfg" = "enable=true min_rx=2000"
++ test "$bfd_cfg" = "check_tnl_key=true enable=true min_rx=2000"
+ ])
+ done
+ ovn-nbctl --wait=hv set NB_Global . 
options:"bfd-min-tx"=1500
+@@ -13422,7 +13422,7 @@ for chassis in gw1 hv1 hv2; do
+ echo "checking gw2 -> $chassis"
+ OVS_WAIT_UNTIL([
+ bfd_cfg=$(ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0)
+- test "$bfd_cfg" = "enable=true min_rx=2000 min_tx=1500"
++ test "$bfd_cfg" = "check_tnl_key=true enable=true min_rx=2000 min_tx=1500"
+ ])
+ done
+ ovn-nbctl remove NB_Global . options "bfd-min-rx"
+@@ -13431,7 +13431,7 @@ for chassis in gw1 hv1 hv2; do
+ echo "checking gw2 -> $chassis"
+ OVS_WAIT_UNTIL([
+ bfd_cfg=$(ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0)
+- test "$bfd_cfg" = "enable=true min_tx=1500 mult=15"
++ test "$bfd_cfg" = "check_tnl_key=true enable=true min_tx=1500 mult=15"
+ ])
+ done
+
+--
+2.43.0
+
diff -Nru ovn-23.03.1/debian/patches/series ovn-23.03.1/debian/patches/series
--- ovn-23.03.1/debian/patches/series 2023-09-08 07:02:09.000000000 +0000
+++ ovn-23.03.1/debian/patches/series 2024-03-12 13:49:48.000000000 +0000
@@ -1,2 +1,3 @@
 0001-vif-plug-representor-Log-reason-for-failure-during-u.patch
 0002-vif-plug-representor-Lower-severity-of-set-udev-recv.patch
+CVE-2024-2182.patch
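Review bot: The new comment in bfd_run says `check_tnl_key` "must always" be "true" but not what that rests on, so a later change that makes BFD options tunable has no visible reason to leave it alone; the invariant is only in the commit message and belongs next to the smap_add(), e.g. `/* CVE-2024-2182: OVN guarantees that packets from a logical port carry a non-zero tunnel key, so making OVS check the key keeps guest-originated BFD control messages from being accepted on the tunnel interface. */`. The added smap_add() sits beside the min_rx/min_tx/mult ones and, like them, assumes `bfd` is a freshly built map; if it were ever seeded from an existing Interface.bfd column, smap_add() would leave a duplicate key and smap_replace() would be the right call, which cannot be confirmed here because bfd_run starts and ends outside the hunk. The test changes only assert `check_tnl_key=true` on interfaces that also have min_rx/min_tx/mult set, so it is worth confirming there is a case covering a BFD-enabled interface with no other options (presumably the plain `enable=true` one), which is the configuration most deployments run.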