Version in base suite: 3.1.0-2 Base version: openvswitch_3.1.0-2 Target version: openvswitch_3.1.0-2+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openvswitch/openvswitch_3.1.0-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openvswitch/openvswitch_3.1.0-2+deb12u1.dsc changelog | 14 patches/CVE-2023-3966-netdev-offload-tc_Check_geneve_metadata_length.patch | 138 +++++ patches/CVE-2023-5366-Fix-missing-masks-on-a-final-stage-with-ports-trie.patch | 231 ++++++++++ patches/series | 2 4 files changed, 385 insertions(+) diff -Nru openvswitch-3.1.0/debian/changelog openvswitch-3.1.0/debian/changelog --- openvswitch-3.1.0/debian/changelog 2023-04-11 09:54:40.000000000 +0000 +++ openvswitch-3.1.0/debian/changelog 2024-02-18 15:46:26.000000000 +0000 
@@ -1,3 +1,17 @@ +openvswitch (3.1.0-2+deb12u1) bookworm-security; urgency=medium + + * CVE-2023-5366: A flaw was found in Open vSwitch that allows ICMPv6 Neighbor + Advertisement packets between virtual machines to bypass OpenFlow rules. + This issue may allow a local attacker to create specially crafted packets + with a modified or spoofed target IP address field that can redirect ICMPv6 + traffic to arbitrary IP addresses. Added upstream patch: "Fix missing masks + on a final stage with ports trie". + * CVE-2023-3966: Invalid memory access in Geneve with HW offload. Added + upstream patch: netdev-offload-tc: Check geneve metadata length + (Closes: #1063492). + + -- Thomas Goirand Sun, 18 Feb 2024 16:46:26 +0100 + openvswitch (3.1.0-2) unstable; urgency=high * CVE-2023-1668: Remote traffic denial of service via crafted packets with IP diff -Nru openvswitch-3.1.0/debian/patches/CVE-2023-3966-netdev-offload-tc_Check_geneve_metadata_length.patch openvswitch-3.1.0/debian/patches/CVE-2023-3966-netdev-offload-tc_Check_geneve_metadata_length.patch --- openvswitch-3.1.0/debian/patches/CVE-2023-3966-netdev-offload-tc_Check_geneve_metadata_length.patch 1970-01-01 00:00:00.000000000 +0000 +++ openvswitch-3.1.0/debian/patches/CVE-2023-3966-netdev-offload-tc_Check_geneve_metadata_length.patch 2024-02-18 15:46:26.000000000 +0000 
@@ -0,0 +1,138 @@ +Author: Timothy Redaelli +Date: Thu, 23 Nov 2023 19:47:54 +0100 +Description: CVE-2023-3966 netdev-offload-tc: Check geneve metadata length. + Currently ovs-vswitchd crashes, with hw offloading enabled, if a geneve + packet with corrupted metadata is received, because the metadata header + is not verified correctly. + . + This commit adds a check for geneve metadata length and, if the header + is wrong, the packet is not sent to flower. + . + It also includes a system-traffic test for geneve packets with corrupted + metadata. + . +Fixes: a468645c6d33 ("lib/tc: add geneve with option match offload") +Reported-by: Haresh Khandelwal +Signed-off-by: Timothy Redaelli +Signed-off-by: Ilya Maximets +Bug-Debian: https://bugs.debian.org/1063492 +Origin: upstream, https://github.com/openvswitch/ovs/commit/91e621bd5abab19954bec09c7d27c59acdf607b1.patch +Last-Update: 2024-02-18 + +Index: openvswitch/lib/netdev-offload-tc.c +=================================================================== +--- openvswitch.orig/lib/netdev-offload-tc.c ++++ openvswitch/lib/netdev-offload-tc.c +@@ -1719,12 +1719,12 @@ test_key_and_mask(struct match *match) + return 0; + } + +-static void ++static int + flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + struct flow_tnl *tnl_mask) + { + struct geneve_opt *opt, *opt_mask; +- int len, cnt = 0; ++ int tot_opt_len, len, cnt = 0; + + /* 'flower' always has an exact match on tunnel metadata length, so having + * it in a wrong format is not acceptable unless it is empty. 
*/ +@@ -1740,7 +1740,7 @@ flower_match_to_tun_opt(struct tc_flower + memset(&tnl_mask->metadata.present.map, 0, + sizeof tnl_mask->metadata.present.map); + } +- return; ++ return 0; + } + + tnl_mask->flags &= ~FLOW_TNL_F_UDPIF; +@@ -1754,7 +1754,7 @@ flower_match_to_tun_opt(struct tc_flower + sizeof tnl_mask->metadata.present.len); + + if (!tnl->metadata.present.len) { +- return; ++ return 0; + } + + memcpy(flower->key.tunnel.metadata.opts.gnv, tnl->metadata.opts.gnv, +@@ -1768,7 +1768,16 @@ flower_match_to_tun_opt(struct tc_flower + * also not masks, but actual lengths in the 'flower' structure. */ + len = flower->key.tunnel.metadata.present.len; + while (len) { ++ if (len < sizeof *opt) { ++ return EOPNOTSUPP; ++ } ++ + opt = &flower->key.tunnel.metadata.opts.gnv[cnt]; ++ tot_opt_len = sizeof *opt + opt->length * 4; ++ if (len < tot_opt_len) { ++ return EOPNOTSUPP; ++ } ++ + opt_mask = &flower->mask.tunnel.metadata.opts.gnv[cnt]; + + opt_mask->length = opt->length; +@@ -1776,6 +1785,8 @@ flower_match_to_tun_opt(struct tc_flower + cnt += sizeof(struct geneve_opt) / 4 + opt->length; + len -= sizeof(struct geneve_opt) + opt->length * 4; + } ++ ++ return 0; + } + + static void +@@ -2213,7 +2224,11 @@ netdev_tc_flow_put(struct netdev *netdev + tnl_mask->flags &= ~(FLOW_TNL_F_DONT_FRAGMENT | FLOW_TNL_F_CSUM); + + if (!strcmp(netdev_get_type(netdev), "geneve")) { +- flower_match_to_tun_opt(&flower, tnl, tnl_mask); ++ err = flower_match_to_tun_opt(&flower, tnl, tnl_mask); ++ if (err) { ++ VLOG_WARN_RL(&warn_rl, "Unable to parse geneve options"); ++ return err; ++ } + } + flower.tunnel = true; + } else { +Index: openvswitch/tests/system-offloads-traffic.at +=================================================================== +--- openvswitch.orig/tests/system-offloads-traffic.at ++++ openvswitch/tests/system-offloads-traffic.at +@@ -742,3 +742,36 @@ recirc_id(),in_port(3),eth_type( + + OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP ++ ++AT_SETUP([offloads - handling of geneve 
corrupted metadata - offloads enabled]) ++OVS_CHECK_GENEVE() ++ ++OVS_TRAFFIC_VSWITCHD_START( ++ [_ADD_BR([br-underlay]) -- \ ++ set bridge br0 other-config:hwaddr=f2:ff:00:00:00:01 -- \ ++ set bridge br-underlay other-config:hwaddr=f2:ff:00:00:00:02], ++ [], [-- set Open_vSwitch . other_config:hw-offload=true]) ++ ++AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"]) ++AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"]) ++ ++ADD_NAMESPACES(at_ns0) ++ ++dnl Set up underlay link from host into the namespace using veth pair. ++ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03) ++AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"]) ++AT_CHECK([ip link set dev br-underlay up]) ++ ++dnl Set up tunnel endpoints on OVS outside the namespace and with a native ++dnl linux device inside the namespace. ++ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24]) ++ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24], ++ [vni 0], [address f2:ff:00:00:00:04]) ++ ++NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 03 08 00 45 00 00 52 00 01 00 00 40 11 1f f7 ac 1f 01 01 ac 1f 01 64 de c1 17 c1 00 3e 59 e9 01 00 65 58 00 00 00 00 00 03 00 02 f2 ff 00 00 00 01 f2 ff 00 00 00 04 08 00 45 00 00 1c 00 01 00 00 40 01 64 7a 0a 01 01 01 0a 01 01 64 08 00 f7 ff 00 00 00 00 > /dev/null]) ++ ++OVS_WAIT_UNTIL([grep -q 'Invalid Geneve tunnel metadata' ovs-vswitchd.log]) ++ ++OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while processing icmp,in_port=1,vlan_tci=0x0000,dl_src=f2:ff:00:00:00:04,dl_dst=f2:ff:00:00:00:01,nw_src=10.1.1.1,nw_dst=10.1.1.100,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0/d ++/Unable to parse geneve options/d"]) ++AT_CLEANUP diff -Nru openvswitch-3.1.0/debian/patches/CVE-2023-5366-Fix-missing-masks-on-a-final-stage-with-ports-trie.patch 
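Review bot: The warning added in netdev_tc_flow_put, `VLOG_WARN_RL(&warn_rl, "Unable to parse geneve options");`, does not say which port the rejected tunnel metadata belongs to, so an operator who sees the new message in ovs-vswitchd.log cannot tell which tunnel port or attached VM is producing corrupted Geneve options; `netdev` is in scope at that point, so `VLOG_WARN_RL(&warn_rl, "%s: unable to parse geneve options", netdev_get_name(netdev));` would make the line actionable (the sed filter in the new system test would need the same wording). In flower_match_to_tun_opt the new `if (len < sizeof *opt)` compares the `int` counter against a `size_t`, so the comparison is performed unsigned; this is harmless as long as `len` is never negative, which appears to hold because it is loaded from `present.len`, but `if (len < (int) sizeof *opt)` keeps it consistent with the following signed `len < tot_opt_len` check and avoids a sign-compare warning. The body of netdev_tc_flow_put starts and ends outside the inner hunk, and since this file is an upstream backport any such change would have to be carried as a Debian-local delta.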
openvswitch-3.1.0/debian/patches/CVE-2023-5366-Fix-missing-masks-on-a-final-stage-with-ports-trie.patch --- openvswitch-3.1.0/debian/patches/CVE-2023-5366-Fix-missing-masks-on-a-final-stage-with-ports-trie.patch 1970-01-01 00:00:00.000000000 +0000 +++ openvswitch-3.1.0/debian/patches/CVE-2023-5366-Fix-missing-masks-on-a-final-stage-with-ports-trie.patch 2024-02-18 15:46:26.000000000 +0000 
@@ -0,0 +1,231 @@ +From 694c7b4e097c4d89e23ea9b3c7b677b4fcbe0459 Mon Sep 17 00:00:00 2001 +From: Ilya Maximets +Date: Fri, 17 Feb 2023 21:09:59 +0100 +Subject: [PATCH] classifier: Fix missing masks on a final stage with ports + trie. + +Flow lookup doesn't include masks of the final stage in a resulting +flow wildcards in case that stage had L4 ports match. Only the result +of ports trie lookup is added to the mask. It might be sufficient in +many cases, but it's not correct, because ports trie is not how we +decided that the packet didn't match in this subtable. In fact, we +used a full subtable mask in order to determine that, so all the +subtable mask bits has to be added. + +Ports trie can still be used to adjust ports' mask, but it is not +sufficient to determine that the packet didn't match. + +Assuming we have following 2 OpenFlow rules on the bridge: + + table=0, priority=10,tcp,tp_dst=80,tcp_flags=+psh actions=drop + table=0, priority=0 actions=output(1) + +The first high priority rule supposed to drop all the TCP data traffic +sent on port 80. The handshake, however, is allowed for forwarding. + +Both 'tcp_flags' and 'tp_dst' are on the final stage in the flow. +Since the stage mask from that stage is not incorporated into the flow +wildcards and only ports mask is getting updated, we have the following +megaflow for the SYN packet that has no match on 'tcp_flags': + + $ ovs-appctl ofproto/trace br0 "in_port=br0,tcp,tp_dst=80,tcp_flags=syn" + + Megaflow: recirc_id=0,eth,tcp,in_port=LOCAL,nw_frag=no,tp_dst=80 + Datapath actions: 1 + +If this flow is getting installed into datapath flow table, all the +packets for port 80, regardless of TCP flags, will be forwarded. + +Incorporating all the looked at bits from the final stage into the +stages map in order to get all the necessary wildcards. Ports mask +has to be updated as a last step, because it doesn't cover the full +64-bit slot in the flowmap. 
+ +With this change, in the example above, OVS is producing correct +flow wildcards including match on TCP flags: + + Megaflow: recirc_id=0,eth,tcp,in_port=LOCAL,nw_frag=no,tp_dst=80,tcp_flags=-psh + Datapath actions: 1 + +This way only -psh packets will be forwarded, as expected. + +This issue affects all other fields on stage 4, not only TCP flags. +Tests included to cover tcp_flags, nd_target and ct_tp_src/dst. +First two are frequently used, ct ones are sharing the same flowmap +slot with L4 ports, so important to test. + +Before the pre-computation of stage masks, flow wildcards were updated +during lookup, so there was no issue. The bits of the final stage was +lost with introduction of 'stages_map'. + +Recent adjustment of segment boundaries exposed 'tcp_flags' to the issue. + +Reported-at: https://github.com/openvswitch/ovs-issues/issues/272 +Fixes: ca44218515f0 ("classifier: Adjust segment boundary to execute prerequisite processing.") +Fixes: fa2fdbf8d0c1 ("classifier: Pre-compute stage masks.") +Acked-by: Aaron Conole +Signed-off-by: Ilya Maximets +--- + lib/classifier.c | 25 ++++++++++--- + tests/classifier.at | 88 +++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 108 insertions(+), 5 deletions(-) + +diff --git a/lib/classifier.c b/lib/classifier.c +index 0a89626cc30..18dbfc83ad4 100644 +--- a/lib/classifier.c ++++ b/lib/classifier.c +@@ -1695,6 +1695,8 @@ find_match_wc(const struct cls_subtable *subtable, ovs_version_t version, + const struct cls_match *rule = NULL; + struct flowmap stages_map = FLOWMAP_EMPTY_INITIALIZER; + unsigned int mask_offset = 0; ++ bool adjust_ports_mask = false; ++ ovs_be32 ports_mask; + int i; + + /* Try to finish early by checking fields in segments. */ +@@ -1722,6 +1724,9 @@ find_match_wc(const struct cls_subtable *subtable, ovs_version_t version, + subtable->index_maps[i], flow, wc)) { + goto no_match; + } ++ /* Accumulate the map used so far. 
*/ ++ stages_map = flowmap_or(stages_map, subtable->index_maps[i]); ++ + hash = flow_hash_in_minimask_range(flow, &subtable->mask, + subtable->index_maps[i], + &mask_offset, &basis); +@@ -1731,14 +1736,16 @@ find_match_wc(const struct cls_subtable *subtable, ovs_version_t version, + * unwildcarding all the ports bits, use the ports trie to figure out a + * smaller set of bits to unwildcard. */ + unsigned int mbits; +- ovs_be32 value, plens, mask; ++ ovs_be32 value, plens; + +- mask = miniflow_get_ports(&subtable->mask.masks); +- value = ((OVS_FORCE ovs_be32 *)flow)[TP_PORTS_OFS32] & mask; ++ ports_mask = miniflow_get_ports(&subtable->mask.masks); ++ value = ((OVS_FORCE ovs_be32 *) flow)[TP_PORTS_OFS32] & ports_mask; + mbits = trie_lookup_value(&subtable->ports_trie, &value, &plens, 32); + +- ((OVS_FORCE ovs_be32 *)&wc->masks)[TP_PORTS_OFS32] |= +- mask & be32_prefix_mask(mbits); ++ ports_mask &= be32_prefix_mask(mbits); ++ ports_mask |= ((OVS_FORCE ovs_be32 *) &wc->masks)[TP_PORTS_OFS32]; ++ ++ adjust_ports_mask = true; + + goto no_match; + } +@@ -1751,6 +1758,14 @@ find_match_wc(const struct cls_subtable *subtable, ovs_version_t version, + /* Unwildcard the bits in stages so far, as they were used in determining + * there is no match. */ + flow_wildcards_fold_minimask_in_map(wc, &subtable->mask, stages_map); ++ if (adjust_ports_mask) { ++ /* This has to be done after updating flow wildcards to overwrite ++ * the ports mask back. We can't simply disable the corresponding bit ++ * in the stages map, because it has 64-bit resolution, i.e. one ++ * bit covers not only tp_src/dst, but also ct_tp_src/dst, which are ++ * not covered by the trie. 
*/ ++ ((OVS_FORCE ovs_be32 *) &wc->masks)[TP_PORTS_OFS32] = ports_mask; ++ } + return NULL; + } + +diff --git a/tests/classifier.at b/tests/classifier.at +index f652b59837b..de2705653e0 100644 +--- a/tests/classifier.at ++++ b/tests/classifier.at +@@ -65,6 +65,94 @@ Datapath actions: 2 + OVS_VSWITCHD_STOP + AT_CLEANUP + ++AT_SETUP([flow classifier - lookup segmentation - final stage]) ++OVS_VSWITCHD_START ++add_of_ports br0 1 2 3 ++AT_DATA([flows.txt], [dnl ++table=0 in_port=1 priority=33,tcp,tp_dst=80,tcp_flags=+psh,action=output(2) ++table=0 in_port=1 priority=0,ip,action=drop ++table=0 in_port=2 priority=16,icmp6,nw_ttl=255,icmp_type=135,icmp_code=0,nd_target=1000::1 ,action=output(1) ++table=0 in_port=2 priority=0,ip,action=drop ++table=0 in_port=3 action=resubmit(,1) ++table=1 in_port=3 priority=45,ct_state=+trk+rpl,ct_nw_proto=6,ct_tp_src=3/0x1,tcp,tp_dst=80,tcp_flags=+psh,action=output(2) ++table=1 in_port=3 priority=10,ip,action=drop ++]) ++AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) ++ ++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=syn'], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=-psh ++Datapath actions: drop ++]) ++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=syn|ack'], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=-psh ++Datapath actions: drop ++]) ++AT_CHECK([ovs-appctl ofproto/trace br0 
'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=ack|psh'], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=+psh ++Datapath actions: 2 ++]) ++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80'], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=-psh ++Datapath actions: drop ++]) ++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=79'], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=0x40/0xfff0,tcp_flags=-psh ++Datapath actions: drop ++]) ++ ++dnl Having both the port and the tcp flags in the resulting megaflow below ++dnl is redundant, but that is how ports trie logic is implemented. ++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=81'], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=81,tcp_flags=-psh ++Datapath actions: drop ++]) ++ ++dnl nd_target is redundant in the megaflow below and it is also not relevant ++dnl for an icmp reply. Datapath may discard that match, but it is OK as long ++dnl as we have prerequisites (icmp_type) in the match as well. 
++AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=128,icmpv6_code=0"], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x80/0xfc,nd_target=:: ++Datapath actions: drop ++]) ++ ++AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=135,icmpv6_code=0"], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x87/0xff,icmp_code=0x0/0xff,nd_target=:: ++Datapath actions: drop ++]) ++AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=135,icmpv6_code=0,nd_target=1000::1"], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x87/0xff,icmp_code=0x0/0xff,nd_target=1000::1 ++Datapath actions: 1 ++]) ++AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=135,icmpv6_code=0,nd_target=1000::2"], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x87/0xff,icmp_code=0x0/0xff,nd_target=1000::2 ++Datapath actions: drop ++]) ++ ++dnl Check that ports' mask doesn't affect ct ports. 
++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=3,ct_state=trk|rpl,ct_nw_proto=6,ct_tp_src=3,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=psh'], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,ct_state=+rpl+trk,ct_nw_proto=6,ct_tp_src=0x1/0x1,eth,tcp,in_port=3,nw_frag=no,tp_dst=80,tcp_flags=+psh ++Datapath actions: 2 ++]) ++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=3,ct_state=trk|rpl,ct_nw_proto=6,ct_tp_src=3,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=79,tcp_flags=psh'], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,ct_state=+rpl+trk,ct_nw_proto=6,ct_tp_src=0x1/0x1,eth,tcp,in_port=3,nw_frag=no,tp_dst=0x40/0xfff0,tcp_flags=+psh ++Datapath actions: drop ++]) ++ ++OVS_VSWITCHD_STOP ++AT_CLEANUP ++ + AT_BANNER([flow classifier prefix lookup]) + AT_SETUP([flow classifier - prefix lookup]) + OVS_VSWITCHD_START diff -Nru openvswitch-3.1.0/debian/patches/series openvswitch-3.1.0/debian/patches/series --- openvswitch-3.1.0/debian/patches/series 2023-04-11 09:54:40.000000000 +0000 +++ openvswitch-3.1.0/debian/patches/series 2024-02-18 15:46:26.000000000 +0000 @@ -1,2 +1,4 @@ ovs-ctl-ipsec.patch CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch +CVE-2023-5366-Fix-missing-masks-on-a-final-stage-with-ports-trie.patch +CVE-2023-3966-netdev-offload-tc_Check_geneve_metadata_length.patch
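Review bot: `ovs_be32 ports_mask;` in find_match_wc is declared without an initializer and is only assigned inside the ports-trie branch, so the final read in the new `if (adjust_ports_mask)` block is guarded solely by the flag; that is correct, but GCC's maybe-uninitialized analysis cannot see the pairing and may warn in -Werror builds, so `ovs_be32 ports_mask = 0;` next to `bool adjust_ports_mask = false;` would be safer. The comment above the final assignment explains why the ports mask must be rewritten after flow_wildcards_fold_minimask_in_map, which is the real subtlety; I would add one sentence noting that `ports_mask` already carries the bits that were in wc->masks before (the `ports_mask |= ((OVS_FORCE ovs_be32 *) &wc->masks)[TP_PORTS_OFS32];` line), so the assignment can only add wildcarded bits, never drop them. find_match_wc begins before this hunk's first line and continues past its last. The new classifier.at cases check the megaflow text directly, which is also the quickest way for a deployment to confirm the fix is active: the tcp_flags term must appear in the trace output for the SYN-only packet.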