CVE-2019-15753

Name: CVE-2019-15753
Description: In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network. Only deployments using the linuxbridge backend are affected. This occurs in PyRoute2.add() in internal/command/ip/linux/impl_pyroute2.py.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)
Debian Bugs: 939288

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release   Version    Status
python-os-vif (PTS)   stretch   1.2.1-2    fixed
                      buster    1.11.1-1   fixed
                      sid       1.15.1-2   vulnerable

The information below is based on the following data on fixed versions.

Package         Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
python-os-vif   source   (unstable)   (unfixed)        low                939288
python-os-vif   source   buster       (not affected)
python-os-vif   source   stretch      (not affected)

Notes

[buster] - python-os-vif <not-affected> (Vulnerable code introduced in 1.15.0)
[stretch] - python-os-vif <not-affected> (Vulnerable code introduced in 1.15.0)
https://security.openstack.org/ossa/OSSA-2019-004.html
https://launchpad.net/bugs/1837252
