CVE-2019-15753

Name: CVE-2019-15753
Description: In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network. Only deployments using the linuxbridge backend are affected. This occurs in PyRoute2.add() in internal/command/ip/linux/impl_pyroute2.py.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 939288

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release      Version   Status
python-os-vif (PTS)  buster       1.11.1-1  fixed
                     bullseye     2.2.0-2   fixed
                     bookworm     3.0.0-2   fixed
                     sid, trixie  3.5.0-2   fixed

The information below is based on the following data on fixed versions.

Package        Type    Release     Fixed Version   Urgency  Origin  Debian Bugs
python-os-vif  source  stretch     (not affected)
python-os-vif  source  buster      (not affected)
python-os-vif  source  (unstable)  1.15.2-1        low              939288

Notes

[buster] - python-os-vif <not-affected> (Vulnerable code introduced in 1.15.0)
[stretch] - python-os-vif <not-affected> (Vulnerable code introduced in 1.15.0)
https://security.openstack.org/ossa/OSSA-2019-004.html
https://launchpad.net/bugs/1837252
