Description: In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network. Only deployments using the linuxbridge backend are affected. This occurs in PyRoute2.add() in internal/command/ip/linux/
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 939288
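The failure mode in the description is observable on the host: a Linux bridge whose ageing_time is 0 has MAC learning disabled, so every frame for a non-local destination is flooded out of all ports. The following check is an added example written for this entry, not code from os-vif or from Debian; it parses the `bridge ... ageing_time N` detail line that `ip -d link show` prints for each bridge (ageing_time is reported in centiseconds, with 30000 being the kernel default of 300 s) and lists the bridges that have learning switched off. The sample output, the bridge names and the MAC addresses are constructed, not captured from a real deployment.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample of `ip -d link show type bridge` output (not a real capture).
# The first bridge has ageing_time 0 (MAC learning disabled, all non-local
# traffic flooded); the second has the kernel default of 30000 centiseconds.
SAMPLE_IP_LINK_OUTPUT = """\
5: brqdeadbeef-12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:aa:bb:cc:dd:01 brd ff:ff:ff:ff:ff:ff promiscuity 0
    bridge forward_delay 0 hello_time 200 max_age 2000 ageing_time 0 stp_state 0 priority 32768 vlan_filtering 0
6: brqcafef00d-34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:aa:bb:cc:dd:02 brd ff:ff:ff:ff:ff:ff promiscuity 0
    bridge forward_delay 0 hello_time 200 max_age 2000 ageing_time 30000 stp_state 0 priority 32768 vlan_filtering 0
"""

# "5: brqdeadbeef-12: <...>" or "7: eth0@if5: <...>"; capture the bare interface name.
HEADER_RE = re.compile(r"^\d+:\s+([^:@]+)[:@]")
# Detail line printed with -d for bridge devices; value is in centiseconds.
AGEING_RE = re.compile(r"\bageing_time\s+(\d+)\b")


def parse_bridge_ageing(output: str) -> Dict[str, int]:
    """Map each bridge name in `ip -d link show` output to its ageing_time."""
    ageing: Dict[str, int] = {}
    current = None
    for line in output.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            continue
        detail = AGEING_RE.search(line)
        if detail and current is not None:
            ageing[current] = int(detail.group(1))
    return ageing


def bridges_without_mac_learning(output: str) -> List[str]:
    """Bridges whose ageing_time is 0, i.e. MAC learning is disabled."""
    return sorted(name for name, t in parse_bridge_ageing(output).items() if t == 0)


def live_check() -> List[str]:
    """Run the same check against the local host (requires iproute2)."""
    out = subprocess.run(
        ["ip", "-d", "link", "show", "type", "bridge"],
        capture_output=True, text=True, check=True,
    ).stdout
    return bridges_without_mac_learning(out)


if __name__ == "__main__":
    # Demonstrate on the constructed sample rather than touching the host.
    for name in bridges_without_mac_learning(SAMPLE_IP_LINK_OUTPUT):
        print(f"{name}: ageing_time 0, MAC learning disabled, traffic is flooded")
```

Running `live_check()` on a compute node that uses the linuxbridge backend gives an immediate answer to whether the affected os-vif versions have left bridges in this state; a non-empty list is the signal to upgrade os-vif to a fixed version and, as an interim measure, restore the ageing time with `ip link set <bridge> type bridge ageing_time 30000`.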

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release          Version    Status
python-os-vif (PTS)   stretch          1.2.1-2    fixed
                      bullseye, sid    1.17.0-2   fixed

The information below is based on the following data on fixed versions.

Package          Type     Release   Fixed Version    Urgency   Origin   Debian Bugs
python-os-vif    source   buster    (not affected)
python-os-vif    source   stretch   (not affected)


[buster] - python-os-vif <not-affected> (Vulnerable code introduced in 1.15.0)
[stretch] - python-os-vif <not-affected> (Vulnerable code introduced in 1.15.0)
