[Bug 1837252] Please test proposed package
Chris MacNaughton
1837252@bugs.launchpad.net
Wed Jan 6 07:52:25 UTC 2021
Hello James, or anyone else affected,
Accepted python-os-vif into stein-proposed. The package will build now
and be available in the Ubuntu Cloud Archive in a few hours, and then in
the -proposed repository.
Please help us by testing this new package. To enable the -proposed
repository:
sudo add-apt-repository cloud-archive:stein-proposed
sudo apt-get update
Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-stein-needed to verification-stein-done. If it does
not fix the bug for you, please add a comment stating that, and change
the tag to verification-stein-failed. In either case, details of your
testing will help us make a better decision.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
** Changed in: cloud-archive/stein
Status: Triaged => Fix Committed
** Tags added: verification-stein-needed
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1837252
Title:
[OSSA-2019-004] Ageing time of 0 disables linuxbridge MAC learning
(CVE-2019-15753)
Status in Ubuntu Cloud Archive:
Fix Released
Status in Ubuntu Cloud Archive stein series:
Fix Committed
Status in neutron:
Invalid
Status in OpenStack Compute (nova):
Invalid
Status in os-vif:
Fix Released
Status in os-vif stein series:
Fix Committed
Status in os-vif trunk series:
Fix Released
Status in OpenStack Security Advisory:
Fix Released
Bug description:
Release: OpenStack Stein
Driver: LinuxBridge
Using Stein w/ the LinuxBridge mech driver/agent, we have found that
traffic is being flooded across bridges. Using tcpdump inside an
instance, you can see unicast traffic for other instances.
We have confirmed the macs table shows the aging timer set to 0 for
permanent entries, and the bridge is NOT learning new MACs:
root@lab-compute01:~# brctl showmacs brqd0084ac0-f7
port no mac addr is local? ageing timer
5 24:be:05:a3:1f:e1 yes 0.00
5 24:be:05:a3:1f:e1 yes 0.00
1 fe:16:3e:02:62:18 yes 0.00
1 fe:16:3e:02:62:18 yes 0.00
7 fe:16:3e:07:65:47 yes 0.00
7 fe:16:3e:07:65:47 yes 0.00
4 fe:16:3e:1d:d6:33 yes 0.00
4 fe:16:3e:1d:d6:33 yes 0.00
9 fe:16:3e:2b:2f:f0 yes 0.00
9 fe:16:3e:2b:2f:f0 yes 0.00
8 fe:16:3e:3c:42:64 yes 0.00
8 fe:16:3e:3c:42:64 yes 0.00
10 fe:16:3e:5c:a6:6c yes 0.00
10 fe:16:3e:5c:a6:6c yes 0.00
2 fe:16:3e:86:9c:dd yes 0.00
2 fe:16:3e:86:9c:dd yes 0.00
6 fe:16:3e:91:9b:45 yes 0.00
6 fe:16:3e:91:9b:45 yes 0.00
11 fe:16:3e:b3:30:00 yes 0.00
11 fe:16:3e:b3:30:00 yes 0.00
3 fe:16:3e:dc:c3:3e yes 0.00
3 fe:16:3e:dc:c3:3e yes 0.00
root@lab-compute01:~# bridge fdb show | grep brqd0084ac0-f7
01:00:5e:00:00:01 dev brqd0084ac0-f7 self permanent
fe:16:3e:02:62:18 dev tap74af38f9-2e master brqd0084ac0-f7 permanent
fe:16:3e:02:62:18 dev tap74af38f9-2e vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:86:9c:dd dev tapb00b3c18-b3 master brqd0084ac0-f7 permanent
fe:16:3e:86:9c:dd dev tapb00b3c18-b3 vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:dc:c3:3e dev tap7284d235-2b master brqd0084ac0-f7 permanent
fe:16:3e:dc:c3:3e dev tap7284d235-2b vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:1d:d6:33 dev tapbeb9441a-99 vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:1d:d6:33 dev tapbeb9441a-99 master brqd0084ac0-f7 permanent
24:be:05:a3:1f:e1 dev eno1.102 vlan 1 master brqd0084ac0-f7 permanent
24:be:05:a3:1f:e1 dev eno1.102 master brqd0084ac0-f7 permanent
fe:16:3e:91:9b:45 dev tapc8ad2cec-90 master brqd0084ac0-f7 permanent
fe:16:3e:91:9b:45 dev tapc8ad2cec-90 vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:07:65:47 dev tap86e2c412-24 master brqd0084ac0-f7 permanent
fe:16:3e:07:65:47 dev tap86e2c412-24 vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:3c:42:64 dev tap37bcb70e-9e master brqd0084ac0-f7 permanent
fe:16:3e:3c:42:64 dev tap37bcb70e-9e vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:2b:2f:f0 dev tap40f6be7c-2d vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:2b:2f:f0 dev tap40f6be7c-2d master brqd0084ac0-f7 permanent
fe:16:3e:b3:30:00 dev tap6548bacb-c0 vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:b3:30:00 dev tap6548bacb-c0 master brqd0084ac0-f7 permanent
fe:16:3e:5c:a6:6c dev tap61107236-1e vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:5c:a6:6c dev tap61107236-1e master brqd0084ac0-f7 permanent
The ageing time for the bridge is set to 0:
root@lab-compute01:~# brctl showstp brqd0084ac0-f7
brqd0084ac0-f7
bridge id 8000.24be05a31fe1
designated root 8000.24be05a31fe1
root port 0 path cost 0
max age 20.00 bridge max age 20.00
hello time 2.00 bridge hello time 2.00
forward delay 0.00 bridge forward delay 0.00
ageing time 0.00
hello timer 0.00 tcn timer 0.00
topology change timer 0.00 gc timer 0.00
flags
The default ageing time of 300 is being overridden by the value set
here:
Stein: https://github.com/openstack/os-vif/blob/stable/stein/os_vif/internal/command/ip/linux/impl_pyroute2.py#L89
Master: https://github.com/openstack/os-vif/blob/master/os_vif/internal/ip/linux/impl_pyroute2.py#L89
I am not sure of the behavior in OVS environments using the iptables
firewall, but I have confirmed the 'qbr' bridges also have an ageing
time of 0 (formerly 300).
Please let me know if you have any questions.
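An added verification check, not part of the bug report or of os-vif: it parses `brctl showstp` and `brctl showmacs` output (constructed samples modelled on the report above) and flags a bridge whose ageing time is 0, where the bridge learns no MACs and floods unicast. The sysfs helper assumes the kernel reports `ageing_time` in USER_HZ ticks (100 per second).

```python
"""Check Linux bridges for the ageing-time-0 condition described in this bug."""
import re

# Constructed samples modelled on the `brctl showstp` / `brctl showmacs`
# output in the bug report (not captured from a live host).
SAMPLE_SHOWSTP = """brqd0084ac0-f7
 bridge id              8000.24be05a31fe1
 max age                20.00                   bridge max age         20.00
 ageing time            0.00
 hello timer            0.00                    tcn timer              0.00
"""
SAMPLE_SHOWMACS = """port no mac addr                is local?       ageing timer
  5     24:be:05:a3:1f:e1       yes                0.00
  1     fe:16:3e:02:62:18       yes                0.00
"""
# A healthy bridge: default 300 s ageing and one dynamically learned entry.
HEALTHY_SHOWSTP = re.sub(r"ageing time\s+0\.00", "ageing time 300.00", SAMPLE_SHOWSTP)
HEALTHY_SHOWMACS = SAMPLE_SHOWMACS + "  5     52:54:00:12:34:56       no                12.37\n"


def parse_ageing_time(showstp: str) -> float:
    """Return the bridge ageing time in seconds from `brctl showstp` output."""
    m = re.search(r"^\s*ageing time\s+([0-9.]+)", showstp, re.MULTILINE)
    if m is None:
        raise ValueError("no 'ageing time' line in showstp output")
    return float(m.group(1))


def count_learned_macs(showmacs: str) -> int:
    """Count entries the bridge learned itself ('is local?' == no)."""
    rows = (line.split() for line in showmacs.splitlines()[1:])
    return sum(1 for f in rows if len(f) >= 4 and f[2] == "no")


def sysfs_ageing_seconds(raw: str) -> float:
    """Convert /sys/class/net/<br>/bridge/ageing_time (USER_HZ ticks) to seconds."""
    return int(raw.strip()) / 100.0  # 30000 -> 300.0, 0 -> 0.0


def assess(showstp: str, showmacs: str) -> dict:
    """Flag a bridge whose ageing time is 0: MAC learning is off, unicast floods."""
    ageing = parse_ageing_time(showstp)
    return {"bridge": showstp.split("\n", 1)[0].strip(),
            "ageing_time": ageing,
            "learned_macs": count_learned_macs(showmacs),
            "mac_learning_disabled": ageing == 0.0}


if __name__ == "__main__":
    for name, stp, macs in (("affected", SAMPLE_SHOWSTP, SAMPLE_SHOWMACS),
                            ("healthy", HEALTHY_SHOWSTP, HEALTHY_SHOWMACS)):
        print(name, assess(stp, macs))
```

On a real compute node, feed the check the output of `brctl showstp <bridge>` for each `brq*` (or `qbr*`) bridge; after the fixed package is installed the ageing time should read 300.00 again.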