SUSE alert SUSE-SU-2026:20061-1 (openvswitch)

From:
             
 
SLE-SECURITY-UPDATES <null@suse.de>
To:
             
 
sle-security-updates@lists.suse.com
Subject:
             
 
SUSE-SU-2026:20061-1: important: Security update for openvswitch
Date:
             
 
Thu, 15 Jan 2026 08:31:00 -0000
Message-ID:
             
 
<176846586069.28753.9728933406288467349@smelt2.prg2.suse.org>


# Security update for openvswitch

Announcement ID: SUSE-SU-2026:20061-1  
Release Date: 2026-01-08T14:44:35Z  
Rating: important  
References:

  * bsc#1216002
  * bsc#1219465
  * bsc#1236353
  * bsc#1255435

  
Cross-References:

  * CVE-2023-3966
  * CVE-2023-5366
  * CVE-2024-2182
  * CVE-2025-0650

  
CVSS scores:

  * CVE-2023-3966 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-3966 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-3966 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-5366 ( SUSE ):  7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
  * CVE-2023-5366 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  * CVE-2024-2182 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2024-2182 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-0650 ( SUSE ):  9.2
    CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-0650 ( SUSE ):  8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2025-0650 ( NVD ):  8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

  
Affected Products:

  * SUSE Linux Micro 6.1

  
  
An update that solves four vulnerabilities can now be installed.

## Description:

This update for openvswitch fixes the following issues:

Update OpenvSwitch to v3.1.7 and OVN to v23.03.3:

Security issues fixed:

  * CVE-2023-3966: ovs: invalid memory access and potential denial of service
    via specially crafted Geneve packets (bsc#1219465).
  * CVE-2023-5366: ovs: OpenFlow rules may be bypassed via specially crafted
    ICMPv6 Neighbor Advertisement packets sent between virtual machines
    t(bsc#1216002).
  * CVE-2024-2182: ovn: denial of service via injection of specially crafted BFD
    packets from inside unprivileged workloads (bsc#1255435).
  * CVE-2025-0650: ovn: egress ACLs may be bypassed via specially crafted UDP
    packet (bsc#1236353).

Other updates and bugfixes:

  * OpenvSwitch upstream bugfix updates:
  * https://www.openvswitch.org/releases/NEWS-3.1.7.txt
  * v3.1.7
    * Bug fixes
    * OVS validated with DPDK 22.11.7.
  * v3.1.6
    * Bug fixes
    * OVS validated with DPDK 22.11.6.
  * v3.1.5
    * Bug fixes
    * OVS validated with DPDK 22.11.5.
  * v3.1.4

    * Bug fixes
    * OVS validated with DPDK 22.11.4.
  * OVN upstream bugfix updates:

  * https://github.com/ovn-org/ovn/blob/branch-23.03/NEWS
  * v23.03.3
    * Bug fixes
    * Add "garp-max-timeout-sec" config option to vswitchd external-ids to cap the time between
when ovn-controller sends gARP packets.
  * v23.03.1
    * Bug fixes
    * CT entries are not flushed by default anymore whenever a load balancer backend is removed. A
new, per-LB, option 'ct_flush' can be used to restore the previous behavior. Disabled by default.
    * Always allow IPv6 Router Discovery, Neighbor Discovery, and Multicast Listener Discovery
protocols, regardless of ACLs defined.
    * Send ICMP Fragmentation Needed packets back to offending ports when communicating with
multichassis ports using frames that don't fit through a tunnel. This is done only for logical
switches that are attached to a physical network via a localnet port, in which case multichassis
ports may have an effective MTU different from regular ports and hence may need this mechanism to
maintain connectivity with other peers in the network.
    * ECMP routes use L4_SYM dp-hash by default if the datapath supports it. Existing sessions
might get re-hashed to a different ECMP path when OVN detects the algorithm support in the datapath
during an upgrade or restart of ovn-controller.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro 6.1  
    zypper in -t patch SUSE-SLE-Micro-6.1-367=1

## Package List:

  * SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64)
    * libopenvswitch-3_1-0-debuginfo-3.1.7-slfo.1.1_2.1
    * openvswitch-debuginfo-3.1.7-slfo.1.1_2.1
    * libopenvswitch-3_1-0-3.1.7-slfo.1.1_2.1
    * openvswitch-debugsource-3.1.7-slfo.1.1_2.1
    * openvswitch-3.1.7-slfo.1.1_2.1

## References:

  * https://www.suse.com/security/cve/CVE-2023-3966.html
  * https://www.suse.com/security/cve/CVE-2023-5366.html
  * https://www.suse.com/security/cve/CVE-2024-2182.html
  * https://www.suse.com/security/cve/CVE-2025-0650.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1216002
  * https://bugzilla.suse.com/show_bug.cgi?id=1219465
  * https://bugzilla.suse.com/show_bug.cgi?id=1236353
  * https://bugzilla.suse.com/show_bug.cgi?id=1255435



Attachment: None (type=text/html)
(HTML attachment elided)