-
neutron (2:12.1.1-0ubuntu8.1) bionic-security; urgency=medium
* SECURITY UPDATE: IPv6 impersonation in Open vSwitch firewall rules
- debian/patches/CVE-2021-20267-1.patch: allow egress ICMPv6 only for
known addresses in
doc/source/contributor/internals/openvswitch_firewall.rst,
neutron/agent/linux/openvswitch_firewall/firewall.py,
neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py.
- debian/patches/CVE-2021-20267-2.patch: restrict IPv6 NA and DHCP(v6)
IP and MAC source addresses in neutron/agent/firewall.py,
neutron/agent/linux/openvswitch_firewall/firewall.py,
neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py.
- CVE-2021-20267
* SECURITY UPDATE: hardware address impersonation with ebtables-nft
- debian/patches/CVE-2021-38598.patch: make ARP protection commands
compatible with "ebtables-nft" in
neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py,
neutron/tests/unit/plugins/ml2/drivers/linuxbridge/agent/test_arp_protect.py.
- CVE-2021-38598
* SECURITY UPDATE: dnsmasq reconfiguration issue
- debian/patches/CVE-2021-40085.patch: remove dhcp_extra_opt value
after first newline character in neutron/agent/linux/dhcp.py,
neutron/tests/unit/agent/linux/test_dhcp.py.
- CVE-2021-40085
* SECURITY UPDATE: memory consumption via API requests
- debian/patches/CVE-2021-40797.patch: don't use singleton in
routes.middleware.RoutesMiddleware in neutron/api/extensions.py.
- CVE-2021-40797
* SECURITY UPDATE: uncontrolled resource consumption flaw
- debian/patches/CVE-2022-3277.patch: do not allow a tenant to create a
default SG for another one in neutron/db/securitygroups_db.py,
neutron/tests/unit/db/test_securitygroups_db.py.
- CVE-2022-3277
-- Marc Deslauriers <email address hidden> Tue, 18 Apr 2023 11:23:51 -0400
-
neutron (2:12.1.1-0ubuntu8) bionic; urgency=medium
* Backport fix for TCP checksum issue (LP: #1832021)
- d/p/0001-Workaround-for-TCP-checksum-issue-with-ovs-dpdk-and-.patch
-- erlon <email address hidden> Mon, 26 Apr 2021 14:01:49 -0300
-
neutron (2:12.1.1-0ubuntu7) bionic; urgency=medium
* Handle OVSFWPortNotFound and OVSFWTagNotFound in ovs firewall
- d/p/0001-Handle-OVSFWPortNotFound-and-OVSFWTagNotFound-in-ovs.patch
(LP: #1849098).
neutron (2:12.1.1-0ubuntu6) bionic; urgency=medium
* Do not initialize snat-ns twice (LP: #1850779)
- d/p/0001-Do-not-initialize-snat-ns-twice.patch
neutron (2:12.1.1-0ubuntu5) bionic; urgency=medium
* Backport fix for dvr-snat missig rfp interfaces (LP: #1894843)
- d/p/0001-Fix-deletion-of-rfp-interfaces-when-router-is-re-ena.patch
-- Seyeong Kim <email address hidden> Mon, 03 May 2021 17:15:28 +0900
-
neutron (2:12.1.1-0ubuntu4) bionic; urgency=medium
* Fix interrupt of VLAN traffic on reboot of neutron-ovs-agent:
- d/p/0001-ovs-agent-signal-to-plugin-if-tunnel-refresh-needed.patch (LP: #1853613)
- d/p/0002-Do-not-block-connection-between-br-int-and-br-phys-o.patch (LP: #1869808)
- d/p/0003-Ensure-that-stale-flows-are-cleaned-from-phys_bridge.patch (LP: #1864822)
- d/p/0004-DVR-Reconfigure-re-created-physical-bridges-for-dvr-.patch (LP: #1864822)
- d/p/0005-Ensure-drop-flows-on-br-int-at-agent-startup-for-DVR.patch (LP: #1887148)
- d/p/0006-Don-t-check-if-any-bridges-were-recrected-when-OVS-w.patch (LP: #1864822)
- d/p/0007-Not-remove-the-running-router-when-MQ-is-unreachable.patch (LP: #1871850)
-- Edward Hope-Morley <email address hidden> Mon, 22 Feb 2021 16:55:40 +0000
-
neutron (2:12.1.1-0ubuntu3) bionic; urgency=medium
[ Chris MacNaughton ]
* d/control: Update VCS paths for move to lp:~ubuntu-openstack-dev.
[ Corey Bryant ]
* d/p/ovs-fw-remote-sg-ids-left-behind.patch: Cherry-picked from upstream
stable/queens to ensure proper cleanup of remote security group IDs when
a security group is removed (LP: #1881157).
-- Corey Bryant <email address hidden> Tue, 24 Nov 2020 10:33:03 -0500
-
neutron (2:12.1.1-0ubuntu2) bionic; urgency=medium
* d/p/Ensure-fip-ip-rules-deleted-when-fip-removed.patch
Backport fix for dvr fip ip rule cleanup (LP: #1891673)
-- Edward Hope-Morley <email address hidden> Tue, 08 Sep 2020 17:55:17 +0100
-
neutron (2:12.1.1-0ubuntu1) bionic; urgency=medium
* d/watch: Update to point at opendev.
* New stable point release for OpenStack Queens (LP: #1893234).
-- Chris MacNaughton <email address hidden> Fri, 28 Aug 2020 12:02:47 +0000
-
neutron (2:12.1.0-0ubuntu1) bionic; urgency=medium
[ Sahid Orentino Ferdjaoui ]
* New stable point release for OpenStack Queens (LP: #1838288).
* d/p/bug1826419.patch: Dropped. Fixed in 12.1.0.
* d/p/revert-iptables-tcp-checksum-fill-code.patch: Dropped.
Fixed in 12.1.0.
[ Corey Bryant ]
* d/p/metadata-use-requests-for-comms-with-nova-api.patch: Dropped.
Fixed in 12.1.0.
-- Corey Bryant <email address hidden> Mon, 29 Jul 2019 11:49:51 -0400
-
neutron (2:12.0.6-0ubuntu3) bionic; urgency=medium
* d/p/metadata-use-requests-for-comms-with-nova-api.patch: Restore patch
from https://review.openstack.org/#/c/599541/ to enable cert management
where IP addresses are used in subject alternate names (LP: #1838263).
-- Corey Bryant <email address hidden> Mon, 29 Jul 2019 10:18:05 -0400
-
neutron (2:12.0.6-0ubuntu2) bionic; urgency=medium
* d/p/revert-iptables-tcp-checksum-fill-code.patch: Cherry-picked
from upstream to revert invalid use of iptables -j CHECKSUM
(LP: #1722584).
-- Corey Bryant <email address hidden> Mon, 17 Jun 2019 13:30:49 -0400
-
neutron (2:12.0.6-0ubuntu1) bionic; urgency=medium
[ Sahid Orentino Ferdjaoui ]
* New stable point release for OpenStack Queens (LP: #1830341).
* d/p/set-initial-ha-router-state-in-neutron-keepalived-st.patch,
d/p/fix-KeyError-in-OVS-firewall.patch,
d/p/metadata-use-requests-for-comms-with-nova-api.patch,
d/p/Spawn-metadata-proxy-on-dvr-ha-standby-routers.patch,
d/p/bug1823038.patch: Dropped. Fixed in upstream release.
[ James Page ]
* d/p/bug1826419.patch: Cherry pick fix to revert incorrect changes to
internal DNS behaviour (LP: #1826419).
-- Sahid Orentino Ferdjaoui <email address hidden> Fri, 24 May 2019 11:10:37 +0200
-
neutron (2:12.0.5-0ubuntu5) bionic; urgency=medium
* Backport fix for dvr+l3ha metadata service not available
- d/p/Spawn-metadata-proxy-on-dvr-ha-standby-routers.patch (LP: #1606741)
-- Corey Bryant <email address hidden> Mon, 13 May 2019 14:55:41 -0400
-
neutron (2:12.0.5-0ubuntu4) bionic; urgency=medium
* d/p/bug1823038.patch: Cherry pick fix to ensure that None is not
passed as an argument when spawning the neutron-keepalived-state-change
agent (LP: #1823038).
neutron (2:12.0.5-0ubuntu3) bionic; urgency=medium
* d/p/fix-KeyError-in-OVS-firewall.patch: Cherry-picked from upstream
to prevent neutron ovs agent from crashing due to creation of two
security groups that both use the same remote security group, where
the first group's port range is a subset of the second (LP: #1813007).
* d/p/set-initial-ha-router-state-in-neutron-keepalived-st.patch:
Cherry-picked from upstream stable/rocky branch to ensure proper
detection of MASTER HA router by neutron-keepalived-state-change
(LP: #1818614).
-- James Page <email address hidden> Tue, 09 Apr 2019 10:59:22 +0100
-
neutron (2:12.0.5-0ubuntu3) bionic; urgency=medium
* d/p/fix-KeyError-in-OVS-firewall.patch: Cherry-picked from upstream
to prevent neutron ovs agent from crashing due to creation of two
security groups that both use the same remote security group, where
the first group's port range is a subset of the second (LP: #1813007).
* d/p/set-initial-ha-router-state-in-neutron-keepalived-st.patch:
Cherry-picked from upstream stable/rocky branch to ensure proper
detection of MASTER HA router by neutron-keepalived-state-change
(LP: #1818614).
-- Corey Bryant <email address hidden> Mon, 25 Mar 2019 16:06:30 -0400
-
neutron (2:12.0.5-0ubuntu2) bionic; urgency=medium
* d/p/set-initial-ha-router-state-in-neutron-keepalived-st.patch:
Cherry-picked from upstream stable/rocky branch to ensure proper
detection of MASTER HA router by neutron-keepalived-state-change
(LP: #1818614).
-- Corey Bryant <email address hidden> Mon, 25 Mar 2019 16:06:30 -0400
-
neutron (2:12.0.5-0ubuntu1) bionic; urgency=medium
* New stable point release for OpenStack Queens (LP: #1795424).
* d/p/metadata-use-requests-for-comms-with-nova-api.patch: Cherry-picked
from https://review.openstack.org/#/c/599541/ to enable cert management
where IP addresses are used in subject alternate names (LP: #1790598).
-- Corey Bryant <email address hidden> Tue, 06 Nov 2018 11:43:51 -0500
-
neutron (2:12.0.4-0ubuntu1) bionic; urgency=medium
* New stable point release for OpenStack Queens (LP: #1795424).
* d/p/metadata-use-requests-for-comms-with-nova-api.patch: Cherry-picked
from https://review.openstack.org/#/c/599541/ to enable cert management
where IP addresses are used in subject alternate names (LP: #1790598).
* d/p/revert-dvr-add-error-handling.patch: Cherry-picked from upstream to
revert DVR regressions (LP: #1751396)
* d/p/revert-dvr-inter-tenant.patch: Cherry-picked from upstream to revert
DVR regression (LP: #1783654).
-- Corey Bryant <email address hidden> Mon, 01 Oct 2018 11:41:51 -0400
-
neutron (2:12.0.3-0ubuntu1) bionic; urgency=medium
* New stable point release for OpenStack Queens (LP: #1778747).
-- Corey Bryant <email address hidden> Tue, 26 Jun 2018 11:55:23 -0400
-
neutron (2:12.0.2-0ubuntu1) bionic; urgency=medium
* New stable point release for OpenStack Queens (LP: #1771572).
* d/p/refresh-router-objects-after-port-binding.patch,
d/p/use-cidr-during-tenant-network-rule-deletion.patch,
d/p/remove-race-and-simplify-conntrack-state-management.patch,
d/p/dvr-inter-tenant-traffic.patch: Dropped. Fixed in stable release.
-- Corey Bryant <email address hidden> Thu, 17 May 2018 16:31:00 -0400
-
neutron (2:12.0.1-0ubuntu1.1) bionic; urgency=medium
* d/p/remove-race-and-simplify-conntrack-state-management.patch:
Cherry-picked from upstream stable/queens branch to prevent
ovs-agent from eating up CPU (LP: #1750777).
* d/gbp.conf: Create stable/queens branch.
-- Corey Bryant <email address hidden> Wed, 02 May 2018 15:00:58 -0400
-
neutron (2:12.0.1-0ubuntu1) bionic; urgency=medium
* d/p/dvr-inter-tenant-traffic.patch: Cherry-picked from upstream
stable/queens branch (LP: #1751396).
* New stable point release for OpenStack Queens (LP: #1765138).
-- Corey Bryant <email address hidden> Wed, 18 Apr 2018 12:07:48 -0400
-
neutron (2:12.0.0-0ubuntu3) bionic; urgency=medium
* d/p/refresh-router-objects-after-port-binding.patch: Cherry-picked
from upstream stable/queens branch (LP: #1759971).
* d/p/use-cidr-during-tenant-network-rule-deletion.patch: Cherry-picked
from upstream stable/queens branch (LP: #1759956).
-- Corey Bryant <email address hidden> Mon, 16 Apr 2018 16:06:25 -0400
-
neutron (2:12.0.0-0ubuntu2) bionic; urgency=medium
* d/neutron-openvswitch-agent.service.in,
d/neutron-openvswitch-agent.neutron-ovs-cleanup.service.in:
Ensure neutron-ovs-cleanup runs after openvswitch-switch and
neutron-openvswitch-agent runs after neutron-ovs-cleanup (LP: #1752838).
-- Seyeong Kim <email address hidden> Wed, 28 Mar 2018 04:44:38 -0700
-
neutron (2:12.0.0-0ubuntu1.4) bionic; urgency=medium
* Ensure python-pecan is >= 1.2.1 (LP: #1758882).
-- Corey Bryant <email address hidden> Mon, 26 Mar 2018 08:19:15 -0400
-
neutron (2:12.0.0-0ubuntu1.3) bionic; urgency=medium
* d/neutron-openvswitch-agent.neutron-ovs-cleanup.service.in:
Revert changes made for LP:#1752838 due to regression (LP: #1758411).
-- Corey Bryant <email address hidden> Fri, 23 Mar 2018 14:41:23 -0400
-
neutron (2:12.0.0-0ubuntu1.2) bionic; urgency=medium
* d/neutron-openvswitch-agent.service.in: Ensure
neutron-openvswitch-agent starts after neutron-ovs-cleanup.
-- Corey Bryant <email address hidden> Mon, 12 Mar 2018 09:32:19 -0400
-
neutron (2:12.0.0-0ubuntu1.1) bionic; urgency=medium
* d/neutron-openvswitch-agent.neutron-ovs-cleanup.service.in:
Adding dependency on openvswitch-switch.service because
neutron-ovs-cleanup will fail if it is run earlier than it
(LP: #1752838).
-- Seyeong Kim <email address hidden> Thu, 01 Mar 2018 17:19:08 -0800
-
neutron (2:12.0.0-0ubuntu1) bionic; urgency=medium
* New upstream release for OpenStack Queens.
-- James Page <email address hidden> Wed, 28 Feb 2018 16:07:52 +0000
-
neutron (2:12.0.0~rc2-0ubuntu1) bionic; urgency=medium
* New upstream release candidate for OpenStack Queens.
-- Corey Bryant <email address hidden> Tue, 20 Feb 2018 12:48:08 -0500
-
neutron (2:12.0.0~rc1-0ubuntu1) bionic; urgency=medium
* New upstream milestone for OpenStack Queens.
* d/control: Align (Build-)Depends with upstream.
* d/control: Switch to python3-sphinx.
-- James Page <email address hidden> Mon, 12 Feb 2018 17:54:27 +0000
-
neutron (2:12.0.0~b3-0ubuntu1) bionic; urgency=medium
* New upstream milestone for OpenStack Queens.
* d/control: Align (Build-)Depends with upstream.
-- Corey Bryant <email address hidden> Fri, 26 Jan 2018 12:45:29 -0500
-
neutron (2:12.0.0~b2-0ubuntu1) bionic; urgency=medium
* d/watch: Scope to 12.x series.
* d/p/call-update_all_ha_network_port_statuses-on-agent-start.patch:
Dropped, included upstream.
* New upstream milestone for OpenStack Queens.
* d/control: Align (Build-)Depends with upstream.
* d/*: wrap-and-sort -bast.
* d/control: Bumped Standards-Version to 4.1.2.
* d/control,compat: Bump debhelper compat to 10, drop BD on dh-
systemd.
* d/rules,neutron.conf.defaults: Switch to using crudini merge.
-- James Page <email address hidden> Mon, 11 Dec 2017 12:47:32 +0000
-
neutron (2:12.0.0~b1-0ubuntu2) bionic; urgency=medium
* d/p/call-update_all_ha_network_port_statuses-on-agent-start.patch:
Cherry-pick from upstream to prevent multiple masters for L3HA
(LP: #1731595).
-- Corey Bryant <email address hidden> Thu, 30 Nov 2017 15:05:33 -0500
-
neutron (2:12.0.0~b1-0ubuntu1) bionic; urgency=medium
* New upstream milestone for OpenStack Queens.
* d/control: Align (Build-)Depends with upstream.
* d/p/flake8-legacy.patch: Update patch to avoid import of flake8
legacy module as this causes test listing to fail.
-- James Page <email address hidden> Thu, 16 Nov 2017 16:34:23 +0000
-
neutron (2:11.0.1-0ubuntu1) artful; urgency=medium
* d/control: Add rename package to BDs as d/rules needs it and it
is no longer available by default in Artful.
* New stable point release for OpenStack Pike (LP: #1719728).
-- Corey Bryant <email address hidden> Wed, 27 Sep 2017 10:30:00 -0400
