<div class="container">
<h1>Security update for openvswitch</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:20061-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-01-08T14:44:35Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1216002">bsc#1216002</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1219465">bsc#1219465</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1236353">bsc#1236353</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1255435">bsc#1255435</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-3966.html">CVE-2023-3966</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-5366.html">CVE-2023-5366</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-2182.html">CVE-2024-2182</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-0650.html">CVE-2025-0650</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-3966</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-3966</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-3966</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-5366</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-5366</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.5</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-2182</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-2182</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-0650</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">9.2</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-0650</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-0650</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Micro 6.1</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves four vulnerabilities can now be installed.</p>
<h2>Description:</h2>
<p>This update for openvswitch fixes the following issues:</p>
<p>Update OpenvSwitch to v3.1.7 and OVN to v23.03.3:</p>
<p>Security issues fixed:</p>
<ul>
<li>CVE-2023-3966: ovs: invalid memory access and potential denial of service via specially crafted Geneve packets
(bsc#1219465).</li>
<li>CVE-2023-5366: ovs: OpenFlow rules may be bypassed via specially crafted ICMPv6 Neighbor Advertisement packets sent
between virtual machines t(bsc#1216002).</li>
<li>CVE-2024-2182: ovn: denial of service via injection of specially crafted BFD packets from inside unprivileged
workloads (bsc#1255435).</li>
<li>CVE-2025-0650: ovn: egress ACLs may be bypassed via specially crafted UDP packet (bsc#1236353).</li>
</ul>
<p>Other updates and bugfixes:</p>
<ul>
<li>OpenvSwitch upstream bugfix updates:</li>
<li>https://www.openvswitch.org/releases/NEWS-3.1.7.txt</li>
<li>v3.1.7<ul>
<li>Bug fixes</li>
<li>OVS validated with DPDK 22.11.7.</li>
</ul>
</li>
<li>v3.1.6<ul>
<li>Bug fixes</li>
<li>OVS validated with DPDK 22.11.6.</li>
</ul>
</li>
<li>v3.1.5<ul>
<li>Bug fixes</li>
<li>OVS validated with DPDK 22.11.5.</li>
</ul>
</li>
<li>
<p>v3.1.4</p>
<ul>
<li>Bug fixes</li>
<li>OVS validated with DPDK 22.11.4.</li>
</ul>
</li>
<li>
<p>OVN upstream bugfix updates:</p>
</li>
<li>https://github.com/ovn-org/ovn/blob/branch-23.03/NEWS</li>
<li>v23.03.3<ul>
<li>Bug fixes</li>
<li>Add "garp-max-timeout-sec" config option to vswitchd external-ids to cap the time between when ovn-controller
sends gARP packets.</li>
</ul>
</li>
<li>v23.03.1<ul>
<li>Bug fixes</li>
<li>CT entries are not flushed by default anymore whenever a load balancer backend is removed. A new, per-LB, option
'ct_flush' can be used to restore the previous behavior. Disabled by default.</li>
<li>Always allow IPv6 Router Discovery, Neighbor Discovery, and Multicast Listener Discovery protocols, regardless of
ACLs defined.</li>
<li>Send ICMP Fragmentation Needed packets back to offending ports when communicating with multichassis ports using
frames that don't fit through a tunnel. This is done only for logical switches that are attached to a physical
network via a localnet port, in which case multichassis ports may have an effective MTU different from regular
ports and hence may need this mechanism to maintain connectivity with other peers in the network.</li>
<li>ECMP routes use L4_SYM dp-hash by default if the datapath supports it. Existing sessions might get re-hashed to a
different ECMP path when OVN detects the algorithm support in the datapath during an upgrade or restart of
ovn-controller.</li>
</ul>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Micro 6.1
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-6.1-367=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64)
<ul>
<li>libopenvswitch-3_1-0-debuginfo-3.1.7-slfo.1.1_2.1</li>
<li>openvswitch-debuginfo-3.1.7-slfo.1.1_2.1</li>
<li>libopenvswitch-3_1-0-3.1.7-slfo.1.1_2.1</li>
<li>openvswitch-debugsource-3.1.7-slfo.1.1_2.1</li>
<li>openvswitch-3.1.7-slfo.1.1_2.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-3966.html">https://www.suse.com/security/cve/CVE-2023-3966.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-5366.html">https://www.suse.com/security/cve/CVE-2023-5366.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-2182.html">https://www.suse.com/security/cve/CVE-2024-2182.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-0650.html">https://www.suse.com/security/cve/CVE-2025-0650.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1216002">https://bugzilla.suse.com/show_bug.cgi?id=1216002</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1219465">https://bugzilla.suse.com/show_bug.cgi?id=1219465</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1236353">https://bugzilla.suse.com/show_bug.cgi?id=1236353</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1255435">https://bugzilla.suse.com/show_bug.cgi?id=1255435</a>
</li>
</ul>
</div>