Changelog for openvswitch-ipsec-3.1.0-288.4.x86_64.rpm :
* Mon Feb 26 2024 Dominique Leuenberger
- Use %patch -P N instead of deprecated %patchN.

* Thu Feb 15 2024 Duraisankar P
- Fix CVE-2023-3966 [bsc#1219465] openvswitch3: Invalid memory access in Geneve with HW offload
- Added patch,
  + openvswitch-CVE-2023-3966.patch

* Thu Feb 01 2024 Duraisankar P
- Fix CVE-2023-5366 [bsc#1216002], openvswitch: missing masks on a final stage with ports trie
- Added patch,
  * CVE-2023-5366.patch

* Thu Dec 14 2023 Dirk Müller
- convert to sysuser generated users

* Mon Dec 04 2023 Ana Guerrero
- Add BuildRequires on python-setuptools. Previously this was pulled by python-Sphinx in the build environment.

* Thu Sep 07 2023 Duraisankar P
- Fix CVE-2023-3153 [bsc#1212125], VUL-0: CVE-2023-3153: openvswitch,openvswitch3: service monitor MAC flow is not rate limited
- Added patch, CVE-2023-3152.patch

* Wed May 17 2023 Duraisankar P
- Fix CVE-2023-1668 [bsc#1210054], openvswitch: remote traffic denial of service via crafted packets with IP proto 0
- Added patch, CVE-2023-1668.patch

* Tue May 02 2023 Dominique Leuenberger
- Remove python/ovs/dirs.py prior to building: have this re-generated based on the shipped template (boo#1210479).

* Wed Apr 05 2023 Duraisankar P
- Update OVS version to v3.1.0 and OVN version to v23.03.0
  Some of the features are,
  - ovs-vswitchd now detects changes in CPU affinity and adjusts the number of handler and revalidator threads if necessary.
  - AF_XDP:
    * Added support for building with libxdp and libbpf >= 0.7.
    * Support for AF_XDP is now enabled by default if all dependencies are available at the build time. Use --disable-afxdp to disable. Use --enable-afxdp to fail the build if dependencies are not present.
  - ovs-appctl:
    * "ovs-appctl ofproto/trace" command can now display port names with the "--names" option.
  - OVSDB-IDL:
    * Add the support to specify the persistent uuid for row insert in both C and Python IDLs.
  - Windows:
    * Conntrack IPv6 fragment support.
  - DPDK:
    * Add support for DPDK 22.11.1.
  - For the QoS max-rate and STP/RSTP path-cost configuration OVS now assumes 10 Gbps link speed by default in case the actual link speed cannot be determined. Previously it was 10 Mbps. Values can still be overridden by specifying 'max-rate' or '[r]stp-path-cost' accordingly.
  - OpenFlow:
    * New OpenFlow extension NXT_CT_FLUSH to flush connections matching the specified fields.
  - ovs-ctl:
    * New option '--dump-hugepages' to include hugepages in core dumps. This can assist with postmortem analysis involving DPDK, but may also produce significantly larger core dump files.
  - ovs-dpctl and 'ovs-appctl dpctl/' commands:
    * 'flush-conntrack' is now capable of handling partial 5-tuple, with additional optional parameter to specify the reply direction.
  - ovs-ofctl:
    * New command 'flush-conntrack' that accepts zone and 5-tuple (or partial 5-tuple) for both directions.
  - Support for travis-ci.org based continuous integration builds has been dropped.
  - Userspace datapath:
    * Add '-secs' argument to appctl 'dpif-netdev/pmd-rxq-show' to show the pmd usage of an Rx queue over a configurable time period.
    * Add new experimental PMD load based sleeping feature. PMD threads can request to sleep up to a user configured 'pmd-maxsleep' value under low load conditions.
  - For more details, check https://github.com/openvswitch/ovs/blob/v3.1.0/NEWS
- Includes security fix for CVE-2022-4338 (bsc#1206580) and CVE-2022-4337 (bsc#1206581)
- Removed patches,
  * 0001-Replace-deprecated-var-run-with-run.patch
  * 0001-openvswitch-merge-compiler.h-files-into-one-file.patch
  * openvswitch-CVE-2021-36980.patch
  * 0002-build-Seperated-common-used-headers.patch
  * a77ad9693c8b49055389559187fe74eddb619746.patch
  * 0001-m4-Test-avx512-for-x86-only.patch
  * openvswitch-2.17.2-Fix-tests-with-GNU-grep-3.8.patch
- Renamed and rebased patches,
  * 0001-Don-t-change-permissions-of-dev-hugepages.patch
  * 0001-Use-double-hash-for-OVS_USER_ID-comment.patch
  * 0001-Run-ovn-as-openvswitch-openvswitch.patch
  * 0001-Use-strongswan-for-openvswitch-ipsec-service.patch
  * 0001-Run-openvswitch-as-openvswitch-openvswitch.patch
- Added ovsdb tool install patch,
  * install-ovsdb-tools.patch

* Thu Sep 29 2022 Dirk Müller
- add a77ad9693c8b49055389559187fe74eddb619746.patch to avoid the cpu detection code being compiled with AVX512 enabled
- add 0001-m4-Test-avx512-for-x86-only.patch

* Mon Sep 12 2022 Andreas Stieger
- fix tests with GNU grep 3.8 boo#1203239
  add openvswitch-2.17.2-Fix-tests-with-GNU-grep-3.8.patch

* Wed Aug 03 2022 Dirk Müller
- update to 2.17.2:
  - Bug fixes
  - DPDK:
    * OVS validated with DPDK 21.11.1. It is recommended to use this version until further releases.
  - Bug fixes
  - libopenvswitch API change:
    * To fix the Undefined Behavior issue causing the compiler to incorrectly optimize important parts of code, container iteration macros (e.g., LIST_FOR_EACH) have been re-implemented in a UB-safe way.
    * Backwards compatibility has mostly been preserved, however the user-provided pointer is now set to NULL after the loop (unless it exited via "break;")
    * Users of libopenvswitch will need to double-check the use of such loop macros before compiling with a new version.
    * Since the change is limited to the definitions within the headers, the ABI is not affected.
- refresh 0001-openvswitch-merge-compiler.h-files-into-one-file.patch
  0002-build-Seperated-common-used-headers.patch

* Fri May 13 2022 Dominique Leuenberger
- Allow dpdk version 21.11.

* Fri Apr 22 2022 Ferdinand Thiessen
- Python package: Do not use C json parser on 32bit as large numbers will overflow.

* Sun Apr 03 2022 Ferdinand Thiessen
- Mention openvswitch-rpmlintrc as Source in spec file

* Mon Mar 14 2022 Ferdinand Thiessen
- Fix installation of files shared with OVN (required for building OVN without openvswitch sources), remove custom installation of internal headers from SPEC-install section and use patches (for upstreaming) instead.
  * install-ovsdb-tools.patch
  * Added 0001-openvswitch-merge-compiler.h-files-into-one-file.patch
  * Added 0002-build-Seperated-common-used-headers.patch
- Enabled check section / running testsuite by default to validate build result. There must be no problems with the testsuite anymore as upstream runs it by CI and checked before release of a new version.
- Renamed 0001-Don-t-change-permissions-of-dev-hugepages.patch to Don-t-change-permissions-of-dev-hugepages.patch
- Renamed 0001-Run-openvswitch-as-openvswitch-openvswitch.patch to Run-openvswitch-as-openvswitch-openvswitch.patch
- Renamed 0001-Use-double-hash-for-OVS_USER_ID-comment.patch to Use-double-hash-for-OVS_USER_ID-comment.patch
- Rebased 0001-Use-strongswan-for-openvswitch-ipsec-service.patch to Use-strongswan-for-openvswitch-ipsec-service.patch

* Fri Mar 11 2022 Ferdinand Thiessen
- Fix OVS location for python bindings (dirs.py), boo#1196978
  Make sure dirs.py is freshly generated

* Mon Mar 07 2022 Dirk Müller
- fix python3 requires (bsc#1196758)

* Sun Feb 27 2022 Ferdinand Thiessen
- Added install-ovsdb-tools.patch to install ovsdb tools required for building OVN

* Sat Feb 26 2022 Ferdinand Thiessen
- Enable multiple python3 flavor subpackages on Tumbleweed / Factory

* Sat Feb 26 2022 Ferdinand Thiessen
- Update OVS to version 2.17.0
  * Userspace datapath:
  * Optimized flow lookups for datapath flows with simple match criteria.
  * New per-interface configuration knob 'other_config:tx-steering'.
  * Removed experimental tag for PMD Auto Load Balance.
  * New configuration knob 'other_config:n-offload-threads' to change the number of HW offloading threads.
  * DPDK:
  * EAL argument --socket-mem is no longer configured by default upon start-up. If dpdk-socket-mem and dpdk-alloc-mem are not specified, DPDK defaults will be used.
  * EAL argument --socket-limit no longer takes on the value of --socket-mem by default. 'other_config:dpdk-socket-limit' can be set equal to the 'other_config:dpdk-socket-mem' to preserve the legacy memory limiting behavior.
  * EAL argument --in-memory is applied by default if supported.
  * Add support for DPDK 21.11.
  * Forbid use of DPDK multiprocess feature.
  * Add support for running threads on cores >= RTE_MAX_LCORE.
  * Python: For SSL support, the use of the pyOpenSSL library has been replaced with the native 'ssl' module.
  * OVSDB:
  * Python library for OVSDB clients now also supports faster resynchronization with a clustered database after a brief disconnection, i.e. 'monitor_cond_since' monitoring method.
  * Major improvement in the performance of the OVSDB server.
  * OpenFlow:
  * Default selection method for select groups with up to 256 buckets is now dp_hash. Previously this was limited to 64 buckets. This change is mainly for the benefit of OVN load balancing configurations.
  * Encap & Decap action support for MPLS packet type.
- Update OVS to version 2.16.0
  * Fix CVE-2021-36980 (boo#1188524) openvswitch 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action
  * Removed support for 1024-bit Diffie-Hellman key exchange
  * Rate limiting configuration now supports setting packet-per-second limits in addition to the previously configurable byte rate settings.
  * OVSDB:
  * Introduced new database service model - "relay".
  * New command line options --record/--replay for ovsdb-server and ovsdb-client to record and replay all the incoming transactions, monitors, etc.
  * The Python Idl class now has a cooperative_yield() method
  * In ovs-vsctl and vtep-ctl, the "find" command now accept new operators {in} and {not-in}.
  * Various Userspace datapath improvements
  * ovs-ctl:
  * New option '--no-record-hostname' to disable hostname configuration in ovsdb on startup.
  * New command 'record-hostname-if-not-set' to update hostname in ovsdb.
  * ovs-appctl: Added ability to add and delete static mac entries using:
    'ovs-appctl fdb/add '
    'ovs-appctl fdb/del '
  * Linux datapath:
  * ovs-vswitchd will configure the kernel module using per-cpu dispatch mode (if available). This changes the way upcalls are delivered to user space in order to resolve a number of issues with per-vport dispatch.
  * New vswitchd unixctl command `dpif-netlink/dispatch-mode` will return the current dispatch mode for each datapath.
- Update OVS to version 2.15.0
  * OVSDB:
  * Changed format in which ovsdb transactions are stored in database files. Now each transaction contains diff of data instead of the whole new value of a column.
  * New unixctl command 'ovsdb-server/get-db-storage-status'
  * New unixctl command 'ovsdb-server/memory-trim-on-compaction on|off'.
  * Maximum backlog on RAFT connections limited to 500 messages or 4GB.
  * DPDK: Removed support for vhost-user dequeue zero-copy.
  * Add support for DPDK 20.11.
  * The environment variable OVS_UNBOUND_CONF, if set, is now used as the DNS resolver's (unbound) configuration file.
  * Linux datapath: Support for kernel versions up to 5.8.x.
  * Building the Linux kernel module from the OVS source tree is deprecated
  * Support for the Linux kernel is capped at version 5.8
  * Only bug fixes for the Linux OOT kernel module will be accepted.
  * The Linux kernel module will be fully removed from the OVS source tree in OVS branch 2.18
- Rebased 0001-Use-strongswan-for-openvswitch-ipsec-service.patch
- Drop upstream fixed 0001-Replace-deprecated-var-run-with-run.patch
- Separated OVN
  * Stand alone package, this enables better maintenance especially updates.
  * Drop 0001-Run-ovn-as-openvswitch-openvswitch.patch from OVN

* Mon May 10 2021 Dirk Müller
- add openssl(cli) dependency on pki (bsc#1185839)

* Thu Apr 29 2021 Jaime Caamaño Ruiz
- Replace deprecated /var/run with /run (bsc#1185176, bsc#1185177).
  * 0001-Replace-deprecated-var-run-with-run.patch

* Fri Feb 12 2021 Jaime Caamaño Ruiz
- Update openvswitch to 2.14.2. For a list of changes, check https://github.com/openvswitch/ovs/blob/v2.14.2/NEWS
  Includes security fix for CVE-2020-27827 (bsc#1181345) and CVE-2020-35498 (bsc#1181742).
- Removed patches no longer applying to code base:
  * 0001-rhel-Fix-reload-of-OVS_USER_ID-on-startup.patch
  * 0001-ipsec-Fix-Strongswan-configuration-syntax.patch