From 239ec3826a74c4f3ffb1239cc574f95c6097c631 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Thu, 8 Jul 2021 20:49:35 +0000
Subject: [PATCH] Add OSSA-2021-001 (CVE-2021-20267)
Change-Id: I6bcc8392831efbdc7759b0ed5340023bb0440c85
Closes-Bug: #1902917
---
ossa/OSSA-2021-001.yaml | 67 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 67 insertions(+)
create mode 100644 ossa/OSSA-2021-001.yaml
diff --git a/ossa/OSSA-2021-001.yaml b/ossa/OSSA-2021-001.yaml
new file mode 100644
index 0000000..728d077
--- /dev/null
+++ b/ossa/OSSA-2021-001.yaml
@@ -0,0 +1,67 @@
+date: 2021-07-08
+
+id: OSSA-2021-001
+
+title: Anti-spoofing bypass for Open vSwitch networks
+
+description: >
+ David Sinquin with Gandi.net reported a vulnerability in Neutron's default
+ Open vSwitch firewall rules. By sending carefully crafted packets, anyone in
+ control of a server instance connected to the virtual switch can impersonate
+ the IPv6 addresses of other systems on the network, resulting in denial of
+ service or in some cases possibly interception of traffic intended for other
+ destinations. Only deployments using the Open vSwitch driver are affected.
+
+affected-products:
+ - product: Neutron
+ version: '<16.3.3, >=17.0.0 <17.1.3, =18.0.0'
+
+vulnerabilities:
+ - cve-id: CVE-2021-20267
+
+reporters:
+ - name: David Sinquin
+ affiliation: Gandi.net
+ reported:
+ - CVE-2021-20267
+
+issues:
+ links:
+ - https://launchpad.net/bugs/1902917
+
+reviews:
+ xena:
+ - https://review.opendev.org/783743
+
+ wallaby:
+ - https://review.opendev.org/776599
+ - https://review.opendev.org/791464
+
+ victoria:
+ - https://review.opendev.org/777783
+ - https://review.opendev.org/791465
+
+ ussuri:
+ - https://review.opendev.org/777784
+ - https://review.opendev.org/791467
+
+ train:
+ - https://review.opendev.org/777785
+ - https://review.opendev.org/791468
+
+ stein:
+ - https://review.opendev.org/777872
+ - https://review.opendev.org/791500
+
+ rocky:
+ - https://review.opendev.org/777786
+ - https://review.opendev.org/791469
+
+ queens:
+ - https://review.opendev.org/777873
+ - https://review.opendev.org/791470
+
+notes:
+ - The stable/train, stable/stein, stable/rocky, and stable/queens branches
+ are under extended maintenance and will receive no new point releases, but
+ patches for them are provided as a courtesy.
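Review bot: The last range in the `version` string under `affected-products` is written `=18.0.0`, with a single `=`, while the other ranges use ordinary comparison operators (`<16.3.3`, `>=17.0.0 <17.1.3`). If the rendered advisory or any downstream consumer reads these as pip-style version specifiers, the exact-match form would be `==18.0.0`, giving `version: '<16.3.3, >=17.0.0 <17.1.3, ==18.0.0'`. This is worth checking against how earlier OSSA files in this repository spell an exact version, since operators and scanners rely on this field to decide whether an 18.0.0 deployment is affected. Separately, the `notes` entry says the train, stein, rocky and queens branches will get no point release, so it may help to say explicitly there that operators on those branches need to apply the linked reviews themselves.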