os-vif is vulnerable to information disclosure. Users are able to view content of packets for instances belonging to other tenants sharing the same network. This is due to a hard-coded MAC aging time of 0 which disables MAC learning in linuxbridge and forces obligatory Ethernet flooding of non-local destinations.
www.openwall.com/lists/oss-security/2019/08/29/2
bugs.launchpad.net/os-vif/+bug/1837252
github.com/openstack/os-vif/commit/d29c6e77657eda4e8101c655a1e9407a171c413e
launchpad.net/bugs/1837252
review.opendev.org/#/c/672834/
review.opendev.org/#/c/678098/
review.opendev.org/672834
review.opendev.org/678098
security.openstack.org/ossa/OSSA-2019-004.html