Hi yaook users,

OVN has two CVEs that allows a user to read data from memory/packages they are not allowed to read. See also the advisory[1].

The following images are vulnerable:

    ovn images before 1.0.153
    yaook release before v2.2.0 and the version v2.2.0

If any of these images are used in your cluster, the cluster is vulnerable.

A new stable release will be published according to the release cycle.
You can upgrade to that release simply by updating your operators.

If you want to upgrade in advance you can pin your ovn image to
v24.09.3-1.0.153 in the neutron-operator (adjust the OpenStack version to the version you have deployed):

values:
  operator:
    extraEnv:
    - name: YAOOK_OP_VERSIONS_OVERRIDE
      value: |
        registry.yaook.cloud/yaook/ovn: registry.yaook.cloud/yaook/ovn:v24.09.3-1.0.153

Regards
Stefan

[1] https://yaook.cloud/security-advisories-cve-2026-5265-5367/

-- 
Stefan Hoffmann
DevOps Engineer

Cloud&Heat Technologies GmbH
Königsbrücker Straße 96 | 01099 Dresden
+49 351 479 367 36
stefan.hoffmann@cloudandheat.com | www.cloudandheat.com

Green, Open, Efficient.
Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden.
https://www.cloudandheat.com/

Commercial Register: District Court Dresden
Register Number: HRB 30549
VAT ID No.: DE281093504
Managing Director: Nicolas Röhrs
Authorized signatory: Dr. Marius Feldmann