Defects
The defects that have been resolved in this release are detailed in this section.
Security vulnerabilities
Security issues have been resolved in this release.
| Key | Summary |
|---|---|
| CVE-2013-5211 | Network Time Protocol (NTP) Mode 6 Scanner (VRVDR-37993) |
| CVE-2017-5754 | Debian DSA-4078-1: linux - security update (Meltdown) (VRVDR-39891) |
| CVE-2017-5753 | Debian DSA-4187-1, DSA-4188-1: Spectre aka. variant #1: (VRVDR-39909) |
| CVE-2017-3145 | Debian DSA-4089-1: bind9 - security update (VRVDR-40087) |
| CVE-2018-1000005, CVE-2018-1000007 | Debian DSA-4098-1 : curl - security update (VRVDR-40327) |
| CVE-2018-5334, CVE-2018-5335, CVE-2018-5336 | Debian DSA-4101-1: wireshark - security update (VRVDR-40398) |
| CVE-2017-10790, CVE-2018-6003 | Debian DSA-4106-1: libtasn1-6 - security update (VRVDR-40555) |
| CVE-2017-17563, CVE-2017-17564, CVE-2017-17565, CVE-2017-17566 | Debian DSA 4112-1: xen security update (VRVDR-40782) |
| CVE-2017-14632, CVE-2017-14633 | Debian DSA 4113-1: libvorbis security update (VRVDR-40783) |
| CVE-2018-6459 | Strongswan 5.6.x: denial-of-service vulnerability in the parser for RSASSA-PSS signatures (VRVDR-40821) |
| CVE-2018-7540, CVE-2018-7541, CVE-2018-7542 | Debian DSA 4131-1: xen security update (VRVDR-40991) |
| CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 | Debian DSA 4133-1: isc-dhcp security update (VRVDR-41041) |
| CVE-2018-7738 | Debian DSA-4134-1: util-linux - security update (VRVDR-41096) |
| CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 | Debian DSA-4136-1: curl - security update (VRVDR-41137) |
| CVE-2018-1064 CVE-2018-5748 CVE-2018-6764 | Debian DSA 4137-1: libvirt security update (VRVDR-41139) |
| CVE-2018-5146 | Debian DSA 4140-1: libvorbis security update (VRVDR-41172) |
| CVE-2018-6797, CVE-2018-6798, CVE-2018-6913 | Debian DSA-4172-1: perl - security update (VRVDR-41512) |
| CVE-2018-0494 | Debian DSA-4195-1: wget - security update (VRVDR-41795) |
| CVE-2018-1087, CVE-2018-8897 | Debian DSA-4196-1: linux - security update (VRVDR-41797) |
| CVE-2018-8897, CVE-2018-10471, CVE-2018-10472, CVE-2018-10981, CVE-2018-10982 | xen security update (VRVDR-41924) |
| CVE-2018-1000301 | Debian DSA-4202-1: curl - security update (VRVDR-41946) |
| CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126 | Debian DSA-4208-1: procps - security update (VRVDR-42006) |
| CVE-2018-3639 | speculative execution, variant 4: speculative store bypass / Specture v4 / Spectre-NG (VRVDR-42013) |
| CVE-2018-3639 | xen security update (VRVDR-42088) |
| CVE-2017-5715, CVE-2017-15038, CVE-2017-15119, CVE-2017-15124, CVE-2017-15268, CVE-2017-15289, CVE-2017-16845, CVE-2017-17381, CVE-2017-18043, CVE-2018-5683, CVE-2018-7550 | DSA 4213-1: qemu security update (VRVDR-42112) |
| CVE-2018-12020 | Debian DSA-4222-1: gnupg2 - security update (VRVDR-42284) |
| CVE-2018-0495 | Debian DSA-4231-1: Debian DLA-1405-1: libgcrypt20 - security update (VRVDR-42383) |
| CVE-2018-3665 | DSA 4232-1: xen security update (VRVDR-42427) |
| CVE-2018-5390, CVE-2018-13405 | DSA 4266-1: linux security update (VRVDR-43111) |
Resolved issues
Customer issues have been resolved in this release.
| Component | Key | Summary |
|---|---|---|
| RA_VPN | VRVDR-36378 | Client behind NAT is unable to connect to L2TP server |
| Firewall | VRVDR-38978 | ZBF doesn't allow stateful tracking for locally sourced traffic |
| Interfaces | VRVDR-39271 | Once a week dp0bond0 and dp0bond1 interfaces goes down on their Master |
| DHCP | VRVDR-39529 | DHCP server failover is not synchronizing databases |
| VRRP | VRVDR-39710 | When rfc-compatibility is enabled in a VRRP instance, Vyatta does not respond to icmp requests |
| NAT | VRVDR-39729 | dataplane crashes when NAT resource group address has /31 mask |
| Bonding | VRVDR-39750 | The show interface dataplane <bond-vif> CLI shows interface statistics but is not a tab completion option under show interface dataplane |
| Firewall | VRVDR-39772 | The show log and show log firewall name <FW-RULE> command no longer displays firewall logs |
| VRRP | VRVDR-39802 | Mastership roles back from backup to primary with preempt false |
| Bonding | VRVDR-39829 | Bond fails after packet duplication is observed intermittently in production |
| Bonding | VRVDR-39854 | Bond interface down after DATAPLANE: ESP: Head room inc failed |
| QinQ | VRVDR-39860 | Commit doesn't complete and Rollback doesn't complete properly |
| VRRP/GRE | VRVDR-39863 | VRRP fails over when customer removes routing-instance with GRE associated and tunnel local-address is part of VRRP |
| NAT | VRVDR-39864 | Solution needed: SNAT for internally sourced traffic while externally sourced traffic must pass without translation |
| Firewall | VRVDR-39865 | non-unique ICMP states for pings between windows hosts |
| Dataplane | VRVDR-39871 | Ping RTT regression |
| Config Infrastructure | VRVDR-39922 | When deleting a subnet from resource group, the compare command shows incorrect information/output |
| NAT | VRVDR-39985 | TCP DF Packets larger than GRE tunnel MTU are dropped with no ICMP fragmentation needed returned |
| Firewall | VRVDR-39991 | Stateful firewall drops packets between 2 subnets on the same interface |
| IPsec/VPN | VRVDR-40085 | PB-IPsec is not working when pinging between loopback interfaces on the Vyatta NOS themselves. |
| NAT | VRVDR-40210 | NAT ICMP error handling for checksum disabled UDP is wrong |
| NAT | VRVDR-40211 | delete session-table source <IP-address:port> and delete session-table destination <IP-address:port> do not work on 17.2.0 |
| Installer | VRVDR-40281 | After upgrading from 5.2 to more recent version error -vbash: show: command not found in operation mode |
| System | VRVDR-40328 | cloud-init images takes a long time to boot |
| Bonding | VRVDR-40497 | ARP doesn't work over bonded SR-IOV interface |
| IPsec/VPN | VRVDR-40644 | IKEv1: QUICK_MODE re-transmits are not handled correctly |
| Bridging | VRVDR-40857 | vhost-bridge does not come up for tagged vlan with interface names of a certain length. |
| IPsec/VPN | VRVDR-40858 | VTI interface showing MTU 1428 causing TCP PMTU issues |
| Firewall | VRVDR-40886 | Combining icmp name <value> with a number of other configuration for the rule will cause FW to not load |
| SNMP | VRVDR-40920 | With 127.0.0.1 as listen-address snmpd does not start |
| ALG | VRVDR-40927 | DNAT: SDP in SIP 200 OK not translated when it follows a 183 Response |
| NAT | VRVDR-40940 | dataplane crash related to NAT/Firewall |
| IPsec/VPN | VRVDR-40967 | disabling IPv6 forwarding prevents routing of vti sourced IPv4 packets |
| Bridging | VRVDR-40988 | vhost not starting when vSRX image is used with certain number of interfaces |
| NAT | VRVDR-41074 | PBR is not working correctly in SNAT and DNAT setup where customer wants to hide ip add |
| BGP | VRVDR-41088 | Extended (4 byte) ASN not represented internally as unsigned type |
| Interfaces | VRVDR-41225 | When configuring interface description, every white space is treated as a new line |
| Firewall | VRVDR-41252 | With unbound VTI in zone-policy, drop rule is bypassed depending on commit order of zone rules. |
| GRE | VRVDR-41266 | Static route leaking to VRF does not transit traffic across mGRE tunnel after reboot |
| Bonding | VRVDR-41469 | One interface link down - bond is not carrying traffic |
| VRRP | VRVDR-41481 | VRRP on bond interface does not send VRRP advertisement |
| DNS | VRVDR-41536 | dnsmasq service start-init limit hit when adding more than 4 static host entries if dns forwarding is enabled |
| Dataplane | VRVDR-41558 | The reported timestamps in packet traces are not consistent with the actual time and system clock |
| IPv6 | VRVDR-41628 | Route/prefix from router-advertisement active in kernel and dataplane but ignored by RIB |
| ALG | VRVDR-41834 | NAT: SIP BYE not translated/forwarded if send by called party |
| IPsec/VPN/VRRP | VRVDR-41906 | PMTU discovery fails as ICMP Type 3 code 4 messages are sent out from wrong source ip |
| IPsec/VPN/VRRP | VRVDR-41944 | After VRRP fail-over some VTI tunnels fail to re-establish until a 'vpn restart' or peer reset is issued |
| NAT | VRVDR-41957 | Bi-Directional NAT'd packets too large for GRE fail to return ICMP Type 3 Code 4 |
| sFlow | VRVDR-42027 | SFLOW using incorrect input ifIndex |
| IPsec/VPN | VRVDR-42084 | vfp interface marked as non-dataplane interface in show dataplane route when nat/ipsec config is re-applied |
| SSH | VRVDR-42108 | After 25s ssh login delay systemctl --user status fails with Failed to connect to bus: No such file or directory |
| Flow Accounting | VRVDR-42244 | Flow-monitoring only exports 1000 samples to collector |
| VRRP | VRVDR-42283 | VRRP state changes to FAULT for all interfaces when a vif interface ip is deleted |
| IPsec/VPN | VRVDR-42335 | IPSEC: remote-id hostname behavior changes from 5400 to 5600 |
| OSPF | VRVDR-42362 | OSPF route reset from remote end once standby Vyatta device reboot |
| TACACS | VRVDR-42483 | TACACS authentication failing |
| BGP | VRVDR-42635 | bgp redistribute route-map policy change does not take effect |
| System | VRVDR-42718 | Config-sync incorrect sync status |
| System | VRVDR-42774 | x710 (i40e) driver sending flow control frames at very high rates |
| IPsec/VPN | VRVDR-42826 | With remote-id 0.0.0.0 peer negotiation fails due to pre-shared-key mismatch |
| SNMP | VRVDR-43157 | When tunnel bounces SNMP trap is not properly generated. |
Known issues
The known issues in this release have been identified.
| Component | Key | Summary |
|---|---|---|
| IPsec/VPN | VRVDR-42135 | dead-peer-detection hold not functional / XFRM acquire handling missing (was: IPsec tunnel UP but not passing data) |
| VRRP | VRVDR-42692 | VRRP configurations under switch group not supported |
| OSPF | VRVDR-42820 | Trying to get ROUTE-MAPS to work correctly. |
| Hypervisor | VRVDR-43145 | VM management improvements - run VM start/stop script asynchronously and provide CLI to force shutdown a VM |
| IPsec/VPN | VRVDR-43174 | show vpn ike sa peer command does not work |
| IPsec/VPN | VRVDR-43186 | RAC Failover not working - source IP not selected correctly |
| IPsec/VPN | VRVDR-43193 | WIth RAC traceroute does not work for traffic destined over the tunnel |