Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Show Page Sections

Patch release notes 1912a

Release notes for Vyatta NOS 1912a, released February 14, 2020.

Issues resolved

Issues resolved in release 1912a.

Issue numberPrioritySummary
VRVDR-49684BlockerDHCP services within VRF failed to start after enabling secure boot
VRVDR-49631BlockerPTP error message found on UFI06
VRVDR-49185BlockerIP Packet Filter not applied at boot-up
VRVDR-49031BlockerRA-VPN Server +VFP+default VRF : IPsec encryption failing on RA-VPN server for traffic destined or originated between end hosts connected behind the RA-VPN server/client
VRVDR-48728BlockerNetwork link down observed with VM built from vyatta-1908b-amd64-vrouter_20191010T1100-amd64-Build3.14.hybrid.iso
VRVDR-48593BlockerMellanox 100G: The dataplane interface is not up after disabling or enabling the interface
VRVDR-47473BlockerMellanox-100G: The interface (one interface out of two) link shows down after conf/deleting the mtu. Hence observing the traffic loss at that time
VRVDR-49822CriticalOnly shows peering with 16 nodes in show ptp clock 0
VRVDR-49735CriticalIPsec RA VPN: default VRF + VFP is blocking traffic which is supposed to be forwarded
VRVDR-49734CriticalStrongswan VRRP startup check breaks RA VPN server
VRVDR-49633Criticaltcp_auth_collapse NULL pointer dereference causes kernel panic during SYN flood
VRVDR-49618CriticalServo notifications always using attVrouterPtpServoFailure
VRVDR-49568CriticalFlexware XS and S: kernel panics on start after update to 4.19.93
VRVDR-49427CriticalBridge commit failure when changing both max-age and forwarding-delay
VRVDR-49417CriticalWrong counts for pkts matching 3-tuple but not 5-tuple
VRVDR-49415CriticalPython traceback with show cgnat session detail exclude-inner
VRVDR-49403CriticalLACP - vmxnet3 PMD unable to support additional MAC addresses
VRVDR-49376CriticalPTP: fails to issue clock servo recovery traps
VRVDR-49365CriticalRemote Syslog broken by source interface status changes
VRVDR-49350CriticalCGNAT - PCP session times outer sooner than expected
VRVDR-49344CriticalFirewall VFP acceptance tests broken by VRVDR-48094
VRVDR-48944CriticalSIAD Dataplane crash when removing Tunnels interface config
VRVDR-48371CriticalIPsec RA VPN - Unable to ping spoke after failover
VRVDR-48094CriticalIPsec RA VPN client/server: v4 traffic not working with when a concrete remote traffic-selector
VRVDR-46719CriticalPoor TCP performance in iperf over IPSEC VTI (expected ~600Mbps, actual ~2Mbps)
VRVDR-45071Criticalvyatta-security-vpn: vpn-config.pl: l2tp remote-access dhcp-interface "lo.tag;/tmp/bad.sh;echo " / code injection
VRVDR-45069Criticalvyatta-security-vpn: set security vpn rsa-keys local-key file "/tmp/bad.sh;/tmp/bad.sh" / code injection
VRVDR-45068Criticalvyatta-security-vpn: s2s tunnel protocol syntax script / code injection
VRVDR-45067Criticalvyatta-security-vpn: set security vpn ipsec site-to-site peer $CODE / code injection
VRVDR-45066Criticalvyatta-security-vpn: check_file_in_config passed unsanitized user input / code injection
VRVDR-45065Criticalvyatta-security-vpn-secrets: code injection
VRVDR-49630MajorIPsec got warning on committing site-2-site tunnel config Warning: unable to [VPN toggle net.ipv6.conf.intf.disable_xfrm], received error code 65280
VRVDR-49513MajorFailed to connect to system bus error messages
VRVDR-49426MajorMellanox-100G: kernel interface shows up even when dataplane is stopped.
VRVDR-49391MajorPTP: disable (by default) logging of the time adjustments by the IDT servo
VRVDR-49351MajorCGNAT: TCP session with only ext to int traffic does not time out
VRVDR-49119MajorDUT stops responding following anomolous DHCP-DISCOVER packet
VRVDR-49020MajorRA VPN: Spoke not forwarding with ESP: Replay check failed for SPI logs
VRVDR-48761MajorJ2: packets with too small IP length value forwarded rather than dropped
VRVDR-48663MajorNew SSH errors in 1903h make syslog more chatty
VRVDR-46641MajorIKE control-plane incorrectly assumes that the IPsec dataplane supports ESP Traffic Flow Confidentiality
VRVDR-49656MinorIDT servo is built without optimization
VRVDR-49584MinorGRE over IPsec in transport mode (IKEv1) - responder intermittently replies no acceptable traffic selectors found
VRVDR-49431MinorUse upstream fix for correcting link speed when link is down
VRVDR-45753MinorShare storage help text for size missing units

Security vulnerabilities resolved

Security vulnerabilities resolved in release 1912a.

Issue numberCVSSAdvisorySummary
VRVDR-496429.8DSA-4602-1CVE-2019-17349, CVE-2019-17350, CVE-2019-18420, CVE-2019-18421, CVE-2019-18422, CVE-2019-18423, CVE-2019-18424, CVE-2019-18425, CVE-2019-19577, CVE-2019-19578, CVE-2019-19579, CVE-2019-19580, CVE-2019-19581, CVE-2019-19582, CVE-2019-19583, CVE-2018-12207, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, CVE-2019-11135, CVE-2019-17348, CVE-2019-17347, CVE-2019-17346, CVE-2019-17345, CVE-2019-17344, CVE-2019-17343, CVE-2019-17342, CVE-2019-17341, CVE-2019-17340: Debian DSA-4602-1 : xen - security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)
VRVDR-494509.8DSA-4587-1CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255: Debian DSA-4587-1 : ruby2.3 - security update
VRVDR-491327.8DSA-4564-1CVE-2018-12207, CVE-2019-0154, CVE-2019-0155, CVE-2019-11135: Debian DSA-4564-1: linux – security update
VRVDR-494777.5DSA-4591-1CVE-2019-19906: Debian DSA-4591-1 : cyrus-sasl2 - security update
VRVDR-494865.3DSA-4594-1CVE-2019-1551: Debian DSA-4594-1 : openssl1.0 - security update
VRVDR-49728N/ADSA-4609-1CVE-2019-15795, CVE-2019-15796: Debian DSA-4609-1 : python-apt - security update

Hotfix command

1912a adds a new CLI command to simplify adding a new hotfix (a modified Debian package) to Vyatta NOS.

Note: This is a one-way operation, as you cannot uninstall a hotfix. With this command, you can only upgrade existing packages, and you cannot install new packages.
To preserve the original system state, use clone system image before installing a hotfix. After installation, you can verify hotfixes with either show system image image_name all or show version image image_name.
The following command introduces the hotfix:
add system image image_name packages list_of_pkgs
show system image image_name packages

To install hotfixes, you must have elevated privileges to avoid a security hole. This command should be available to only the most trusted users. The default ACM ruleset allows only users of the "superuser" level to execute the command.

The following commands configure this new rule:
# set system acm operational-ruleset rule 9970 action deny
# set system acm operational-ruleset rule 9970 command '/add/system/image/*/packages/*'
# set system acm operational-ruleset rule 9970 group vyattaop
# set system acm operational-ruleset rule 9970 group vyattaadm

If you are migrating an ACM ruleset from an earlier release, apply a similar rule to your existing ruleset.

With command authorization enabled, ACM rules do not apply to TACACS+ users. Therefore, verify your TACACS+ server configuration to make sure only appropriate users can execute this command.