Patch release notes 1912b
Release notes for Vyatta NOS 1912b, released April 15, 2020.
Issues resolved
Issues resolved in release 1912b.
| Issue number | Priority | Summary |
|---|---|---|
| VRVDR-50483 | Blocker | Up-rev Ufi s9500 hardware diag |
| VRVDR-50482 | Blocker | Up-rev Ufi s9500 BSP to v309 |
| VRVDR-50431 | Blocker | Need to remove iommu=pt from vyatta VM kernel param |
| VRVDR-50402 | Blocker | PTP: Unable to use GPS as time or frequency source (GPS_bad_buff incrementing) |
| VRVDR-50373 | Blocker | CGNAT: Use all the addresses in a NAT pool prefix |
| VRVDR-50347 | Blocker | Create a per-subscriber count for 5-tuple sessions |
| VRVDR-50337 | Blocker | Allow select CGNAT public addresses to be shared by multiple subscribers |
| VRVDR-50194 | Blocker | Descrepancy between show cgnat sub active number of sessions and actual sessions |
| VRVDR-50024 | Blocker | CGNAT is mapping subscribers to the same public address |
| VRVDR-49991 | Blocker | Enable hardware platform reboot on NMI panic |
| VRVDR-49976 | Blocker | CGNAT interface failover |
| VRVDR-50500 | Critical | show vpn ike/ipsec sa broken on recent Fleetwood image |
| VRVDR-50467 | Critical | Marvell : Sometimes after dataplane crash front panel ports do not come up |
| VRVDR-50458 | Critical | Shutting down source interface stopping logging is broken |
| VRVDR-50360 | Critical | Use of uninitialized value when setting VPN commands |
| VRVDR-50336 | Critical | dataplane_test crash in npf_json_ruleset |
| VRVDR-50293 | Critical | Forwarded cross VRF traffic blackholed when SNAT is applied |
| VRVDR-50191 | Critical | Packet capture leaking mbufs under heavy load |
| VRVDR-50160 | Critical | IPsec RAVPN server terminates all clients when uses vfp configured |
| VRVDR-50130 | Critical | SNMP syslog traps not sent for target in VRF |
| VRVDR-50127 | Critical | SIAD QoS - PCP remark not working in trunk policy |
| VRVDR-50035 | Critical | TACACS+ cmd authz sent for local users |
| VRVDR-50031 | Critical | Flexware S/M/L : Ping fails when hardware switching disabled |
| VRVDR-50008 | Critical | Create CGNAT counter to count the creation of dest addr hash tables |
| VRVDR-49930 | Critical | PTP: BSP is unable to program the GPS during initialization |
| VRVDR-49844 | Critical | NAT64 not working from V6 to V4 with src prefix mapping |
| VRVDR-49828 | Critical | RAVPN:L2TP-Server: Tunnel fails to come to up state |
| VRVDR-49803 | Critical | NPF ALG incorrect use of cds_list_add_tail - possible memory corruption |
| VRVDR-49800 | Critical | IPsec RA VPN sever: EAP-TLS as authentication method (mandatory for macOS) |
| VRVDR-49750 | Critical | TACACS+ authz sent for user "*" on Bash path completion |
| VRVDR-49683 | Critical | 1908d performance issue with QoS seeing significant reduction in performance |
| VRVDR-49470 | Critical | ENTITY-MIB: Missing entPhysicalDescr OID |
| VRVDR-49468 | Critical | IPsec RA VPN server: push DNS server address to clients as attribute |
| VRVDR-49440 | Critical | VRRP Becomes MASTER After FAULT with Preemption False in Bonding Group |
| VRVDR-49429 | Critical | IPsec RA VPN server: per-profile client ID authentication filtering/matching |
| VRVDR-49171 | Critical | TACACS: Coredump observed at sssd.service |
| VRVDR-48861 | Critical | vyatta VNF creating extra RX queues |
| VRVDR-48229 | Critical | Changing tunnel Y uses vfpX features should be immediately applied |
| VRVDR-45066 | Critical | vyatta-security-vpn: check_file_in_config passed unsanitized user input / code injection |
| VRVDR-50514 | Major | Post restart vpn tunnel vfps not used on RAVPN server |
| VRVDR-50387 | Major | qemu-wrap.py script confusing libvirt/virsh |
| VRVDR-50376 | Major | Increase max number of clients of dp_events |
| VRVDR-50340 | Major | show cgnat session ... protocol udp doesn't return anything when giving a full filter |
| VRVDR-50332 | Major | PTP: add hardware diagnostic to show the DPLL status |
| VRVDR-50190 | Major | IPsec RAVPN server VFP state files not maintained |
| VRVDR-49951 | Major | SNMP errors during PTP configuration |
| VRVDR-49927 | Major | IPsec RA VPN server: enforce X.509 certificate with X.509 and EAP-TLS authentication method |
| VRVDR-49839 | Major | show vpn ike sa failure |
| VRVDR-49807 | Major | Separately report TCP and UDP port allocation exhaustion |
| VRVDR-49785 | Major | CGNAT: rate limiting of some CGNAT resource constraint log messages |
| VRVDR-49739 | Major | sFlow not sending packets out |
| VRVDR-49737 | Major | GUI displays wrong/different information than CLI |
| VRVDR-49707 | Major | vyatta-openvpn: code injection due to scripts in tmplscripts |
| VRVDR-49654 | Major | ONIE install fails with Invalid drive/partition |
| VRVDR-49643 | Major | SIAD: Interface with a copper SFP and speed/duplex set to 100M/Full working as 1GE |
| VRVDR-49627 | Major | clear cgnat session subscriber-address clears all CGNAT sessions |
| VRVDR-49510 | Major | Excessive number of rsyslog restarts at boot |
| VRVDR-49472 | Major | ENTITY-SENSOR-MIB: Incorrect OID values |
| VRVDR-49459 | Major | Ping monitor may send more packets than specified in "packets" |
| VRVDR-49439 | Major | Path Monitor does not handle fractional ping loss correctly |
| VRVDR-49108 | Major | systemd complains of bad settings in keepalived.service |
| VRVDR-47349 | Major | IPv6 VRRP version 3 config reload causes master to move to FAULT state - IPv6 interface link-local address not found |
| VRVDR-46531 | Major | VRRP IPv6 IPAO only enabled with link-local address |
| VRVDR-50250 | Minor | Memory leaks in sssd TACACS+ identity routines |
Security vulnerabilities resolved
Security vulnerabilities resolved in release 1912b.
| Issue number | CVSS | Advisory | Summary |
|---|---|---|---|
| VRVDR-50166 | 9.8 | DSA-4633-1 | CVE-2019-5436, CVE-2019-5481, CVE-2019-5482: Debian DSA-4633-1: curl - security update |
| VRVDR-50161 | 9.8 | DSA-4632-1 | CVE-2020-8597: Debian DSA-4632-1: ppp - security update |
| VRVDR-49832 | 9.8 | DSA-4616-1 | CVE-2019-15890, CVE-2020-7039, CVE-2020-1711: Debian DSA-4616-1: qemu – security update |
| VRVDR-49834 | 7.8 | DSA-4614-1 | CVE-2019-18634: Debian DSA-4614-1: sudo - security update |
Documentation errata
Errors with the IPsec Site-to-Site VPN Configuration Guide and LAN Interfaces Configuration Guide have been corrected in this release.
IPsec Site-to-Site VPN Configuration Guide
The Virtual Tunnel Interface Commands section documented the interfaces vti vtix mtu mtu command with the incorrect default MTU size of 1500. The correct default MTU size is 1428.
LAN Interfaces Configuration Guide
The Ethernet Link Bonding Interface Commands section for the interfaces bonding dpFbondx lacp-options mode command specified that active is the default mode in the Command Default section, but passive is the default mode in the Parameters section. The default mode is active.