Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Show Page Sections

Patch release notes 1912b

Release notes for Vyatta NOS 1912b, released April 15, 2020.

Issues resolved

Issues resolved in release 1912b.

Issue numberPrioritySummary
VRVDR-50483BlockerUp-rev Ufi s9500 hardware diag
VRVDR-50482BlockerUp-rev Ufi s9500 BSP to v309
VRVDR-50431BlockerNeed to remove iommu=pt from vyatta VM kernel param
VRVDR-50402BlockerPTP: Unable to use GPS as time or frequency source (GPS_bad_buff incrementing)
VRVDR-50373BlockerCGNAT: Use all the addresses in a NAT pool prefix
VRVDR-50347BlockerCreate a per-subscriber count for 5-tuple sessions
VRVDR-50337BlockerAllow select CGNAT public addresses to be shared by multiple subscribers
VRVDR-50194BlockerDescrepancy between show cgnat sub active number of sessions and actual sessions
VRVDR-50024BlockerCGNAT is mapping subscribers to the same public address
VRVDR-49991BlockerEnable hardware platform reboot on NMI panic
VRVDR-49976BlockerCGNAT interface failover
VRVDR-50500Criticalshow vpn ike/ipsec sa broken on recent Fleetwood image
VRVDR-50467CriticalMarvell : Sometimes after dataplane crash front panel ports do not come up
VRVDR-50458CriticalShutting down source interface stopping logging is broken
VRVDR-50360CriticalUse of uninitialized value when setting VPN commands
VRVDR-50336Criticaldataplane_test crash in npf_json_ruleset
VRVDR-50293CriticalForwarded cross VRF traffic blackholed when SNAT is applied
VRVDR-50191CriticalPacket capture leaking mbufs under heavy load
VRVDR-50160CriticalIPsec RAVPN server terminates all clients when uses vfp configured
VRVDR-50130CriticalSNMP syslog traps not sent for target in VRF
VRVDR-50127CriticalSIAD QoS - PCP remark not working in trunk policy
VRVDR-50035CriticalTACACS+ cmd authz sent for local users
VRVDR-50031CriticalFlexware S/M/L : Ping fails when hardware switching disabled
VRVDR-50008CriticalCreate CGNAT counter to count the creation of dest addr hash tables
VRVDR-49930CriticalPTP: BSP is unable to program the GPS during initialization
VRVDR-49844CriticalNAT64 not working from V6 to V4 with src prefix mapping
VRVDR-49828CriticalRAVPN:L2TP-Server: Tunnel fails to come to up state
VRVDR-49803CriticalNPF ALG incorrect use of cds_list_add_tail - possible memory corruption
VRVDR-49800CriticalIPsec RA VPN sever: EAP-TLS as authentication method (mandatory for macOS)
VRVDR-49750CriticalTACACS+ authz sent for user "*" on Bash path completion
VRVDR-49683Critical1908d performance issue with QoS seeing significant reduction in performance
VRVDR-49470CriticalENTITY-MIB: Missing entPhysicalDescr OID
VRVDR-49468CriticalIPsec RA VPN server: push DNS server address to clients as attribute
VRVDR-49440CriticalVRRP Becomes MASTER After FAULT with Preemption False in Bonding Group
VRVDR-49429CriticalIPsec RA VPN server: per-profile client ID authentication filtering/matching
VRVDR-49171CriticalTACACS: Coredump observed at sssd.service
VRVDR-48861Criticalvyatta VNF creating extra RX queues
VRVDR-48229CriticalChanging tunnel Y uses vfpX features should be immediately applied
VRVDR-45066Criticalvyatta-security-vpn: check_file_in_config passed unsanitized user input / code injection
VRVDR-50514MajorPost restart vpn tunnel vfps not used on RAVPN server
VRVDR-50387Majorqemu-wrap.py script confusing libvirt/virsh
VRVDR-50376MajorIncrease max number of clients of dp_events
VRVDR-50340Majorshow cgnat session ... protocol udp doesn't return anything when giving a full filter
VRVDR-50332MajorPTP: add hardware diagnostic to show the DPLL status
VRVDR-50190MajorIPsec RAVPN server VFP state files not maintained
VRVDR-49951MajorSNMP errors during PTP configuration
VRVDR-49927MajorIPsec RA VPN server: enforce X.509 certificate with X.509 and EAP-TLS authentication method
VRVDR-49839Majorshow vpn ike sa failure
VRVDR-49807MajorSeparately report TCP and UDP port allocation exhaustion
VRVDR-49785MajorCGNAT: rate limiting of some CGNAT resource constraint log messages
VRVDR-49739MajorsFlow not sending packets out
VRVDR-49737MajorGUI displays wrong/different information than CLI
VRVDR-49707Majorvyatta-openvpn: code injection due to scripts in tmplscripts
VRVDR-49654MajorONIE install fails with Invalid drive/partition
VRVDR-49643MajorSIAD: Interface with a copper SFP and speed/duplex set to 100M/Full working as 1GE
VRVDR-49627Majorclear cgnat session subscriber-address clears all CGNAT sessions
VRVDR-49510MajorExcessive number of rsyslog restarts at boot
VRVDR-49472MajorENTITY-SENSOR-MIB: Incorrect OID values
VRVDR-49459MajorPing monitor may send more packets than specified in "packets"
VRVDR-49439MajorPath Monitor does not handle fractional ping loss correctly
VRVDR-49108Majorsystemd complains of bad settings in keepalived.service
VRVDR-47349MajorIPv6 VRRP version 3 config reload causes master to move to FAULT state - IPv6 interface link-local address not found
VRVDR-46531MajorVRRP IPv6 IPAO only enabled with link-local address
VRVDR-50250MinorMemory leaks in sssd TACACS+ identity routines

Security vulnerabilities resolved

Security vulnerabilities resolved in release 1912b.

Issue numberCVSSAdvisorySummary
VRVDR-501669.8DSA-4633-1CVE-2019-5436, CVE-2019-5481, CVE-2019-5482: Debian DSA-4633-1: curl - security update
VRVDR-501619.8DSA-4632-1CVE-2020-8597: Debian DSA-4632-1: ppp - security update
VRVDR-498329.8DSA-4616-1CVE-2019-15890, CVE-2020-7039, CVE-2020-1711: Debian DSA-4616-1: qemu – security update
VRVDR-498347.8DSA-4614-1CVE-2019-18634: Debian DSA-4614-1: sudo - security update

Documentation errata

Errors with the IPsec Site-to-Site VPN Configuration Guide and LAN Interfaces Configuration Guide have been corrected in this release.

IPsec Site-to-Site VPN Configuration Guide

The Virtual Tunnel Interface Commands section documented the interfaces vti vtix mtu mtu command with the incorrect default MTU size of 1500. The correct default MTU size is 1428.

LAN Interfaces Configuration Guide

The Ethernet Link Bonding Interface Commands section for the interfaces bonding dpFbondx lacp-options mode command specified that active is the default mode in the Command Default section, but passive is the default mode in the Parameters section. The default mode is active.