Vyatta documentation

Learn how to install, configure, and operate the Vyatta Network Operating System (Vyatta NOS) and Orchestrator, which help drive our virtual networking and physical platforms portfolio.


Patch release notes 1912e

Release notes for Vyatta NOS 1912e, released July 6, 2020.

Issues resolved

Issues resolved in release 1912e.

Issue number | Priority | Summary
VRVDR-51957 | Blocker | Modeled copy command incorrectly enforcing ssh-known-host check in 1912e
VRVDR-51952 | Blocker | Group ownership for non ROOT files got changed to ssh @ 1912e
VRVDR-51937 | Blocker | show interface dataplane dp0xe<x> displays incorrect speed for copper ports when interface is down
VRVDR-51311 | Blocker | DAS Switch with 1912b seeing low rate of drops vs 1903m
VRVDR-51185 | Blocker | Link does not come up after swapping 1000BASE-T SFP for 1000BASE-X SFP
VRVDR-51066 | Blocker | 1908g performance hit with vCSR VNF scenario in small, medium and large platforms
VRVDR-51052 | Blocker | Traffic dropped in SIAD when jumbo frames are > 1522 bytes but under defined MTU limit
VRVDR-50939 | Blocker | BFD session retained in admin down state when interface is disabled
VRVDR-50920 | Blocker | SIAD - modeled copy with scp target is operationally unusable
VRVDR-50256 | Blocker | Login fails with recent master images - Error in service module
VRVDR-51639 | Critical | Response for request hardware-diag version takes much longer with 1912b
VRVDR-51619 | Critical | SIAD ACL: Ensure that rulesets which would exceed the TCAM are rejected
VRVDR-51616 | Critical | Storm Control triggered snmpd warning messages in journal
VRVDR-51543 | Critical | With multiple peers using the same local address, no authentication ids, and unique pre-shared keys IKEv1 based IPsec stuck in 'init' for all but one peer
VRVDR-51539 | Critical | Repeated FAL BCM "L3 Interface" for VSI 0 Syslog
VRVDR-51521 | Critical | NAT64 opd yang file missing required type field in 1908 and 1912
VRVDR-51518 | Critical | Dataplane performance fails for forward pkts when scatter mode driver is used
VRVDR-51385 | Critical | Dataplane Crash in next_hop_list_find_path_using_ifp
VRVDR-51345 | Critical | S9500-30XS: 100G Interface LED lit even when disabled
VRVDR-51295 | Critical | Changing speed on interface resets configured MTU to default
VRVDR-51179 | Critical | live-cd installs should not install all unique state
VRVDR-51148 | Critical | S9500 interface flaps when MTU is modified
VRVDR-51072 | Critical | L3 SIAD router not fragmenting packet size above MTU
VRVDR-51067 | Critical | DPDK VIRTIO driver does not support multiple MAC addresses
VRVDR-50927 | Critical | show interface data <port> phy not working correctly for Operator class users
VRVDR-50915 | Critical | Error generating /interfaces/backplane-state on SIAD
VRVDR-50874 | Critical | Storm control errors in 1912b
VRVDR-50559 | Critical | Error: /vyatta-cpu-history-client: GetState failure: Traceback
VRVDR-49808 | Critical | TACACS+ logins of users with "exotic" usernames fail when user isolation is enabled
VRVDR-49491 | Critical | User Isolation shared storage not accessible in Master image after upgrade
VRVDR-49231 | Critical | PPPoE Client - Not re-establishing dropped connection automatically
VRVDR-47530 | Critical | OSPF scaling: regression script fails bringing up many OSPF neighbors
VRVDR-51828 | Major | SIAD ACL: BCM SDK error when deleting ACL configuration
VRVDR-51483 | Major | Removing guest configuration fails with scripting error
VRVDR-51348 | Major | libsnmp-dev built from DANOS/net-snmp is not API compatible with libsnmp-dev from upstream
VRVDR-51247 | Major | S9500 - missing hw_rev.cfg file
VRVDR-51238 | Major | After broadcast storm, TACACS does not recover
VRVDR-51183 | Major | FAL neighbor del log is generated by dataplane for each ARP received for an unknown address
VRVDR-51008 | Major | When the /var/log partition exists journal files from previous installs are retained but not rotated
VRVDR-50075 | Major | Sandbox cleanup fails for deleted TACACS+ user with open sessions
VRVDR-49985 | Major | L3ACL: CLI command and validation for IPv6 ACL rules with fragment option
VRVDR-49959 | Major | Change the yang accepted on SIAD to refuse ACLs specifying 'protocol final'
VRVDR-49502 | Major | Login fails for isolated users whose name contains an underscore
VRVDR-49442 | Major | SNMP related syslog messages at wrong log level
VRVDR-48438 | Major | LACP causing interface to remain down
VRVDR-45369 | Major | show interface dataplane X physical incorrectly reports speed when down

Security vulnerabilities resolved

Security vulnerabilities resolved in release 1912e.

Issue number | CVSS | Advisory | Summary
VRVDR-50886 | 8.8 | DSA-4670-1 | CVE-2018-12900, CVE-2018-17000, CVE-2018-17100, CVE-2018-19210, CVE-2019-7663, CVE-2019-14973, CVE-2019-17546 : Debian DSA-4670-1 : tiff - security update
VRVDR-50498 | 8.8 | DSA-4646-1 | CVE-2020-10531: Debian DSA-4646-1 : icu - security update
VRVDR-51236 | 8.6 | DSA-4689-1 | CVE-2019-6477, CVE-2020-8616, CVE-2020-8617: Debian DSA-4689-1 : bind9 - security update
VRVDR-51526 | 7.8 | DSA-4699-1 | CVE-2019-19462, CVE-2019-3016, CVE-2020-0543, CVE-2020-10711, CVE-2020-10732, CVE-2020-10751, CVE-2020-10757, CVE-2020-12114, CVE-2020-12464, CVE-2020-12768, CVE-2020-12770, CVE-2020-13143: Debian DSA-4699-1 : linux - security update
VRVDR-51525 | 7.8 | DSA-4698-1 | CVE-2019-2182, CVE-2019-5108, CVE-2019-19319, CVE-2019-19462, CVE-2019-19768, CVE-2019-20806, CVE-2019-20811, CVE-2020-0543, CVE-2020-2732, CVE-2020-8428, CVE-2020-8647, CVE-2020-8648, CVE-2020-8649, CVE-2020-9383, CVE-2020-10711, CVE-2020-10732, CVE-2020-10751, CVE-2020-10757, CVE-2020-10942, CVE-2020-11494, CVE-2020-11565, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-12114, CVE-2020-12464, CVE-2020-12652, CVE-2020-12653, CVE-2020-12654, CVE-2020-12770, CVE-2020-13143: Debian DSA-4698-1 : linux - security update
VRVDR-50851 | 7.5 | DSA-4666-1 | CVE-2020-12243: Debian DSA-4666-1 : openldap - security update
VRVDR-50530 | 7.1 | DSA-4647-1 | CVE-2020-0556: Debian DSA-4647-1 : bluez - security update
VRVDR-51054 | 6.7 | DSA-4688-1 | CVE-2020-10722, CVE-2020-10723, CVE-2020-10724: Debian DSA-4688-1 : dpdk - security update
VRVDR-51142 | 5.5 | DSA-4685-1 | CVE-2020-3810: Debian DSA-4685-1 : apt - security update
VRVDR-44891 | N/A | N/A | opd does not escape input properly when completing commands

New L3 ACL commands

Release 1912e adds the following matches to the security ip-packet-filter command.

Source or destination port number, for TCP, UDP, UDP-Lite, DCCP, or SCTP

security ip-packet-filter group <group-name> rule <number> match destination port number <value>
security ip-packet-filter group <group-name> rule <number> match source port number <value>

DSCP, by name or by value

security ip-packet-filter group <group-name> rule <number> match dscp name (af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|af|va)
security ip-packet-filter group <group-name> rule <number> match dscp value <value>

TTL, a value of 1 or 255

security ip-packet-filter group <group-name> rule <number> match ttl equals <value>

IPv6 base and final fragment

security ip-packet-filter group <group-name> rule <number> match protocol base name ipv6-frag
security ip-packet-filter group <group-name> rule <number> match protocol final name ipv6-frag

ICMP type

  • ICMP type, and optionally code, for IPv4 and ICMPv6.
  • Matching by named combination of type and possibly code, matching by numeric type alone, or matching by numeric type and code.

  • For ICMPv6, also matching on a class: error, or info (that is, non-error).

security ip-packet-filter group <group-name> rule <number> match icmp name TOS-host-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-host-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-network-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-network-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name address-mask-reply
security ip-packet-filter group <group-name> rule <number> match icmp name address-mask-request
security ip-packet-filter group <group-name> rule <number> match icmp name communication-prohibited
security ip-packet-filter group <group-name> rule <number> match icmp name destination-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name echo-reply
security ip-packet-filter group <group-name> rule <number> match icmp name echo-request
security ip-packet-filter group <group-name> rule <number> match icmp name fragmentation-needed
security ip-packet-filter group <group-name> rule <number> match icmp name host-precedence-violation
security ip-packet-filter group <group-name> rule <number> match icmp name host-prohibited
security ip-packet-filter group <group-name> rule <number> match icmp name host-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name host-unknown
security ip-packet-filter group <group-name> rule <number> match icmp name host-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name ip-header-bad
security ip-packet-filter group <group-name> rule <number> match icmp name network-prohibited
security ip-packet-filter group <group-name> rule <number> match icmp name network-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name network-unknown
security ip-packet-filter group <group-name> rule <number> match icmp name network-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name parameter-problem
security ip-packet-filter group <group-name> rule <number> match icmp name port-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name precedence-cutoff
security ip-packet-filter group <group-name> rule <number> match icmp name protocol-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name redirect
security ip-packet-filter group <group-name> rule <number> match icmp name required-option-missing
security ip-packet-filter group <group-name> rule <number> match icmp name router-advertisement
security ip-packet-filter group <group-name> rule <number> match icmp name router-solicitation
security ip-packet-filter group <group-name> rule <number> match icmp name source-quench
security ip-packet-filter group <group-name> rule <number> match icmp name source-route-failed
security ip-packet-filter group <group-name> rule <number> match icmp name time-exceeded
security ip-packet-filter group <group-name> rule <number> match icmp name timestamp-reply
security ip-packet-filter group <group-name> rule <number> match icmp name timestamp-request
security ip-packet-filter group <group-name> rule <number> match icmp name ttl-zero-during-reassembly
security ip-packet-filter group <group-name> rule <number> match icmp name ttl-zero-during-transit
security ip-packet-filter group <group-name> rule <number> match icmp type <type-number>
security ip-packet-filter group <group-name> rule <number> match icmp type <type-number> code <value>
security ip-packet-filter group <group-name> rule <number> match icmpv6 class error
security ip-packet-filter group <group-name> rule <number> match icmpv6 class info
security ip-packet-filter group <group-name> rule <number> match icmpv6 name address-unreachable
security ip-packet-filter group <group-name> rule <number> match icmpv6 name bad-header
security ip-packet-filter group <group-name> rule <number> match icmpv6 name communication-prohibited
security ip-packet-filter group <group-name> rule <number> match icmpv6 name destination-unreachable
security ip-packet-filter group <group-name> rule <number> match icmpv6 name echo-reply
security ip-packet-filter group <group-name> rule <number> match icmpv6 name echo-request
security ip-packet-filter group <group-name> rule <number> match icmpv6 name mobile-prefix-advertisement
security ip-packet-filter group <group-name> rule <number> match icmpv6 name mobile-prefix-solicitation
security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-done
security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-query
security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-report
security ip-packet-filter group <group-name> rule <number> match icmpv6 name neighbor-advertisement
security ip-packet-filter group <group-name> rule <number> match icmpv6 name neighbor-solicitation
security ip-packet-filter group <group-name> rule <number> match icmpv6 name no-route
security ip-packet-filter group <group-name> rule <number> match icmpv6 name packet-too-big
security ip-packet-filter group <group-name> rule <number> match icmpv6 name parameter-problem
security ip-packet-filter group <group-name> rule <number> match icmpv6 name port-unreachable
security ip-packet-filter group <group-name> rule <number> match icmpv6 name redirect
security ip-packet-filter group <group-name> rule <number> match icmpv6 name router-advertisement
security ip-packet-filter group <group-name> rule <number> match icmpv6 name router-solicitation
security ip-packet-filter group <group-name> rule <number> match icmpv6 name time-exceeded
security ip-packet-filter group <group-name> rule <number> match icmpv6 name ttl-zero-during-reassembly
security ip-packet-filter group <group-name> rule <number> match icmpv6 name ttl-zero-during-transit
security ip-packet-filter group <group-name> rule <number> match icmpv6 name unknown-header-type
security ip-packet-filter group <group-name> rule <number> match icmpv6 name unknown-option
security ip-packet-filter group <group-name> rule <number> match icmpv6 type <type-number>
security ip-packet-filter group <group-name> rule <number> match icmpv6 type <type-number> code <value>