Patch release notes 1912e
Release notes for Vyatta NOS 1912e, released July 6, 2020.
Issues resolved
Issues resolved in release 1912e.
Issue number | Priority | Summary |
---|---|---|
VRVDR-51957 | Blocker | Modeled copy command incorrectly enforcing ssh-known-host check in 1912e |
VRVDR-51952 | Blocker | Group ownership for non ROOT files got changed to ssh @ 1912e |
VRVDR-51937 | Blocker | show interface dataplane dp0xe<x> displays incorrect speed for copper ports when interface is down |
VRVDR-51311 | Blocker | DAS Switch with 1912b seeing low rate of drops vs 1903m |
VRVDR-51185 | Blocker | Link does not come up after swapping 1000BASE-T SFP for 1000BASE-X SFP |
VRVDR-51066 | Blocker | 1908g performance hit with vCSR VNF scenario in small, medium and large platforms |
VRVDR-51052 | Blocker | Traffic dropped in SIAD when jumbo frames are > 1522 bytes but under defined MTU limit |
VRVDR-50939 | Blocker | BFD session retained in admin down state when interface is disabled |
VRVDR-50920 | Blocker | SIAD - modeled copy with scp target is operationally unusable |
VRVDR-50256 | Blocker | Login fails with recent master images - Error in service module |
VRVDR-51639 | Critical | Response for request hardware-diag version takes much longer with 1912b |
VRVDR-51619 | Critical | SIAD ACL: Ensure that rulesets which would exceed the TCAM are rejected |
VRVDR-51616 | Critical | Storm Control triggered snmpd warning messages in journal |
VRVDR-51543 | Critical | With multiple peers using the same local address, no authentication ids, and unique pre-shared keys IKEv1 based IPsec stuck in 'init' for all but one peer |
VRVDR-51539 | Critical | Repeated FAL BCM "L3 Interface" for VSI 0 Syslog |
VRVDR-51521 | Critical | NAT64 opd yang file missing required type field in 1908 and 1912 |
VRVDR-51518 | Critical | Dataplane performance fails for forward pkts when scatter mode driver is used |
VRVDR-51385 | Critical | Dataplane Crash in next_hop_list_find_path_using_ifp |
VRVDR-51345 | Critical | S9500-30XS: 100G Interface LED lit even when disabled |
VRVDR-51295 | Critical | Changing speed on interface resets configured MTU to default |
VRVDR-51179 | Critical | live-cd installs should not install all unique state |
VRVDR-51148 | Critical | S9500 interface flaps when MTU is modified |
VRVDR-51072 | Critical | L3 SIAD router not fragmenting packet size above MTU |
VRVDR-51067 | Critical | DPDK VIRTIO driver does not support multiple MAC addresses |
VRVDR-50927 | Critical | show interface data <port> phy not working correctly for Operator class users |
VRVDR-50915 | Critical | Error generating /interfaces/backplane-state on SIAD |
VRVDR-50874 | Critical | Storm control errors in 1912b |
VRVDR-50559 | Critical | Error: /vyatta-cpu-history-client: GetState failure: Traceback |
VRVDR-49808 | Critical | TACACS+ logins of users with "exotic" usernames fail when user isolation is enabled |
VRVDR-49491 | Critical | User Isolation shared storage not accessible in Master image after upgrade |
VRVDR-49231 | Critical | PPPoE Client - Not re-establishing dropped connection automatically |
VRVDR-47530 | Critical | OSPF scaling: regression script fails bringing up many OSPF neighbors |
VRVDR-51828 | Major | SIAD ACL: BCM SDK error when deleting ACL configuration |
VRVDR-51483 | Major | Removing guest configuration fails with scripting error |
VRVDR-51348 | Major | libsnmp-dev built from DANOS/net-snmp is not API compatible with libsnmp-dev from upstream |
VRVDR-51247 | Major | S9500 - missing hw_rev.cfg file |
VRVDR-51238 | Major | After broadcast storm, TACACS does not recover |
VRVDR-51183 | Major | FAL neighbor del log is generated by dataplane for each ARP received for an unknown address |
VRVDR-51008 | Major | When the /var/log partition exists journal files from previous installs are retained but not rotated |
VRVDR-50075 | Major | Sandbox cleanup fails for deleted TACACS+ user with open sessions |
VRVDR-49985 | Major | L3ACL: CLI command and validation for IPv6 ACL rules with fragment option |
VRVDR-49959 | Major | Change the yang accepted on SIAD to refuse ACLs specifying 'protocol final' |
VRVDR-49502 | Major | Login fails for isolated users whose name contains an underscore |
VRVDR-49442 | Major | SNMP related syslog messages at wrong log level |
VRVDR-48438 | Major | LACP causing interface to remain down |
VRVDR-45369 | Major | show interface dataplane X physical incorrectly reports speed when down |
Security vulnerabilities resolved
Security vulnerabilities resolved in release 1912e.
Issue number | CVSS | Advisory | Summary |
---|---|---|---|
VRVDR-50886 | 8.8 | DSA-4670-1 | CVE-2018-12900, CVE-2018-17000, CVE-2018-17100, CVE-2018-19210, CVE-2019-7663, CVE-2019-14973, CVE-2019-17546 : Debian DSA-4670-1 : tiff - security update |
VRVDR-50498 | 8.8 | DSA-4646-1 | CVE-2020-10531: Debian DSA-4646-1 : icu - security update |
VRVDR-51236 | 8.6 | DSA-4689-1 | CVE-2019-6477, CVE-2020-8616, CVE-2020-8617: Debian DSA-4689-1 : bind9 - security update |
VRVDR-51526 | 7.8 | DSA-4699-1 | CVE-2019-19462, CVE-2019-3016, CVE-2020-0543, CVE-2020-10711, CVE-2020-10732, CVE-2020-10751, CVE-2020-10757, CVE-2020-12114, CVE-2020-12464, CVE-2020-12768, CVE-2020-12770, CVE-2020-13143: Debian DSA-4699-1 : linux - security update |
VRVDR-51525 | 7.8 | DSA-4698-1 | CVE-2019-2182, CVE-2019-5108, CVE-2019-19319, CVE-2019-19462, CVE-2019-19768, CVE-2019-20806, CVE-2019-20811, CVE-2020-0543, CVE-2020-2732, CVE-2020-8428, CVE-2020-8647, CVE-2020-8648, CVE-2020-8649, CVE-2020-9383, CVE-2020-10711, CVE-2020-10732, CVE-2020-10751, CVE-2020-10757, CVE-2020-10942, CVE-2020-11494, CVE-2020-11565, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-12114, CVE-2020-12464, CVE-2020-12652, CVE-2020-12653, CVE-2020-12654, CVE-2020-12770, CVE-2020-13143: Debian DSA-4698-1: linux – security update |
VRVDR-50851 | 7.5 | DSA-4666-1 | CVE-2020-12243: Debian DSA-4666-1 : openldap - security update |
VRVDR-50530 | 7.1 | DSA-4647-1 | CVE-2020-0556: Debian DSA-4647-1 : bluez - security update |
VRVDR-51054 | 6.7 | DSA-4688-1 | CVE-2020-10722, CVE-2020-10723, CVE-2020-10724: Debian DSA-4688-1 : dpdk - security update |
VRVDR-51142 | 5.5 | DSA-4685-1 | CVE-2020-3810: Debian DSA-4685-1 : apt - security update |
VRVDR-44891 | N/A | N/A | opd does not escape input properly when completing commands |
New L3 ACL commands
Release 1912e adds the following matches to the security ip-packet-filter command.
Source or destination port number, for TCP, UDP, UDP-Lite, DCCP, or SCTP
security ip-packet-filter group <group-name> rule <number> match destination port number <value>
security ip-packet-filter group <group-name> rule <number> match source port number <value>
DSCP, by name or by value
security ip-packet-filter group <group-name> rule <number> match dscp name (af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|af|va)
security ip-packet-filter group <group-name> rule <number> match dscp value <value>
TTL, a value of 1 or 255
security ip-packet-filter group <group-name> rule <number> match ttl equals <value>
IPv6 base and final fragment
security ip-packet-filter group <group-name> rule <number> match protocol base name ipv6-frag
security ip-packet-filter group <group-name> rule <number> match protocol final name ipv6-frag
ICMP type
- ICMP type, and optionally code, for IPv4 and ICMPv6. Matching can be by a named combination of type and possibly code, by numeric type alone, or by numeric type and code.
- For ICMPv6, also matching on a class, which is either error or info (that is, non-error).
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-host-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-host-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-network-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-network-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name address-mask-reply
security ip-packet-filter group <group-name> rule <number> match icmp name address-mask-request
security ip-packet-filter group <group-name> rule <number> match icmp name communication-prohibited
security ip-packet-filter group <group-name> rule <number> match icmp name destination-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name echo-reply
security ip-packet-filter group <group-name> rule <number> match icmp name echo-request
security ip-packet-filter group <group-name> rule <number> match icmp name fragmentation-needed
security ip-packet-filter group <group-name> rule <number> match icmp name host-precedence-violation
security ip-packet-filter group <group-name> rule <number> match icmp name host-prohibited
security ip-packet-filter group <group-name> rule <number> match icmp name host-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name host-unknown
security ip-packet-filter group <group-name> rule <number> match icmp name host-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name ip-header-bad
security ip-packet-filter group <group-name> rule <number> match icmp name network-prohibited
security ip-packet-filter group <group-name> rule <number> match icmp name network-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name network-unknown
security ip-packet-filter group <group-name> rule <number> match icmp name network-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name parameter-problem
security ip-packet-filter group <group-name> rule <number> match icmp name port-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name precedence-cutoff
security ip-packet-filter group <group-name> rule <number> match icmp name protocol-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name redirect
security ip-packet-filter group <group-name> rule <number> match icmp name required-option-missing
security ip-packet-filter group <group-name> rule <number> match icmp name router-advertisement
security ip-packet-filter group <group-name> rule <number> match icmp name router-solicitation
security ip-packet-filter group <group-name> rule <number> match icmp name source-quench
security ip-packet-filter group <group-name> rule <number> match icmp name source-route-failed
security ip-packet-filter group <group-name> rule <number> match icmp name time-exceeded
security ip-packet-filter group <group-name> rule <number> match icmp name timestamp-reply
security ip-packet-filter group <group-name> rule <number> match icmp name timestamp-request
security ip-packet-filter group <group-name> rule <number> match icmp name ttl-zero-during-reassembly
security ip-packet-filter group <group-name> rule <number> match icmp name ttl-zero-during-transit
security ip-packet-filter group <group-name> rule <number> match icmp type <type-number>
security ip-packet-filter group <group-name> rule <number> match icmp type <type-number> code <value>
security ip-packet-filter group <group-name> rule <number> match icmpv6 class error
security ip-packet-filter group <group-name> rule <number> match icmpv6 class info
security ip-packet-filter group <group-name> rule <number> match icmpv6 name address-unreachable
security ip-packet-filter group <group-name> rule <number> match icmpv6 name bad-header
security ip-packet-filter group <group-name> rule <number> match icmpv6 name communication-prohibited
security ip-packet-filter group <group-name> rule <number> match icmpv6 name destination-unreachable
security ip-packet-filter group <group-name> rule <number> match icmpv6 name echo-reply
security ip-packet-filter group <group-name> rule <number> match icmpv6 name echo-request
security ip-packet-filter group <group-name> rule <number> match icmpv6 name mobile-prefix-advertisement
security ip-packet-filter group <group-name> rule <number> match icmpv6 name mobile-prefix-solicitation
security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-done
security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-query
security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-report
security ip-packet-filter group <group-name> rule <number> match icmpv6 name neighbor-advertisement
security ip-packet-filter group <group-name> rule <number> match icmpv6 name neighbor-solicitation
security ip-packet-filter group <group-name> rule <number> match icmpv6 name no-route
security ip-packet-filter group <group-name> rule <number> match icmpv6 name packet-too-big
security ip-packet-filter group <group-name> rule <number> match icmpv6 name parameter-problem
security ip-packet-filter group <group-name> rule <number> match icmpv6 name port-unreachable
security ip-packet-filter group <group-name> rule <number> match icmpv6 name redirect
security ip-packet-filter group <group-name> rule <number> match icmpv6 name router-advertisement
security ip-packet-filter group <group-name> rule <number> match icmpv6 name router-solicitation
security ip-packet-filter group <group-name> rule <number> match icmpv6 name time-exceeded
security ip-packet-filter group <group-name> rule <number> match icmpv6 name ttl-zero-during-reassembly
security ip-packet-filter group <group-name> rule <number> match icmpv6 name ttl-zero-during-transit
security ip-packet-filter group <group-name> rule <number> match icmpv6 name unknown-header-type
security ip-packet-filter group <group-name> rule <number> match icmpv6 name unknown-option
security ip-packet-filter group <group-name> rule <number> match icmpv6 type <type-number>
security ip-packet-filter group <group-name> rule <number> match icmpv6 type <type-number> code <value>