Patch release notes 2005a
Release notes for Vyatta NOS 2005a, released August 12, 2020.
Issues resolved
Issues resolved in release 2005a.
Issue number | Priority | Summary |
---|---|---|
VRVDR-52505 | Blocker | Coredump triggered by vyatta-dataplane restart in bfd_main_destroy |
VRVDR-52459 | Blocker | BFD IPv4 packet punting for hardware sessions does not work with cpp-rate-limiter |
VRVDR-52453 | Blocker | IPv4 BFD sessions not updating negotiated tx value after config change |
VRVDR-52371 | Blocker | DHCP lease refused |
VRVDR-52369 | Blocker | Adding authentication to a running BFD session does not take effect |
VRVDR-52363 | Blocker | IPv6 BFD sessions stuck Down if neighbour brings session AdminDown then restarts BFD |
VRVDR-52362 | Blocker | Dataplane crash seen when unconfiguring BFD |
VRVDR-52344 | Blocker | DSCP marking not done for IPv4 BFD packets generated in hardware |
VRVDR-52284 | Blocker | S9500 - 'request hardware-diag version' command missing product name, reporting eeprom error |
VRVDR-52278 | Blocker | S9500 - upgrade HW diags to v3.1.10 |
VRVDR-52223 | Blocker | Applying QoS policy to switchport interface breaks BFD |
VRVDR-51981 | Blocker | HW BFD sends control frame with Poll and Final bits both set during session init |
VRVDR-51957 | Blocker | Modelled copy command incorrectly enforcing ssh-known-host check in 1912e |
VRVDR-51952 | Blocker | Group ownership for non ROOT files got changed to ssh @ 1912e |
VRVDR-51937 | Blocker | show interface dataplane dp0xe<x> displays incorrect speed for copper ports when interface is down |
VRVDR-51818 | Blocker | PTP: FAL_BCM: Failed to set TOD-In for PTP clock 0: Internal error after reboot/power_cycle |
VRVDR-51489 | Blocker | PTP time/phase not locked over IPv6 transport mode |
VRVDR-51481 | Blocker | Add support for UfiSpace Apollo NCP1-1 PVT revisions |
VRVDR-51465 | Blocker | Restore (opt-out) collection of shell history in tech-support |
VRVDR-51311 | Blocker | DAS Switch with 1912b seeing low rate of drops vs 1903m |
VRVDR-51303 | Blocker | Hardware-switched traffic goes out untagged over bonding interface contrary to configuration |
VRVDR-51185 | Blocker | Link doesn't come up after swapping 1000BASE-T SFP for 1000BASE-X SFP |
VRVDR-51152 | Blocker | QoS policy applied via netconf causes commit fail |
VRVDR-51066 | Blocker | 1908g performance hit with vCSR VNF scenario in Small, Medium and Large platforms |
VRVDR-50939 | Blocker | BFD session retained in admin down state when interface is disabled |
VRVDR-50920 | Blocker | SIAD - modelled copy with scp target is operationally unusable |
VRVDR-50825 | Blocker | Dataplane crash seen during control-plane policing tests |
VRVDR-50687 | Blocker | Garbage counter values shown in BFD output |
VRVDR-50627 | Blocker | BFD Auth should be blocked at CLI on SIAD |
VRVDR-50517 | Blocker | SIAD: IPv6 Hardware BFD over link-local addresses not coming up correctly |
VRVDR-52467 | Critical | BFD V6: Session created in HW with wrong local diag |
VRVDR-52418 | Critical | BFD IPv4 session creation fails if the peer sets the Control Plane Independent flag |
VRVDR-52413 | Critical | IPv6 BFD session stuck in poll loop when Admin Down after a config change |
VRVDR-52409 | Critical | IPv6 BFD Neg Rx/Neg Tx values only update once every 30s |
VRVDR-52353 | Critical | BFD session gets stuck in software when new preferred tx interface appears with no neighbor |
VRVDR-52249 | Critical | Multi-hop BFD sessions all go down when one nexthop interface is taken down |
VRVDR-52243 | Critical | IPv6 BFD sessions not reflecting correct timer values after negotiating a change |
VRVDR-52240 | Critical | PTP: With apts profile the following is seen in journalctl Error: /service/ptp/state: Failed to process returned data for (*schema.container)state: Error: /instance-list/0/apts-ds/asymmetry-history: Doesn't match schema |
VRVDR-52182 | Critical | Occasional divide-by-zero crash in BFD cleanup |
VRVDR-52152 | Critical | PTP: Use monotonic time for semaphores and mutexes |
VRVDR-52151 | Critical | Dataplane crash on restart with a HW BFD session configured |
VRVDR-52134 | Critical | Crash in BCM libs when cycling BFD config in and out multiple times |
VRVDR-52128 | Critical | Exceeding HW BFD platform memory during peer negotiation repeatedly logs errors |
VRVDR-52126 | Critical | BFD sessions sometimes failing to program in hardware with tx-gport error |
VRVDR-52122 | Critical | Poll bit not set on first control frame for transition from Down to Up |
VRVDR-52115 | Critical | Memory use after free when deleting storm control profile |
VRVDR-52049 | Critical | monitor interfaces dataplane <int> traffic stops packet on that interface |
VRVDR-51989 | Critical | HW BFD allows users to configure more templates than the hardware is capable of using |
VRVDR-51946 | Critical | For-us packets dropped when configuring CPP followed by breakout |
VRVDR-51860 | Critical | Dataplane crashes with SEGV/FPE signal in BFD cleanup scenario with OSPF/BGP |
VRVDR-51825 | Critical | Log flooded with FAL_BCM ... for key bfd messages |
VRVDR-51754 | Critical | Readonly account failed to stay in after log on |
VRVDR-51748 | Critical | DHCP server assigns IPv6 address to directly connected or non-directly connected interface (via relay) with /128 subnet even though subnet pool is defined in /64 network
VRVDR-51747 | Critical | BFD not tracking trackers properly |
VRVDR-51639 | Critical | Response for request hardware-diag version takes much longer with 1912b |
VRVDR-51619 | Critical | SIAD ACL: Ensure that rulesets which would exceed the TCAM are rejected |
VRVDR-51616 | Critical | Storm Control triggered snmpd warning messages in journal |
VRVDR-51554 | Critical | Configuring ingress-map and show map platform ingress crashes dataplane |
VRVDR-51522 | Critical | BFD status misreported or even restarted when config is removed |
VRVDR-51518 | Critical | Dataplane performance fails for forward pkts when scatter mode driver is used |
VRVDR-51480 | Critical | Crash in mdb_db_infos_fec_hierarchy_info_fec_id_range_start_get on failing to init on J2 |
VRVDR-51455 | Critical | Bad file descriptor (src/epoll.cpp:100) when applying config |
VRVDR-51406 | Critical | All traffic dropped for traffic type after removing traffic type from storm control profile |
VRVDR-51385 | Critical | Dataplane crash in next_hop_list_find_path_using_ifp |
VRVDR-51377 | Critical | Stack overflow after removing a LAG member |
VRVDR-51345 | Critical | S9500-30XS: 100G Interface LED lit even when disabled |
VRVDR-51344 | Critical | S9500-30XS: 10G Interface LED sometimes lit when interface is disabled |
VRVDR-51340 | Critical | IPv6 route is not withdrawn from OSPFv3 database when adv router is rebooted |
VRVDR-51330 | Critical | When OAM is not configured, untrapped packets may be treated as trapped
VRVDR-51305 | Critical | VRF-leaking: RIBD crash when deleting interface from routing-instance; leaked route to other VRF updated as default type, and after configuring the interface back into the routing-instance, leaked routes show as inactive
VRVDR-51298 | Critical | PTP: config parser will not accept expected range of values for log-announce-interval |
VRVDR-51295 | Critical | Changing speed on interface resets configured MTU to default |
VRVDR-51240 | Critical | OSPFv3 session flap in NSSA area when advertise/withdraw the BGP/connected routes into OSPFv3 via redistribution |
VRVDR-51179 | Critical | live-cd installs should not install all unique state |
VRVDR-51165 | Critical | monitor dataplane doesn't work |
VRVDR-51148 | Critical | S9500 interface flaps when MTU is modified |
VRVDR-51135 | Critical | NTP client remains sync'd with server even though source interface has no address |
VRVDR-51108 | Critical | QoS - NETCONF Error: /policy/qos/state: An unexpected element is present |
VRVDR-51100 | Critical | Dataplane crash in get_switch_dev_info when running "show interfaces extensive" |
VRVDR-51099 | Critical | Restarting guest fails with timeout |
VRVDR-51072 | Critical | L3 SIAD router not fragmenting packet size above MTU |
VRVDR-51067 | Critical | DPDK VIRTIO driver does not support multiple MAC addresses |
VRVDR-51042 | Critical | PTP: Dataplane crash occurs during shutdown phase whilst rebooting |
VRVDR-50960 | Critical | Vhost tracking does not work after a guest reboot |
VRVDR-50956 | Critical | VRRP goes into fault state after reboot |
VRVDR-50952 | Critical | VRF DHCPv4: vyatta-service-dhcp-client@dp0X.service failed after config/delete/config |
VRVDR-50927 | Critical | show interface data <port> phy not working correctly for Operator class users |
VRVDR-50915 | Critical | Error generating /interfaces/backplane-state on SIAD |
VRVDR-50874 | Critical | Storm control errors in 1912b |
VRVDR-50712 | Critical | Missing monitor dataplane bfd |
VRVDR-50688 | Critical | BFD sessions stuck in hardware after unconfigure |
VRVDR-50654 | Critical | Display issues in show bfd session detail |
VRVDR-50559 | Critical | Error: /vyatta-cpu-history-client: GetState failure: Traceback |
VRVDR-50401 | Critical | SIAD: Kernel messages printed to log and serial console when configuring BFD |
VRVDR-50399 | Critical | SIAD: BFD session parameters not updated for existing sessions on config change |
VRVDR-50359 | Critical | show int dataplane foo phy issues with vendor-rev |
VRVDR-50234 | Critical | L2TPv3: Fails to ping across tunnel using L2TPv3
VRVDR-49231 | Critical | PPPoE Client - Not re-establishing dropped connection automatically |
VRVDR-48315 | Critical | Malformed interface names in show ipv6 multicast interface with IPv6 GRE tunnels |
VRVDR-52396 | Major | BFD session fails to program in hardware trying to use flood-group as tx-port |
VRVDR-52281 | Major | BFD: stats are not thread safe on HW platforms |
VRVDR-52279 | Major | BFD stop tx timer only after v4 session in HW |
VRVDR-52251 | Major | Remove the BFD router tracker hash table |
VRVDR-52232 | Major | Rename FAL_BFD_HW_MODE_CP_INDEPENDENT |
VRVDR-52216 | Major | BFD: No update sent to OAMd for remote ADMIN DOWN |
VRVDR-52212 | Major | PTP: From power on reset GPS takes a few minutes to become ready |
VRVDR-52206 | Major | BFD sessions can update FAL with no changes |
VRVDR-52183 | Major | BFD sessions for Static IPv6 clients do not come back after dataplane restart |
VRVDR-52165 | Major | BFD not programming h/w multihop correctly |
VRVDR-51828 | Major | SIAD ACL: BCM SDK error when deleting ACL configuration |
VRVDR-51608 | Major | L2 traffic priority value is getting modified at the egress interface |
VRVDR-51519 | Major | PTP slave-only config throws error and doesn't display any clock status |
VRVDR-51483 | Major | Removing guest configuration fails with scripting error |
VRVDR-51443 | Major | ipv6 router-advert CLI missing on switch VLAN interfaces |
VRVDR-51428 | Major | Hardware BFD allows configuring unsupported timer values |
VRVDR-51247 | Major | S9500 - missing hw_rev.cfg file |
VRVDR-51238 | Major | After broadcast storm, TACACS doesn't recover |
VRVDR-51156 | Major | DHCPv4 client accepts duplicate DHCP IP of its static interface |
VRVDR-51008 | Major | When the /var/log partition exists journal files from previous installs are retained but not rotated |
VRVDR-50787 | Major | Wrong TX port used when multiple routes exist for BFD peer |
VRVDR-50655 | Major | vyatta-vrrp syntax error near unexpected token logger |
VRVDR-50619 | Major | LACP with VIF - still seeing Slaves not selected in 'balanced' mode |
VRVDR-50552 | Major | TACACS daemon is not running even with all TACACS config |
VRVDR-50271 | Major | PTP: No display of the current and historic calculated asymmetry value |
VRVDR-50188 | Major | PTP: sync and delay_resp pkt rates remain at 0 (from bootup) in "show ptp servo 0" |
VRVDR-49836 | Major | IPsec: Fails to ping from tunnel endpoint to tunnel endpoint with ping size 1419 using default MTU with site-to-site. Tunnel MTU discovery not working
VRVDR-49447 | Major | show tech-support still logs /var/log/messages |
VRVDR-48438 | Major | LACP causing interface to remain down |
VRVDR-46464 | Major | VRRPv3: matching vip mask behaviour change in Dartmouth |
VRVDR-52196 | Minor | OAMd BFD dataplane offload debugs not enabled by "log all" configuration |
VRVDR-51114 | Minor | Change command not found error for users running in a sandbox |
VRVDR-50826 | Minor | Keepalived: No VRRP instance found for packet |
VRVDR-50925 | Trivial | Path Monitor logs may include "vrf" prefix in logs |
Security vulnerabilities resolved
Security vulnerabilities resolved in release 2005a.
Issue number | CVSS | Advisory | Summary |
---|---|---|---|
VRVDR-51236 | 8.6 | DSA-4689-1 | CVE-2019-6477, CVE-2020-8616, CVE-2020-8617: Debian DSA-4689-1 : bind9 - security update |
VRVDR-52198 | 7.8 | DSA-4723-1 | CVE-2020-11739, CVE-2020-11740, CVE-2020-11741, CVE-2020-11742, CVE-2020-11743, CVE-2020-15563, CVE-2020-15564, CVE-2020-15565, CVE-2020-15566, CVE-2020-15567: Debian DSA 4723-1: xen security update |
VRVDR-51526 | 7.8 | DSA-4699-1 | CVE-2019-19462, CVE-2019-3016, CVE-2020-0543, CVE-2020-10711, CVE-2020-10732, CVE-2020-10751, CVE-2020-10757, CVE-2020-12114, CVE-2020-12464, CVE-2020-12768, CVE-2020-12770, CVE-2020-13143: Debian DSA-4699-1 : linux - security update |
VRVDR-51525 | 7.8 | DSA-4698-1 | CVE-2019-2182, CVE-2019-5108, CVE-2019-19319, CVE-2019-19462, CVE-2019-19768, CVE-2019-20806, CVE-2019-20811, CVE-2020-0543, CVE-2020-2732, CVE-2020-8428, CVE-2020-8647, CVE-2020-8648, CVE-2020-8649, CVE-2020-9383, CVE-2020-10711, CVE-2020-10732, CVE-2020-10751, CVE-2020-10757, CVE-2020-10942, CVE-2020-11494, CVE-2020-11565, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-12114, CVE-2020-12464, CVE-2020-12652, CVE-2020-12653, CVE-2020-12654, CVE-2020-12770, CVE-2020-13143: Debian DSA-4698-1 : linux - security update
VRVDR-52150 | 7.5 | DSA-4721-1 | CVE-2020-10663, CVE-2020-10933: Debian DSA-4721-1 : ruby2.5 - security update |
VRVDR-51849 | 7.5 | N/A | CVE-2018-19044, CVE-2018-19045, CVE-2018-19046: Insecure temporary file usage in keepalived |
VRVDR-51494 | 7.4 | DSA-4697-1 | CVE-2020-13777: Debian DSA-4697-1 : gnutls28 - security update |
VRVDR-50530 | 7.1 | DSA-4647-1 | CVE-2020-0556: Debian DSA-4647-1 : bluez - security update |
VRVDR-52273 | 6.7 | DSA-4728-1 | CVE-2020-10756, CVE-2020-13361, CVE-2020-13362, CVE-2020-13754, CVE-2020-13659: Debian DSA 4728-1: qemu security update |
VRVDR-51054 | 6.7 | DSA-4688-1 | CVE-2020-10722, CVE-2020-10723, CVE-2020-10724: Debian DSA-4688-1 : dpdk - security update |
VRVDR-52261 | 6.5 | DSA-4726-1 | CVE-2019-17006, CVE-2019-17023, CVE-2020-12399, CVE-2020-12402: Debian DSA 4726-1: nss security update |
VRVDR-51142 | 5.5 | DSA-4685-1 | CVE-2020-3810: Debian DSA-4685-1 : apt - security update |
VRVDR-52197 | N/A | N/A | Privilege escalation in reset ipv6 neighbors / reset ip arp commands |
VRVDR-46681 | N/A | N/A | ssh-known-hosts exposes hostname or IP addresses of remote-peers in plaintext, should be hashed |
VRVDR-44891 | N/A | N/A | opd does not escape input properly when completing commands |
New L3 ACL commands
Release 2005a adds the following additional matches to the security ip-packet-filter command.
Source or destination port number, for TCP, UDP, UDP-Lite, DCCP, or SCTP
security ip-packet-filter group <group-name> rule <number> match destination port number <value>
security ip-packet-filter group <group-name> rule <number> match source port number <value>
DSCP, by name or by value
security ip-packet-filter group <group-name> rule <number> match dscp name (af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|af|va)
security ip-packet-filter group <group-name> rule <number> match dscp value <value>
TTL, a value of 1 or 255
security ip-packet-filter group <group-name> rule <number> match ttl equals <value>
IPv6 base and final fragment
security ip-packet-filter group <group-name> rule <number> match protocol base name ipv6-frag
security ip-packet-filter group <group-name> rule <number> match protocol final name ipv6-frag
ICMP type
- ICMP type, and optionally code, for IPv4 ICMP and ICMPv6.
- Matching by a named combination of type and possibly code, by numeric type alone, or by numeric type and code.
- For ICMPv6, matching on the class being error or info (that is, non-error).
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-host-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-host-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-network-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-network-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name address-mask-reply
security ip-packet-filter group <group-name> rule <number> match icmp name address-mask-request
security ip-packet-filter group <group-name> rule <number> match icmp name communication-prohibited
security ip-packet-filter group <group-name> rule <number> match icmp name destination-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name echo-reply
security ip-packet-filter group <group-name> rule <number> match icmp name echo-request
security ip-packet-filter group <group-name> rule <number> match icmp name fragmentation-needed
security ip-packet-filter group <group-name> rule <number> match icmp name host-precedence-violation
security ip-packet-filter group <group-name> rule <number> match icmp name host-prohibited
security ip-packet-filter group <group-name> rule <number> match icmp name host-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name host-unknown
security ip-packet-filter group <group-name> rule <number> match icmp name host-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name ip-header-bad
security ip-packet-filter group <group-name> rule <number> match icmp name network-prohibited
security ip-packet-filter group <group-name> rule <number> match icmp name network-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name network-unknown
security ip-packet-filter group <group-name> rule <number> match icmp name network-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name parameter-problem
security ip-packet-filter group <group-name> rule <number> match icmp name port-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name precedence-cutoff
security ip-packet-filter group <group-name> rule <number> match icmp name protocol-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name redirect
security ip-packet-filter group <group-name> rule <number> match icmp name required-option-missing
security ip-packet-filter group <group-name> rule <number> match icmp name router-advertisement
security ip-packet-filter group <group-name> rule <number> match icmp name router-solicitation
security ip-packet-filter group <group-name> rule <number> match icmp name source-quench
security ip-packet-filter group <group-name> rule <number> match icmp name source-route-failed
security ip-packet-filter group <group-name> rule <number> match icmp name time-exceeded
security ip-packet-filter group <group-name> rule <number> match icmp name timestamp-reply
security ip-packet-filter group <group-name> rule <number> match icmp name timestamp-request
security ip-packet-filter group <group-name> rule <number> match icmp name ttl-zero-during-reassembly
security ip-packet-filter group <group-name> rule <number> match icmp name ttl-zero-during-transit
security ip-packet-filter group <group-name> rule <number> match icmp type <type-number>
security ip-packet-filter group <group-name> rule <number> match icmp type <type-number> code <value>
security ip-packet-filter group <group-name> rule <number> match icmpv6 class error
security ip-packet-filter group <group-name> rule <number> match icmpv6 class info
security ip-packet-filter group <group-name> rule <number> match icmpv6 name address-unreachable
security ip-packet-filter group <group-name> rule <number> match icmpv6 name bad-header
security ip-packet-filter group <group-name> rule <number> match icmpv6 name communication-prohibited
security ip-packet-filter group <group-name> rule <number> match icmpv6 name destination-unreachable
security ip-packet-filter group <group-name> rule <number> match icmpv6 name echo-reply
security ip-packet-filter group <group-name> rule <number> match icmpv6 name echo-request
security ip-packet-filter group <group-name> rule <number> match icmpv6 name mobile-prefix-advertisement
security ip-packet-filter group <group-name> rule <number> match icmpv6 name mobile-prefix-solicitation
security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-done
security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-query
security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-report
security ip-packet-filter group <group-name> rule <number> match icmpv6 name neighbor-advertisement
security ip-packet-filter group <group-name> rule <number> match icmpv6 name neighbor-solicitation
security ip-packet-filter group <group-name> rule <number> match icmpv6 name no-route
security ip-packet-filter group <group-name> rule <number> match icmpv6 name packet-too-big
security ip-packet-filter group <group-name> rule <number> match icmpv6 name parameter-problem
security ip-packet-filter group <group-name> rule <number> match icmpv6 name port-unreachable
security ip-packet-filter group <group-name> rule <number> match icmpv6 name redirect
security ip-packet-filter group <group-name> rule <number> match icmpv6 name router-advertisement
security ip-packet-filter group <group-name> rule <number> match icmpv6 name router-solicitation
security ip-packet-filter group <group-name> rule <number> match icmpv6 name time-exceeded
security ip-packet-filter group <group-name> rule <number> match icmpv6 name ttl-zero-during-reassembly
security ip-packet-filter group <group-name> rule <number> match icmpv6 name ttl-zero-during-transit
security ip-packet-filter group <group-name> rule <number> match icmpv6 name unknown-header-type
security ip-packet-filter group <group-name> rule <number> match icmpv6 name unknown-option
security ip-packet-filter group <group-name> rule <number> match icmpv6 type <type-number>
security ip-packet-filter group <group-name> rule <number> match icmpv6 type <type-number> code <value>
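The following is a worked configuration added to these notes to show how the 2005a matches combine into an inbound filter on an untrusted link; it is not configuration shipped with Vyatta NOS. Only the match leaves are taken from the list above. The ip-version, action, counters and "interface ... in" nodes, the "match destination ipv6 prefix" and "match protocol base name udp" leaves, and first-match-wins evaluation in rule-number order are assumed from the existing ip-packet-filter feature; dp0p1s1 is a placeholder interface, and the use of "ttl equals" against the IPv6 hop limit is an assumption.

```text
# Added example, not Vyatta configuration. Assumed nodes: ip-version, action,
# counters, "interface ... in", "match destination ipv6 prefix",
# "match protocol base name udp"; dp0p1s1 is a placeholder interface.

# EDGE-V4: single-hop BFD, DSCP trust boundary and ICMP hygiene.
set security ip-packet-filter group EDGE-V4 ip-version ipv4
set security ip-packet-filter group EDGE-V4 counters

# Single-hop BFD control packets (UDP/3784) must arrive with TTL 255 (RFC 5881).
# Anything on that port with a lower TTL was sent from further away: drop it.
set security ip-packet-filter group EDGE-V4 rule 10 action accept
set security ip-packet-filter group EDGE-V4 rule 10 match protocol base name udp
set security ip-packet-filter group EDGE-V4 rule 10 match destination port number 3784
set security ip-packet-filter group EDGE-V4 rule 10 match ttl equals 255
set security ip-packet-filter group EDGE-V4 rule 20 action drop
set security ip-packet-filter group EDGE-V4 rule 20 match protocol base name udp
set security ip-packet-filter group EDGE-V4 rule 20 match destination port number 3784

# Rule 10 already let the peer's CS6-marked BFD in; no other traffic from this
# link may claim network-control precedence.
set security ip-packet-filter group EDGE-V4 rule 30 action drop
set security ip-packet-filter group EDGE-V4 rule 30 match dscp name cs6
set security ip-packet-filter group EDGE-V4 rule 40 action drop
set security ip-packet-filter group EDGE-V4 rule 40 match dscp name cs7

# ICMP: refuse redirects (route hijack) and source-quench; keep PMTUD
# (fragmentation-needed) and traceroute (type 11, time-exceeded) working.
set security ip-packet-filter group EDGE-V4 rule 50 action drop
set security ip-packet-filter group EDGE-V4 rule 50 match icmp name redirect
set security ip-packet-filter group EDGE-V4 rule 60 action drop
set security ip-packet-filter group EDGE-V4 rule 60 match icmp name source-quench
set security ip-packet-filter group EDGE-V4 rule 70 action accept
set security ip-packet-filter group EDGE-V4 rule 70 match icmp name fragmentation-needed
set security ip-packet-filter group EDGE-V4 rule 80 action accept
set security ip-packet-filter group EDGE-V4 rule 80 match icmp type 11

# Explicit final rule so the policy does not depend on the implicit default.
set security ip-packet-filter group EDGE-V4 rule 1000 action accept

# EDGE-V6: NDP hygiene on the same link.
set security ip-packet-filter group EDGE-V6 ip-version ipv6
set security ip-packet-filter group EDGE-V6 counters

# NDP is never legitimately fragmented (RFC 6980): drop fragmented packets aimed
# at link-local addresses before any icmpv6 rule below can accept them, using
# both fragment matches added in 2005a.
set security ip-packet-filter group EDGE-V6 rule 10 action drop
set security ip-packet-filter group EDGE-V6 rule 10 match protocol base name ipv6-frag
set security ip-packet-filter group EDGE-V6 rule 10 match destination ipv6 prefix fe80::/10
set security ip-packet-filter group EDGE-V6 rule 11 action drop
set security ip-packet-filter group EDGE-V6 rule 11 match protocol final name ipv6-frag
set security ip-packet-filter group EDGE-V6 rule 11 match destination ipv6 prefix fe80::/10

# Router advertisements from the untrusted side are rogue; redirects are not honoured.
set security ip-packet-filter group EDGE-V6 rule 20 action drop
set security ip-packet-filter group EDGE-V6 rule 20 match icmpv6 name router-advertisement
set security ip-packet-filter group EDGE-V6 rule 30 action drop
set security ip-packet-filter group EDGE-V6 rule 30 match icmpv6 name redirect

# NS/NA must carry hop limit 255 (RFC 4861). "ttl equals" is assumed here to
# test the IPv6 hop limit; NS/NA with any other value fall through to rules 60/70.
set security ip-packet-filter group EDGE-V6 rule 40 action accept
set security ip-packet-filter group EDGE-V6 rule 40 match icmpv6 name neighbor-solicitation
set security ip-packet-filter group EDGE-V6 rule 40 match ttl equals 255
set security ip-packet-filter group EDGE-V6 rule 50 action accept
set security ip-packet-filter group EDGE-V6 rule 50 match icmpv6 name neighbor-advertisement
set security ip-packet-filter group EDGE-V6 rule 50 match ttl equals 255
set security ip-packet-filter group EDGE-V6 rule 60 action drop
set security ip-packet-filter group EDGE-V6 rule 60 match icmpv6 name neighbor-solicitation
set security ip-packet-filter group EDGE-V6 rule 70 action drop
set security ip-packet-filter group EDGE-V6 rule 70 match icmpv6 name neighbor-advertisement

# Error messages (packet-too-big for PMTUD, time-exceeded, ...) stay open, echo
# is allowed, every other informational ICMPv6 message is dropped.
set security ip-packet-filter group EDGE-V6 rule 80 action accept
set security ip-packet-filter group EDGE-V6 rule 80 match icmpv6 class error
set security ip-packet-filter group EDGE-V6 rule 90 action accept
set security ip-packet-filter group EDGE-V6 rule 90 match icmpv6 name echo-request
set security ip-packet-filter group EDGE-V6 rule 100 action drop
set security ip-packet-filter group EDGE-V6 rule 100 match icmpv6 class info
set security ip-packet-filter group EDGE-V6 rule 1000 action accept

# Bind both groups inbound on the untrusted interface.
set security ip-packet-filter interface dp0p1s1 in EDGE-V4
set security ip-packet-filter interface dp0p1s1 in EDGE-V6
```

Rule order carries the security logic: the TTL-255 accept for BFD must precede the blanket CS6 drop, and the fragment drops must precede any icmpv6 accept, otherwise a fragmented neighbor solicitation would be let in by rule 40. Rule 100 also drops MLD reports, so relax it on links that carry multicast listeners. The per-rule counters are what you check after commit to confirm that the drop rules are actually catching traffic. On SIAD hardware platforms, 2005a rejects at commit time any ruleset that would exceed the TCAM (VRVDR-51619), so a commit failure on a large ACL means the ruleset has to be trimmed, not that the syntax is wrong.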