Patch release notes 1912a
Release notes for Vyatta NOS 1912a, released February 14, 2020.
Issues resolved
Issues resolved in release 1912a.
Issue number | Priority | Summary |
---|---|---|
VRVDR-49684 | Blocker | DHCP services within VRF failed to start after enabling secure boot |
VRVDR-49631 | Blocker | PTP error message found on UFI06 |
VRVDR-49185 | Blocker | IP Packet Filter not applied at boot-up |
VRVDR-49031 | Blocker | RA-VPN Server +VFP+default VRF : IPsec encryption failing on RA-VPN server for traffic destined or originated between end hosts connected behind the RA-VPN server/client |
VRVDR-48728 | Blocker | Network link down observed with VM built from vyatta-1908b-amd64-vrouter_20191010T1100-amd64-Build3.14.hybrid.iso |
VRVDR-48593 | Blocker | Mellanox 100G: The dataplane interface is not up after disabling or enabling the interface |
VRVDR-47473 | Blocker | Mellanox-100G: one of two interfaces shows link down after configuring or deleting the MTU, causing traffic loss at that time |
VRVDR-49822 | Critical | Only shows peering with 16 nodes in show ptp clock 0 |
VRVDR-49735 | Critical | IPsec RA VPN: default VRF + VFP is blocking traffic which is supposed to be forwarded |
VRVDR-49734 | Critical | Strongswan VRRP startup check breaks RA VPN server |
VRVDR-49633 | Critical | tcp_auth_collapse NULL pointer dereference causes kernel panic during SYN flood |
VRVDR-49618 | Critical | Servo notifications always using attVrouterPtpServoFailure |
VRVDR-49568 | Critical | Flexware XS and S: kernel panics on start after update to 4.19.93 |
VRVDR-49427 | Critical | Bridge commit failure when changing both max-age and forwarding-delay |
VRVDR-49417 | Critical | Wrong counts for pkts matching 3-tuple but not 5-tuple |
VRVDR-49415 | Critical | Python traceback with show cgnat session detail exclude-inner |
VRVDR-49403 | Critical | LACP - vmxnet3 PMD unable to support additional MAC addresses |
VRVDR-49376 | Critical | PTP: fails to issue clock servo recovery traps |
VRVDR-49365 | Critical | Remote Syslog broken by source interface status changes |
VRVDR-49350 | Critical | CGNAT - PCP session times out sooner than expected |
VRVDR-49344 | Critical | Firewall VFP acceptance tests broken by VRVDR-48094 |
VRVDR-48944 | Critical | SIAD Dataplane crash when removing Tunnels interface config |
VRVDR-48371 | Critical | IPsec RA VPN - Unable to ping spoke after failover |
VRVDR-48094 | Critical | IPsec RA VPN client/server: v4 traffic not working with a concrete remote traffic-selector |
VRVDR-46719 | Critical | Poor TCP performance in iperf over IPSEC VTI (expected ~600Mbps, actual ~2Mbps) |
VRVDR-45071 | Critical | vyatta-security-vpn: vpn-config.pl: l2tp remote-access dhcp-interface "lo.tag;/tmp/bad.sh;echo " / code injection |
VRVDR-45069 | Critical | vyatta-security-vpn: set security vpn rsa-keys local-key file "/tmp/bad.sh;/tmp/bad.sh" / code injection |
VRVDR-45068 | Critical | vyatta-security-vpn: s2s tunnel protocol syntax script / code injection |
VRVDR-45067 | Critical | vyatta-security-vpn: set security vpn ipsec site-to-site peer $CODE / code injection |
VRVDR-45066 | Critical | vyatta-security-vpn: check_file_in_config passed unsanitized user input / code injection |
VRVDR-45065 | Critical | vyatta-security-vpn-secrets: code injection |
VRVDR-49630 | Major | IPsec got warning on committing site-2-site tunnel config Warning: unable to [VPN toggle net.ipv6.conf.intf.disable_xfrm], received error code 65280 |
VRVDR-49513 | Major | Failed to connect to system bus error messages |
VRVDR-49426 | Major | Mellanox-100G: kernel interface shows up even when dataplane is stopped. |
VRVDR-49391 | Major | PTP: disable (by default) logging of the time adjustments by the IDT servo |
VRVDR-49351 | Major | CGNAT: TCP session with only ext to int traffic does not time out |
VRVDR-49119 | Major | DUT stops responding following anomalous DHCP-DISCOVER packet |
VRVDR-49020 | Major | RA VPN: Spoke not forwarding with ESP: Replay check failed for SPI logs |
VRVDR-48761 | Major | J2: packets with too small IP length value forwarded rather than dropped |
VRVDR-48663 | Major | New SSH errors in 1903h make syslog more chatty |
VRVDR-46641 | Major | IKE control-plane incorrectly assumes that the IPsec dataplane supports ESP Traffic Flow Confidentiality |
VRVDR-49656 | Minor | IDT servo is built without optimization |
VRVDR-49584 | Minor | GRE over IPsec in transport mode (IKEv1) - responder intermittently replies "no acceptable traffic selectors found" |
VRVDR-49431 | Minor | Use upstream fix for correcting link speed when link is down |
VRVDR-45753 | Minor | Share storage help text for size missing units |
Security vulnerabilities resolved
Security vulnerabilities resolved in release 1912a.
Issue number | CVSS | Advisory | Summary |
---|---|---|---|
VRVDR-49642 | 9.8 | DSA-4602-1 | CVE-2019-17349, CVE-2019-17350, CVE-2019-18420, CVE-2019-18421, CVE-2019-18422, CVE-2019-18423, CVE-2019-18424, CVE-2019-18425, CVE-2019-19577, CVE-2019-19578, CVE-2019-19579, CVE-2019-19580, CVE-2019-19581, CVE-2019-19582, CVE-2019-19583, CVE-2018-12207, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, CVE-2019-11135, CVE-2019-17348, CVE-2019-17347, CVE-2019-17346, CVE-2019-17345, CVE-2019-17344, CVE-2019-17343, CVE-2019-17342, CVE-2019-17341, CVE-2019-17340: Debian DSA-4602-1 : xen - security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) |
VRVDR-49450 | 9.8 | DSA-4587-1 | CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255: Debian DSA-4587-1 : ruby2.3 - security update |
VRVDR-49132 | 7.8 | DSA-4564-1 | CVE-2018-12207, CVE-2019-0154, CVE-2019-0155, CVE-2019-11135: Debian DSA-4564-1 : linux - security update |
VRVDR-49477 | 7.5 | DSA-4591-1 | CVE-2019-19906: Debian DSA-4591-1 : cyrus-sasl2 - security update |
VRVDR-49486 | 5.3 | DSA-4594-1 | CVE-2019-1551: Debian DSA-4594-1 : openssl1.0 - security update |
VRVDR-49728 | N/A | DSA-4609-1 | CVE-2019-15795, CVE-2019-15796: Debian DSA-4609-1 : python-apt - security update |
Hotfix command
1912a adds a new CLI command to simplify adding a new hotfix (a modified Debian package) to Vyatta NOS. Run clone system image before installing a hotfix. After installation, you can verify hotfixes with either show system image image_name all or show version image image_name.
Command syntax:
add system image image_name packages list_of_pkgs
show system image image_name packages
To avoid opening a security hole, installing hotfixes requires elevated privileges, and the command should be available only to the most trusted users. The default ACM ruleset allows only users of the "superuser" level to execute the command:
# set system acm operational-ruleset rule 9970 action deny
# set system acm operational-ruleset rule 9970 command '/add/system/image/*/packages/*'
# set system acm operational-ruleset rule 9970 group vyattaop
# set system acm operational-ruleset rule 9970 group vyattaadm
If you are migrating an ACM ruleset from an earlier release, apply a similar rule to your existing ruleset.
With command authorization enabled, ACM rules do not apply to TACACS+ users. Therefore, verify your TACACS+ server configuration to make sure only appropriate users can execute this command.