Patch release notes 1912a
Release notes for Vyatta NOS 1912a, released February 14, 2020.
Issues resolved
Issues resolved in release 1912a.
| Issue number | Priority | Summary |
|---|---|---|
| VRVDR-49684 | Blocker | DHCP services within VRF failed to start after enabling secure boot |
| VRVDR-49631 | Blocker | PTP error message found on UFI06 |
| VRVDR-49185 | Blocker | IP Packet Filter not applied at boot-up |
| VRVDR-49031 | Blocker | RA-VPN Server +VFP+default VRF : IPsec encryption failing on RA-VPN server for traffic destined or originated between end hosts connected behind the RA-VPN server/client |
| VRVDR-48728 | Blocker | Network link down observed with VM built from vyatta-1908b-amd64-vrouter_20191010T1100-amd64-Build3.14.hybrid.iso |
| VRVDR-48593 | Blocker | Mellanox 100G: The dataplane interface is not up after disabling or enabling the interface |
| VRVDR-47473 | Blocker | Mellanox-100G: The interface (one interface out of two) link shows down after conf/deleting the mtu. Hence observing the traffic loss at that time |
| VRVDR-49822 | Critical | Only shows peering with 16 nodes in show ptp clock 0 |
| VRVDR-49735 | Critical | IPsec RA VPN: default VRF + VFP is blocking traffic which is supposed to be forwarded |
| VRVDR-49734 | Critical | Strongswan VRRP startup check breaks RA VPN server |
| VRVDR-49633 | Critical | tcp_auth_collapse NULL pointer dereference causes kernel panic during SYN flood |
| VRVDR-49618 | Critical | Servo notifications always using attVrouterPtpServoFailure |
| VRVDR-49568 | Critical | Flexware XS and S: kernel panics on start after update to 4.19.93 |
| VRVDR-49427 | Critical | Bridge commit failure when changing both max-age and forwarding-delay |
| VRVDR-49417 | Critical | Wrong counts for pkts matching 3-tuple but not 5-tuple |
| VRVDR-49415 | Critical | Python traceback with show cgnat session detail exclude-inner |
| VRVDR-49403 | Critical | LACP - vmxnet3 PMD unable to support additional MAC addresses |
| VRVDR-49376 | Critical | PTP: fails to issue clock servo recovery traps |
| VRVDR-49365 | Critical | Remote Syslog broken by source interface status changes |
| VRVDR-49350 | Critical | CGNAT - PCP session times outer sooner than expected |
| VRVDR-49344 | Critical | Firewall VFP acceptance tests broken by VRVDR-48094 |
| VRVDR-48944 | Critical | SIAD Dataplane crash when removing Tunnels interface config |
| VRVDR-48371 | Critical | IPsec RA VPN - Unable to ping spoke after failover |
| VRVDR-48094 | Critical | IPsec RA VPN client/server: v4 traffic not working with when a concrete remote traffic-selector |
| VRVDR-46719 | Critical | Poor TCP performance in iperf over IPSEC VTI (expected ~600Mbps, actual ~2Mbps) |
| VRVDR-45071 | Critical | vyatta-security-vpn: vpn-config.pl: l2tp remote-access dhcp-interface "lo.tag;/tmp/bad.sh;echo " / code injection |
| VRVDR-45069 | Critical | vyatta-security-vpn: set security vpn rsa-keys local-key file "/tmp/bad.sh;/tmp/bad.sh" / code injection |
| VRVDR-45068 | Critical | vyatta-security-vpn: s2s tunnel protocol syntax script / code injection |
| VRVDR-45067 | Critical | vyatta-security-vpn: set security vpn ipsec site-to-site peer $CODE / code injection |
| VRVDR-45066 | Critical | vyatta-security-vpn: check_file_in_config passed unsanitized user input / code injection |
| VRVDR-45065 | Critical | vyatta-security-vpn-secrets: code injection |
| VRVDR-49630 | Major | IPsec got warning on committing site-2-site tunnel config Warning: unable to [VPN toggle net.ipv6.conf.intf.disable_xfrm], received error code 65280 |
| VRVDR-49513 | Major | Failed to connect to system bus error messages |
| VRVDR-49426 | Major | Mellanox-100G: kernel interface shows up even when dataplane is stopped. |
| VRVDR-49391 | Major | PTP: disable (by default) logging of the time adjustments by the IDT servo |
| VRVDR-49351 | Major | CGNAT: TCP session with only ext to int traffic does not time out |
| VRVDR-49119 | Major | DUT stops responding following anomolous DHCP-DISCOVER packet |
| VRVDR-49020 | Major | RA VPN: Spoke not forwarding with ESP: Replay check failed for SPI logs |
| VRVDR-48761 | Major | J2: packets with too small IP length value forwarded rather than dropped |
| VRVDR-48663 | Major | New SSH errors in 1903h make syslog more chatty |
| VRVDR-46641 | Major | IKE control-plane incorrectly assumes that the IPsec dataplane supports ESP Traffic Flow Confidentiality |
| VRVDR-49656 | Minor | IDT servo is built without optimization |
| VRVDR-49584 | Minor | GRE over IPsec in transport mode (IKEv1) - responder intermittently replies no acceptable traffic selectors found |
| VRVDR-49431 | Minor | Use upstream fix for correcting link speed when link is down |
| VRVDR-45753 | Minor | Share storage help text for size missing units |
Security vulnerabilities resolved
Security vulnerabilities resolved in release 1912a.
| Issue number | CVSS | Advisory | Summary |
|---|---|---|---|
| VRVDR-49642 | 9.8 | DSA-4602-1 | CVE-2019-17349, CVE-2019-17350, CVE-2019-18420, CVE-2019-18421, CVE-2019-18422, CVE-2019-18423, CVE-2019-18424, CVE-2019-18425, CVE-2019-19577, CVE-2019-19578, CVE-2019-19579, CVE-2019-19580, CVE-2019-19581, CVE-2019-19582, CVE-2019-19583, CVE-2018-12207, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, CVE-2019-11135, CVE-2019-17348, CVE-2019-17347, CVE-2019-17346, CVE-2019-17345, CVE-2019-17344, CVE-2019-17343, CVE-2019-17342, CVE-2019-17341, CVE-2019-17340: Debian DSA-4602-1 : xen - security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) |
| VRVDR-49450 | 9.8 | DSA-4587-1 | CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255: Debian DSA-4587-1 : ruby2.3 - security update |
| VRVDR-49132 | 7.8 | DSA-4564-1 | CVE-2018-12207, CVE-2019-0154, CVE-2019-0155, CVE-2019-11135: Debian DSA-4564-1: linux – security update |
| VRVDR-49477 | 7.5 | DSA-4591-1 | CVE-2019-19906: Debian DSA-4591-1 : cyrus-sasl2 - security update |
| VRVDR-49486 | 5.3 | DSA-4594-1 | CVE-2019-1551: Debian DSA-4594-1 : openssl1.0 - security update |
| VRVDR-49728 | N/A | DSA-4609-1 | CVE-2019-15795, CVE-2019-15796: Debian DSA-4609-1 : python-apt - security update |
Hotfix command
1912a adds a new CLI command to simplify adding a new hotfix (a modified Debian package) to Vyatta NOS.
Note: This is a one-way operation, as you cannot uninstall a hotfix. With this command, you can only upgrade existing packages, and you cannot install new packages.
To preserve the original system state, use clone system image before installing a hotfix. After installation, you can verify hotfixes with either show system image image_name all or show version image image_name.The following command introduces the hotfix:
add system image image_name packages list_of_pkgs
show system image image_name packages
To install hotfixes, you must have elevated privileges to avoid a security hole. This command should be available to only the most trusted users. The default ACM ruleset allows only users of the "superuser" level to execute the command.
The following commands configure this new rule:
# set system acm operational-ruleset rule 9970 action deny
# set system acm operational-ruleset rule 9970 command '/add/system/image/*/packages/*'
# set system acm operational-ruleset rule 9970 group vyattaop
# set system acm operational-ruleset rule 9970 group vyattaadm
If you are migrating an ACM ruleset from an earlier release, apply a similar rule to your existing ruleset.
With command authorization enabled, ACM rules do not apply to TACACS+ users. Therefore, verify your TACACS+ server configuration to make sure only appropriate users can execute this command.