Patch release notes 2005b
Release notes for Vyatta NOS 2005b, released September 22, 2020.
Issues resolved
Issues resolved in release 2005b.
| Issue number | Priority | Summary |
|---|---|---|
| VRVDR-52918 | Blocker | Hardware CPP not conforming to limiter rates |
| VRVDR-52879 | Blocker | PTP: Unable to peer with master when route to GM fails over to backup vlan |
| VRVDR-52643 | Blocker | request hard qsfp/sfp_status present X - performance degradation |
| VRVDR-52568 | Blocker | Revert SIAD kernel panic defaults |
| VRVDR-52505 | Blocker | Coredump triggered by vyatta-dataplane restart in bfd_main_destroy |
| VRVDR-52469 | Blocker | i2c MUX reset required on S9500 to mitigate bus lock due to malfunctioning SFP |
| VRVDR-52459 | Blocker | BFD IPv4 packet punting for hardware sessions does not work with cpp-rate-limiter |
| VRVDR-52453 | Blocker | IPv4 BFD sessions not updating negotiated tx value after config change |
| VRVDR-52447 | Blocker | PTP: switching between the same master on multiple ports does not work if the chosen port is down |
| VRVDR-52371 | Blocker | DHCP lease refused |
| VRVDR-52369 | Blocker | Adding authentication to a running BFD session does not take effect |
| VRVDR-52363 | Blocker | IPv6 BFD sessions stuck Down if neighbour brings session AdminDown then restarts BFD |
| VRVDR-52362 | Blocker | Dataplane crash seen when unconfiguring BFD |
| VRVDR-52248 | Blocker | vyatta-sfpd can start before platform init complete |
| VRVDR-52104 | Blocker | S9500 integration of BSP 3.0.11, 3.0.12 and 3.0.13 |
| VRVDR-48480 | Blocker | PTP servo reports 0 pps after path switch during ECMP |
| VRVDR-52995 | Critical | Grub update during image upgrade is broken |
| VRVDR-52994 | Critical | BFD: Show bfd session details shows incorrect stats |
| VRVDR-52841 | Critical | S9500-30XS: Receiving only 10Gig traffic going over 25Gig links |
| VRVDR-52641 | Critical | LACP Bonding - packets transmitted with vlan 0 on S9500/QAX for some members |
| VRVDR-52489 | Critical | Dataplane crashes after reset bgp session with SEGV signal for bfd-plug in thread |
| VRVDR-52467 | Critical | BFD V6: Session created in HW with wrong local diag |
| VRVDR-52418 | Critical | BFD IPv4 session creation fails if the peer sets the Control Plane Independent flag |
| VRVDR-52413 | Critical | IPv6 BFD session stuck in poll loop when Admin Down after a config change |
| VRVDR-52410 | Critical | IPsec: SNMP trap no longer sent when IPsec tunnel goes up or down |
| VRVDR-52409 | Critical | IPv6 BFD Neg Rx/Neg Tx values only update once every 30s |
| VRVDR-52401 | Critical | Degradation of throughput by 10%-40% on v150 with 100M physical interface & QOS |
| VRVDR-52383 | Critical | PTP: Internal errors causing PTP stack not to be created |
| VRVDR-52353 | Critical | BFD session gets stuck in software when new preferred tx interface appears with no neighbor |
| VRVDR-52190 | Critical | smartd attempting to send email |
| VRVDR-52179 | Critical | overlayfs file corruption of user accounting files |
| VRVDR-52215 | Critical | Memory use after free when deleting storm control profile |
| VRVDR-51860 | Critical | Dataplane crashes with SEGV/FPE signal in bfd cleanup scenario with OSPF/BGP |
| VRVDR-51846 | Critical | RIB table not updated correctly for ospfv3 routes after flapping the primary path by making dataplane/switch interface link failure/recovery |
| VRVDR-51543 | Critical | With multiple peers using the same local-address, no authentication ids, and unique pre-shared-keys IKEv1 based IPsec stuck in 'init' for all but one peer |
| VRVDR-51408 | Critical | For-us packets dropped when packets arrive over LAG and CPP configured |
| VRVDR-50951 | Critical | OSPFv3 logs are not generated when OSPFv3 process is reset |
| VRVDR-52739 | Major | Port value in tunnel policy without specifying protocol causes error protocol must be formatted as well-known string. for IPsec 'show' commands |
| VRVDR-52668 | Major | Configuration fails to load after upgrade from 1801ze to 1912e when firewall rule with port range 0-65535 statement is present |
| VRVDR-52611 | Major | i40e driver silently drops multicast packets causing VRRP dual master |
| VRVDR-52468 | Major | Neg Rx value not updated if requested value cannot be used |
| VRVDR-52424 | Major | NETCONF edit-config applies changes with "none" default-operation, and no specified operation |
| VRVDR-52404 | Major | ICMP error returned with corrupted inner header causes seg-fault when passed through a FW/NAT44/PBR rule with logging enabled |
| VRVDR-52396 | Major | BFD session fails to program in hardware trying to use flood-group as tx-port |
| VRVDR-52221 | Major | Disabled PMTUD on GRE tunnel causes outer packet to inherit inner packet TTL value |
| VRVDR-52079 | Major | Update revision statement in DANOS-specific yang file |
| VRVDR-51643 | Major | SNMP Trap not receiving when CHILD_SA deleting |
| VRVDR-50831 | Major | Tunnels do not come up following a reboot |
| VRVDR-50775 | Major | Dataplane "PANIC in bond_mode_8023ad_ext_periodic_cb" w/ locally sourced and terminated GRE traffic |
| VRVDR-49836 | Major | IPsec: Fails to ping from tunnel endpoint to tunnel endpoint with ping size 1419 using default mtu with site-2-site; Tunnel MTU discovery not working |
| VRVDR-46493 | Major | IPSec RA-VPN Server : IKE proposal not found on server when setting the local-address to "any" |
| VRVDR-42123 | Major | opd adds node.tag values under the wrong location in tab completion |
| VRVDR-52825 | Minor | Configuring three sub-levels of time-zone is not possible, causing upgrade from earlier version to fail |
| VRVDR-52546 | Minor | GUI hangs/loads and finally time-outs with an error message on browser |
| VRVDR-52491 | Minor | PTP: show ptp apts output should include units in the value displays |
| VRVDR-52339 | Minor | PTP: Asymmetry output should contain currentValue to be inline with show ptp servo |
| VRVDR-52228 | Minor | The command show hardware sensors sel gives a traceback |
| VRVDR-50928 | Minor | PTP: ufispace-bsp-utils 3.0.10 causing /dev/ttyACM0 to disappear |
| VRVDR-50549 | Trivial | PTP: Spelling error in log msg Successfully configure DPLL 2 fast lcok |
Security vulnerabilities resolved
Security vulnerabilities resolved in release 2005b.
| Issue number | CVSS | Advisory | Summary |
|---|---|---|---|
| VRVDR-52618 | 9.8 | DLA-2323-1 | CVE-2019-18814, CVE-2019-18885, CVE-2019-20810, CVE-2020-10766, CVE-2020-10767, CVE-2020-10768, CVE-2020-12655, CVE-2020-12771, CVE-2020-13974, CVE-2020-15393: Debian DLA-2323-1 : linux-4.19 new package |
| VRVDR-52274 | 9.8 | DLA-2280-1 | CVE-2019-18348, CVE-2020-8492, CVE-2020-14422: Debian DLA-2280-1 : python3.7 security update |
| VRVDR-52419 | 8.2 | DSA-4735-1 | CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15706, CVE-2020-15707: Debian DSA-4735-1 : grub2 - security update |
| VRVDR-52921 | 7.9 | DSA-4760-1 | CVE-2020-12829, CVE-2020-14364, CVE-2020-15863, CVE-2020-16092: Debian DSA-4760-1: qemu security update |
| VRVDR-52627 | 7.8 | DSA-4746-1 | CVE-2020-15861, CVE-2020-15862: Debian DSA-4746-1: net-snmp security update |
| VRVDR-52484 | 7.8 | DSA-4741-1 | CVE-2020-12762: Debian DSA-4741-1 : json-c - security update |
| VRVDR-52787 | 7.5 | DSA-4752-1 | CVE-2020-8619, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624: Debian DSA-4752-1 : bind9 - security update |
| VRVDR-52357 | 5.6 | DSA-4733-1 | CVE-2020-8608: Debian DSA-4733-1: qemu security update |
Kernel panic behavior
VRVDR-49991 modified kernel panic defaults by introducing additional panic events for the S9500-30XS platforms in 1912b.
The following additional events are available:
panic-on-io-nmipanic-on-unrecovered-nmi
The reboot delay time that follows a kernel panic was also modified from 60 seconds to 30 seconds:
reboot-wait-after-panic = 30
VRVDR-52568 reverts the defaults in 1912f so the system no longer panics on the additional events. The reboot wait timer is also reverted to 60 seconds. The ability to use the CLI to change the behavior through configuration is still available, but the default behavior is different. No changes to the panic-of-oops default — it remains set.