diff --git a/.github/workflows/build_rns.yml b/.github/workflows/build_rns.yml
index 151004fc16..e47cc43850 100644
--- a/.github/workflows/build_rns.yml
+++ b/.github/workflows/build_rns.yml
@@ -3,7 +3,7 @@ name: 'Release Note Publisher'
on:
push:
branches:
- - rn-stage
+ - stage
jobs:
release-notes:
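Review bot: the `branches:` trigger at the top of this hunk moves the 'Release Note Publisher' workflow from the dedicated `rn-stage` branch to `stage`, so every push to `stage` now runs the publisher rather than only release-note pushes; confirm that is the intent and that `stage` carries the same push restrictions the old branch had, because this workflow publishes on the repository's behalf. If only a subset of pushes should publish, a `paths:` filter on the release-note files alongside `- stage` would keep the narrower trigger.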
diff --git a/build_trigger.txt b/build_trigger.txt
index 2567e86464..a132f34023 100644
--- a/build_trigger.txt
+++ b/build_trigger.txt
@@ -1 +1 @@
-build..
+build...
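Review bot: the only change to build_trigger.txt is one added dot (`build..` becomes `build...`), a content-free edit that reads as a way to force a build; if the workflow supports a manual trigger, prefer that over bumping a dummy file, and otherwise put a one-line comment in the file saying what it is for so the next reader does not treat the line as meaningful.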
diff --git a/content/cumulus-linux-37/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md b/content/cumulus-linux-37/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md
index c5083b59be..a8524e7531 100644
--- a/content/cumulus-linux-37/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md
+++ b/content/cumulus-linux-37/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md
@@ -1008,7 +1008,7 @@ Peer priority and id: 32768 44:38:39:00:00:12; Peer role: secondary
```
{{%notice note%}}
-The MLAG healthCheck module listens on UDP port 5342. If you have not configured a backup VRF, the module listens on all VRFs, which is normal UDP socket behaviour. Make sure to configure a backup link and backup VRF so that the MLAG healtcheck module only listens on the backup VRF.
+The MLAG healthCheck module listens on UDP port 5342. If you have not configured a backup VRF, the module listens on all VRFs, which is normal UDP socket behavior. Make sure to configure a backup link and backup VRF so that the MLAG healthcheck module only listens on the backup VRF.
{{%/notice%}}
**Comparing VRF and Management VRF Configurations**
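Review bot: the spelling fix leaves two spellings of the same module name in one sentence, `healthCheck` at the start of the note and `healthcheck` at the end; pick one (the capitalized form is used first) so readers searching the page find both mentions.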
diff --git a/content/cumulus-linux-37/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree.md b/content/cumulus-linux-37/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree.md
index 99687c7fcd..b09004fef8 100644
--- a/content/cumulus-linux-37/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree.md
+++ b/content/cumulus-linux-37/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree.md
@@ -48,7 +48,7 @@ RSTP works with MST seamlessly, creating a single instance of spanning tree that
RSTP treats the MST domain as one giant switch, whereas MST treats the RSTP domain as a different region. To enable proper communication between the regions, MST creates a Common Spanning Tree (CST) that connects all the boundary switches and forms the overall view of the MST domain. Because changes in the CST need to be reflected in all regions, the RSTP tree is included in the CST to ensure that changes on the RSTP domain are reflected in the CST domain. This does cause topology changes on the RSTP domain to impact the rest of the network but keeps the MST domain informed of every change occurring in the RSTP domain, ensuring a loop-free network.
-Configure the root bridge within the MST domain by changing the priority on the relevant MST switch. When MST detects an RSTP link, it falls back into RSTP mode. The MST domain choses the switch with the lowest cost to the CST root bridge as the CIST root bridge.
+Configure the root bridge within the MST domain by changing the priority on the relevant MST switch. When MST detects an RSTP link, it falls back into RSTP mode. The MST domain chooses the switch with the lowest cost to the CST root bridge as the CIST root bridge.
### RSTP with MLAG
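Review bot: the corrected sentence still switches terms mid-sentence, "lowest cost to the CST root bridge as the CIST root bridge", which reads as two different roots; if the intended meaning is the regional root of the CIST, say so in one term, since the spelling fix ("choses" to "chooses") is the right moment to settle the wording.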
diff --git a/content/cumulus-linux-37/Layer-3/Policy-based-Routing.md b/content/cumulus-linux-37/Layer-3/Policy-based-Routing.md
index 8da3430e3d..74ac21ef0a 100644
--- a/content/cumulus-linux-37/Layer-3/Policy-based-Routing.md
+++ b/content/cumulus-linux-37/Layer-3/Policy-based-Routing.md
@@ -33,7 +33,7 @@ A PBR policy contains one or more policy maps. Each policy map:
- A set rule determines the PBR nexthop for the policy. The set rule can contain a single nexthop IP address or it can contain a nexthop group. A nexthop group has more than one nexthop IP address so that you can use multiple interfaces to forward traffic. To use ECMP, you configure a nexthop group.
-To use PBR in Cumulus linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Traffic is matched against the match rules in sequential order and forwarded according to the set rule in the first match. Traffic that does not match any rule is passed onto the normal destination based routing mechanism.
+To use PBR in Cumulus Linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Traffic is matched against the match rules in sequential order and forwarded according to the set rule in the first match. Traffic that does not match any rule is passed onto the normal destination based routing mechanism.
{{%notice note%}}
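Review bot: while the capitalization of "Cumulus Linux" is corrected on this line, the same sentence keeps two small grammar issues worth fixing in the same pass: "destination based routing" should be hyphenated as "destination-based routing", and "passed onto the normal ... mechanism" should be "passed on to".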
diff --git a/content/cumulus-linux-37/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md b/content/cumulus-linux-37/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md
index 2c014a67af..3f32e07d39 100644
--- a/content/cumulus-linux-37/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md
+++ b/content/cumulus-linux-37/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md
@@ -14,13 +14,13 @@ by FRRouting. These messages appear in `/var/log/frr/frr.log`.
| Babel | HIGH | 16777218 | BABEL Packet Error | Babel has detected a packet encode/decode problem. | Collect the relevant log files and report the issue for troubleshooting. |
| Babel | HIGH | 16777219 | BABEL Configuration Error | Babel has detected a configuration error of some sort. | Ensure that the configuration is correct. |
| Babel | HIGH | 16777220 | BABEL Route Error | Babel has detected a routing error and is in an inconsistent state. | Gather data to report the issue for troubleshooting. Restart FRR. |
-| BGP | HIGH | 33554433 | BGP attribute flag is incorrect | BGP attribute flag is set to the wrong value (Optional/Transitive/Partial). | Determine the soure of the attribute and determine why the attribute flag has been set incorrectly. |
-| BGP | HIGH | 33554434 | BGP attribute length is incorrect | BGP attribute length is incorrect. | Determine the soure of the attribute and determine why the attribute length has been set incorrectly. |
-| BGP | HIGH | 33554435 | BGP attribute origin value invalid | BGP attribute origin value is invalid. | Determine the soure of the attribute and determine why the origin attribute has been set incorrectly. |
-| BGP | HIGH | 33554436 | BGP as path is invalid | BGP AS path has been malformed. | Determine the soure of the update and determine why the AS path has been set incorrectly. |
-| BGP | HIGH | 33554437 | BGP as path first as is invalid | BGP update has invalid first AS in AS path. | Determine the soure of the update and determine why the AS path first AS value has been set incorrectly. |
-| BGP | HIGH | 33554439 | BGP PMSI tunnel attribute type is invalid | BGP update has invalid type for PMSI tunnel. | Determine the soure of the update and determine why the PMSI tunnel attribute type has been set incorrectly. |
-| BGP | HIGH | 33554440 | BGP PMSI tunnel attribute length is invalid | BGP update has invalid length for PMSI tunnel. | Determine the soure of the update and determine why the PMSI tunnel attribute length has been set incorrectly. |
+| BGP | HIGH | 33554433 | BGP attribute flag is incorrect | BGP attribute flag is set to the wrong value (Optional/Transitive/Partial). | Determine the source of the attribute and determine why the attribute flag has been set incorrectly. |
+| BGP | HIGH | 33554434 | BGP attribute length is incorrect | BGP attribute length is incorrect. | Determine the source of the attribute and determine why the attribute length has been set incorrectly. |
+| BGP | HIGH | 33554435 | BGP attribute origin value invalid | BGP attribute origin value is invalid. | Determine the source of the attribute and determine why the origin attribute has been set incorrectly. |
+| BGP | HIGH | 33554436 | BGP as path is invalid | BGP AS path has been malformed. | Determine the source of the update and determine why the AS path has been set incorrectly. |
+| BGP | HIGH | 33554437 | BGP as path first as is invalid | BGP update has invalid first AS in AS path. | Determine the source of the update and determine why the AS path first AS value has been set incorrectly. |
+| BGP | HIGH | 33554439 | BGP PMSI tunnel attribute type is invalid | BGP update has invalid type for PMSI tunnel. | Determine the source of the update and determine why the PMSI tunnel attribute type has been set incorrectly. |
+| BGP | HIGH | 33554440 | BGP PMSI tunnel attribute length is invalid | BGP update has invalid length for PMSI tunnel. | Determine the source of the update and determine why the PMSI tunnel attribute length has been set incorrectly. |
| BGP | HIGH | 33554442 | BGP peergroup operated on in error | BGP operating on peer-group instead of peers included. | Ensure the configuration doesn't contain peer-groups contained within peer-groups. |
| BGP | HIGH | 33554443 | BGP failed to delete peer structure | BGP was unable to delete the peer structure when the address-family was removed. | Determine if all expected peers are removed and restart FRR if not. This is most likely a bug. |
| BGP | HIGH | 33554444 | BGP failed to get table chunk memory | BGP unable to get chunk memory for table manager. | Ensure there is adequate memory on the device to support the table requirements. |
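Review bot: every corrected action cell in this hunk still repeats "Determine ... and determine ...", so the spelling fix is a good moment to tighten them to "Determine the source of the attribute and why the attribute flag has been set incorrectly" (and likewise for the other six rows); the message names in the same rows also mix "as path" (33554436, 33554437) with "AS path" in the description column, which should be made consistent.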
@@ -39,8 +39,8 @@ by FRRouting. These messages appear in `/var/log/frr/frr.log`.
| BGP | HIGH | 33554457 | BGP error receiving keepalive packet | BGP unable to process a keepalive packet. | BGP keepalive received while in a stopped state. If the problem persists, report it for troubleshooting. |
| BGP | HIGH | 33554458 | BGP error receiving route refresh message | BGP unable to process route refresh message. | BGP route refresh received while in a stopped state. If the problem persists, report it for troubleshooting. |
| BGP | HIGH | 33554459 | BGP error capability message | BGP unable to process received capability. | BGP capability message received while in a stopped state. If the problem persists, report it for troubleshooting. |
-| BGP | HIGH | 33554460 | BGP error with nexthopo update | BGP unable to process nexthop update. | BGP received the nexthop update but the nexthop is not reachable in this BGP instance. Report the problem for troubleshooting. |
-| BGP | HIGH | 33554461 | Failure to apply label | BGP attempted to attempted to apply a label but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. |
+| BGP | HIGH | 33554460 | BGP error with nexthop update | BGP unable to process nexthop update. | BGP received the nexthop update but the nexthop is not reachable in this BGP instance. Report the problem for troubleshooting. |
+| BGP | HIGH | 33554461 | Failure to apply label | BGP attempted to apply a label but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. |
| BGP | HIGH | 33554462 | Multipath specified is invalid | BGP was started with an invalid ECMP/multipath value. | Correct the ECMP/multipath value supplied when starting the BGP daemon. |
| BGP | HIGH | 33554463 | Failure to process a packet | BGP attempted to process a received packet but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. |
| BGP | HIGH | 33554464 | Failure to connect to peer | BGP attempted to send open to a peer but couldn't connect. | This is most likely a bug. If the problem persists, report it for troubleshooting. |
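Review bot: the two corrected rows are fine, but the unchanged context rows 33554457, 33554458 and 33554459 just above them put a cause ("BGP keepalive received while in a stopped state") in the recommended-action column rather than an action; that text belongs in the description column, with the action column holding only "If the problem persists, report it for troubleshooting."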
@@ -63,7 +63,7 @@ by FRRouting. These messages appear in `/var/log/frr/frr.log`.
| EIGRP | HIGH | 50331650 | EIGRP Configuration Error | EIGRP has detected a configuration error. | Correct the configuration issue. If it still persists, report the issue for troubleshooting. |
| General | HIGH | 100663297 | Failure to raise or lower privileges | FRR attempted to raise or lower its privileges and was unable to do so. | Ensure that you are running FRR as the frr user and that the user has sufficient privileges to properly access root privileges. |
| General | HIGH | 100663298 | VRF Failure on Start | Upon startup, FRR failed to properly initialize and start up the VRF subsystem. | Ensure that there is sufficient memory to start processes, then restart FRR. |
-| General | HIGH | 100663299 | Socket Error | When attempting to access a socket, a system error occured and FRR was unable to properly complete the request. | Ensure that there are sufficient system resources available and ensure that the frr user has sufficient permisions to work. |
+| General | HIGH | 100663299 | Socket Error | When attempting to access a socket, a system error occurred and FRR was unable to properly complete the request. | Ensure that there are sufficient system resources available and ensure that the frr user has sufficient permissions to work. |
| General | HIGH | 100663303 | System Call Error | FRR has detected an error from using a vital system call and has probably already exited. | Ensure permissions are correct for FRR users and groups. Additionally, check that sufficient system resources are available. |
| General | HIGH | 100663304 | VTY Subsystem Error | FRR has detected a problem with the specified configuration file. | Ensure the configuration file exists and has the correct permissions for operations. Additionally, ensure that all config lines are correct as well. |
| General | HIGH | 100663305 | SNMP Subsystem Error | FRR has detected a problem with the SNMP library it uses. A callback from this subsystem has indicated some error. | Examine the callback message and ensure SNMP is properly set up and working. |
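Review bot: after the spelling fixes, the 100663299 action cell still ends with the vague "ensure that the frr user has sufficient permissions to work"; state what the permissions are for (access to the socket the row is about), and the 100663297 row above it has the same problem with "properly access root privileges", which should say which privileges the frr user needs to raise and lower.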
@@ -87,7 +87,7 @@ by FRRouting. These messages appear in `/var/log/frr/frr.log`.
| OSPF | HIGH | 134217729 | Failure to process a packet | OSPF attempted to process a received packet but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. |
| OSPF | HIGH | 134217730 | Failure to process Router LSA | OSPF attempted to process a router LSA, but there was an advertising ID mismtach with the link ID. | Check the OSPF network configuration for any configuration issue. If the problem persists, report it for troubleshooting. |
| OSPF | HIGH | 134217731 | OSPF Domain Corruption | OSPF attempted to process a router LSA, but there was an advertising ID mismtach with the link ID. | Check OSPF network database for a corrupted LSA. If the problem persists, shut down the OSPF domain and report the problem for troubleshooting. |
-| OSPF | HIGH | 134217732 | OSPF Initialization failure | OSPF failed to initialized the OSPF default instance. | Ensure there is adequate memory on the device. If the problem persists, report it for troubleshooting. |
+| OSPF | HIGH | 134217732 | OSPF Initialization failure | OSPF failed to initialize the OSPF default instance. | Ensure there is adequate memory on the device. If the problem persists, report it for troubleshooting. |
| OSPF | HIGH | 134217733 | OSPF SR Invalid DB | OSPF segment routing database is invalid. | This is most likely a bug. If the problem persists, report it for troubleshooting. |
| OSPF | HIGH | 134217734 | OSPF SR hash node creation failed | OSPF segment routing node creation failed. | This is most likely a bug. If the problem persists, report it for troubleshooting. |
| OSPF | HIGH | 134217735 | OSPF SR Invalid lsa id | OSPF segment routing invalid LSA ID. | Restart the OSPF instance. If the problem persists, report it for troubleshooting. |
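Review bot: the unchanged context rows 134217730 and 134217731 directly above the corrected row both contain the typo "mismtach", which this spelling pass should catch as well; those two rows also carry an identical description ("OSPF attempted to process a router LSA, but there was an advertising ID mismatch with the link ID") for two different message IDs, so at least one of them is wrong and should be checked against the FRR source.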
diff --git a/content/cumulus-linux-37/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/_index.md b/content/cumulus-linux-37/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/_index.md
index cae743ada8..dac9edcf63 100644
--- a/content/cumulus-linux-37/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/_index.md
+++ b/content/cumulus-linux-37/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/_index.md
@@ -1080,7 +1080,7 @@ way:
OPTIONS
- There are various options to control the behaviour of the monitored expression. These include:
+ There are various options to control the behavior of the monitored expression. These include:
-D indicates that the expression should be evaluated using delta differences between sample
values (rather than the values themselves).
-d OID or -di OID
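Review bot: the "behaviour" to "behavior" change in this hunk lands inside what reads as quoted snmpd.conf manual text (the `OPTIONS` listing with `-D`, `-d OID or -di OID`); if that block is a verbatim quote of the upstream documentation, the upstream spelling should stay, and the American-spelling normalization is better limited to the page's own prose.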
@@ -1109,7 +1109,7 @@ way:
-S indicates that the monitor expression should not be evaluated when the agent first starts up.
The first evaluation will be done once the first repeat interval has expired.
-s indicates that the monitor expression should be evaluated when the agent first starts up.
- This is the default behaviour.
+ This is the default behavior.
Note: Notifications triggered by this initial evaluation will be sent before the coldStart trap.
-u SECNAME
specifies a security name to use for scanning the local host, instead of the default
diff --git a/content/cumulus-linux-37/Whats-New/rn.md b/content/cumulus-linux-37/Whats-New/rn.md
index 14f80e1b5c..bc42649770 100644
--- a/content/cumulus-linux-37/Whats-New/rn.md
+++ b/content/cumulus-linux-37/Whats-New/rn.md
@@ -14,8 +14,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
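Review bot: the updated 3418046 row now gives Affects `3.7.0-4.3.1` and Fixed `4.3.2-4.4.5, 5.5.0-5.6.0`, which leaves 5.0.0 through 5.4.0 in neither column even though the removed row listed them as affected; confirm whether those releases are affected, fixed, or not applicable. Two smaller points in the same rows: the `[3418046](#3418046) None` and `[3216922](#3216922) None` cells carry a stray `None` token where the reference-number field is empty, and the 3376798 description spans three physical lines (the `switchd[30158]: ...` log line and "MAC learning looks correct ..."), which breaks the markdown table row; keep the cell on one line or use `<br>` inside it.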
@@ -67,7 +67,7 @@ pdfhidden: True
| [2656291](#2656291) | The following CVEs affect the linux kernel package: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.12-3.7.16 | 4.0.0-4.4.5|
| [2653400](#2653400) None | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | |
| [2652003](#2652003) | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-4.3.0 | 4.3.1-4.4.5|
-| [2648658](#2648658) | If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.1 | 4.4.0-4.4.5|
+| [2648658](#2648658) | If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.2 | 4.4.0-4.4.5|
| [2638137](#2638137) | When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file. | 3.7.13-3.7.16 | |
| [2633245](#2633245) | On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | |
| [2607965](#2607965) | On the EdgeCore AS7726 switch, when you run the NCLU net show system command, you see the error Command not found. | 3.7.14.2-3.7.16 | |
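Review bot: the 2648658 change (Affects `3.7.15-4.3.2`, Fixed unchanged at `4.4.0-4.4.5`) is internally consistent, but the unchanged rows 2653400 and 2652003 directly above it describe the identical 802.1x MAB parking-VLAN hostapd issue with different affected ranges (`3.7.10-3.7.16` with no fix versus `3.7.10-4.3.0` fixed in `4.3.1-4.4.5`); if they are one issue tracked under two IDs, cross-reference them, and the stray `None` token in the 2653400 ID cell should be removed.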
@@ -75,7 +75,7 @@ pdfhidden: True
| [2556037](#2556037) CM-33012 | After you add an interface to the bridge, an OSPF session flap might occur | 3.7.9-4.2.0 | 4.2.1-4.4.5|
| [2555908](#2555908) CM-32940 | If the you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command. | 3.7.12-4.0.1 | 4.1.0-4.4.5|
| [2555528](#2555528) CM-32750 | In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer's ARP policer. To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5|
-| [2555175](#2555175) CM-32528 | Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link. | 3.7.15-3.7.16, 4.2.1-4.4.5 | |
+| [2555175](#2555175) CM-32528 | Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5|
| [2554785](#2554785) CM-32275 | After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor 2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command 4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5|
| [2554709](#2554709) CM-32217 | The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected their Primary IP address, the unnumbered interface does not update its Primary IP address to be the new use-source value until after there is a netlink update for that interface. To work around this issue, configure ip pim use-source on each unnumbered interface directly or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. | 3.7.13-3.7.16, 4.2.1-4.4.5 | |
| [2554588](#2554588) CM-32149 | If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is running To work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:
DHCPD_PID="-pf {0}"
to:
DHCPD_PID="-pf {1}"
| 3.7.13-4.2.1 | 4.3.0-4.4.5|
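Review bot: the rewritten 2555175 row now states the issue is fixed in `4.3.2-4.4.5`, whereas the removed row listed `4.2.1-4.4.5` as affected with no fix; confirm the fix actually landed in 4.3.2 rather than the range being collapsed by mistake. In the unchanged 2554785 row below it, "you see logs in switchd.log similar to the following:" is followed by no log sample, and the workaround text spells the kernel option `ntel_iommu=off` in one place and `intel_iommu=off` in the next, which should be made consistent so a reader does not copy the wrong string into GRUB_CMDLINE_LINUX.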
@@ -115,7 +115,7 @@ pdfhidden: True
| [2549782](#2549782) CM-29519 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| [2549731](#2549731) CM-29492 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
[ebtables] -A FORWARD --in-interface swp10 -j span --dport swp1
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| [2549472](#2549472) CM-29367 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5|
-| [2549371](#2549371) CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.1 | 4.4.0-4.4.5|
+| [2549371](#2549371) CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | 4.4.0-4.4.5|
| [2549307](#2549307) | The following vulnerabilities affect git, which is available in the repository for optional installation: CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host. CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5|
| [2548962](#2548962) CM-29165 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5|
| [2548930](#2548930) CM-29148 | On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5|
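Review bot: the 2549371 range change (Affects `3.7.11-4.3.2`, Fixed still `4.4.0-4.4.5`) is consistent, but the unchanged 2549782 row at the top of this hunk uses "neighbour" while the rest of this patch normalizes to American spelling ("behavior"); apply the same normalization here for consistency.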
@@ -308,7 +308,7 @@ pdfhidden: True
| [2699464](#2699464) | In a VXLAN fabric with ToR switches configured in a MLAG pair, BUM traffic received on a VXLAN tunnel is decapsulated and forwarded on the peer link bond. The BUM traffic is then encapsulated by the peer switch and sent back to the fabric. The issue has been seen in environments where the following conditions exist at the same time:1) high VNI scale2) switchd is busy processing updates3) clagd is in a transition state, such as Up, then Down, then Up. For example, when clagd restarts, the switch reboots, and so on The problem is seen on the switch that experiences the clagd state transition. | 3.7.12-3.7.15 | |
| [2690100](#2690100) | When you run the vtysh show ip bgp vrf statistics command, the bgpd service crashes if you use vrf all. For example:
spine01# show ip bgp vrf all statistics vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!
To workaround this issue, run the command against each VRF independently. | 3.7.15, 4.0.0-4.3.0 | |
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | |
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | |
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | |
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | |
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | |
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | |
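Review bot: the updated 2679950 row extends Affects to `4.0.0-4.3.2` but leaves the Fixed column empty, while its own description says "Fixed: 4.3.1-6-cl3.7.16u1", which implies a fixed 3.7 release that should appear in the Fixed column; the same cell also runs "u1Fixed:" together without a separator, as do the 2684404, 2677063, 2677061 and 2677060 rows around it, so a space or line break before "Fixed:" is needed for all of them.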
@@ -332,8 +332,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
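Review bot: The regenerated Affects ranges on the two `+` rows change version coverage beyond the intended 4.3.2 fix. 3418046 goes from `3.7.0-5.4.0` to `3.7.0-4.3.1` while its Fixed cell still dates the 5.x fix to 5.5.0, so 5.0.0-5.4.0 silently drops out of Affects; 3376798 goes from `3.7.0-3.7.16, 4.3.1-4.4.5` to `3.7.0-4.3.1`, which newly claims 4.0.0-4.3.0 are affected. Either the range notation is meant to span major versions and the old rows were wrong, or these should read something like `3.7.0-3.7.16, 4.0.0-4.3.1, 5.0.0-5.4.0` and `3.7.0-3.7.16, 4.3.1`; please confirm against the tracker. Also, the literal `None` after the issue link on the 3418046 and 3216922 rows is the generator printing an empty CM id and should be suppressed, and the three-line 3376798 cell (a log line containing `<#>` in the middle of a table row) will break the table in most markdown renderers.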
@@ -448,7 +448,7 @@ pdfhidden: True
| [2687332](#2687332) | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
ip route 10.10.0.0/16 Null0 ! address-family ipv4 unicast redistribute connected route-map DENY-COMPONENTS redistribute static exit-address-family ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17 ! route-map DENY-COMPONENTS deny 10 match ip address prefix-list NO-COMPONENTS ! route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5|
| [2684452](#2684452) | When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json { "vxlan": { "module_globals": { "vxlan-purge-remotes": "no" }, "defaults": { "vxlan-ageing": "1800", "vxlan-port": "4789", <==== This comma needs to be added at the end of this line "vxlan-learning": "off" <= This line needs to be added } } }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | |
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
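Review bot: The 2687332 workaround cell in context shows a `Before:` label with no `After:` counterpart and the whole FRR configuration collapsed onto one line (`ip route 10.10.0.0/16 Null0 ! address-family ipv4 unicast redistribute connected route-map DENY-COMPONENTS ...`), so a reader cannot tell which part is the original and which is the replacement, nor where the stanza boundaries are; present it as a fenced block with one statement per line, or drop the `Before:` label. The same cell needs `To workaround this issue` changed to `To work around this issue` and a period after `increased CPU usage`. The `4.0.0-4.3.2` extension on the 2679950 `+` row is consistent with its Fixed cell, which starts at 4.4.0.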
@@ -464,7 +464,7 @@ pdfhidden: True
| [2653521](#2653521) | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16|
| [2653400](#2653400) None | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | |
| [2652003](#2652003) | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-4.3.0 | 4.3.1-4.4.5|
-| [2648658](#2648658) | If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.1 | 4.4.0-4.4.5|
+| [2648658](#2648658) | If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.2 | 4.4.0-4.4.5|
| [2646974](#2646974) | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16|
| [2646968](#2646968) | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16|
| [2645846](#2645846) | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.15 | 3.7.16, 4.3.1-4.4.5|
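Review bot: Three context rows in this hunk describe the same 802.1x MAB/parking VLAN issue and disagree about 3.7.16: 2653400 lists `3.7.10-3.7.16` with no fix, while 2645846 lists `3.7.10-3.7.15` fixed in `3.7.16, 4.3.1-4.4.5` and 2652003 says fixed in `4.3.1-4.4.5`. If these are clones of one defect, the Affects/Fixed cells should agree (and `fdb` on the 2653400 and 2645846 rows should be `FDB` as on 2652003). On the 2648658 `+` row the move to `3.7.15-4.3.2` is consistent with Fixed starting at 4.4.0. Minor: `IXFR transfercould` on the 2646974 row is missing a space.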
@@ -477,7 +477,7 @@ pdfhidden: True
| [2556037](#2556037) CM-33012 | After you add an interface to the bridge, an OSPF session flap might occur | 3.7.9-4.2.0 | 4.2.1-4.4.5|
| [2555908](#2555908) CM-32940 | If the you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command. | 3.7.12-4.0.1 | 4.1.0-4.4.5|
| [2555528](#2555528) CM-32750 | In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer's ARP policer. To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5|
-| [2555175](#2555175) CM-32528 | Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link. | 3.7.15-3.7.16, 4.2.1-4.4.5 | |
+| [2555175](#2555175) CM-32528 | Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5|
| [2554785](#2554785) CM-32275 | After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor 2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command 4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5|
| [2554709](#2554709) CM-32217 | The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected their Primary IP address, the unnumbered interface does not update its Primary IP address to be the new use-source value until after there is a netlink update for that interface. To work around this issue, configure ip pim use-source on each unnumbered interface directly or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. | 3.7.13-3.7.16, 4.2.1-4.4.5 | |
| [2554588](#2554588) CM-32149 | If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is running To work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:
DHCPD_PID="-pf {0}"
to:
DHCPD_PID="-pf {1}"
| 3.7.13-4.2.1 | 4.3.0-4.4.5|
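Review bot: On the rewritten 2555175 row, `downlinks` became `down links`, which changes the meaning (the links toward the hosts below the leaf, not links that are down); keep `downlinks`. The same row's Affects collapses `3.7.15-3.7.16, 4.2.1-4.4.5` into `3.7.15-4.3.1`, which now claims 4.0.0-4.2.0 were affected; if the fix landed in 4.3.2 the expected value is `3.7.15-3.7.16, 4.2.1-4.3.1`. In the context rows, the 2554785 cell says "you see logs in switchd.log similar to the following:" but the log excerpt is missing, the kernel option is misspelled `ntel_iommu=off` on its first mention, and `If the you add` on the 2555908 row should be `If you add`.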
@@ -517,7 +517,7 @@ pdfhidden: True
| [2549782](#2549782) CM-29519 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| [2549731](#2549731) CM-29492 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
[ebtables] -A FORWARD --in-interface swp10 -j span --dport swp1
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| [2549472](#2549472) CM-29367 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5|
-| [2549371](#2549371) CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.1 | 4.4.0-4.4.5|
+| [2549371](#2549371) CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | 4.4.0-4.4.5|
| [2549307](#2549307) | The following vulnerabilities affect git, which is available in the repository for optional installation: CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host. CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5|
| [2548962](#2548962) CM-29165 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5|
| [2548930](#2548930) CM-29148 | On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5|
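Review bot: The 2549371 `+` row carries over the ungrammatical `when there is no MLD join receive`; since the line is being touched anyway, make it `when no MLD join has been received`. The 2549782 context row uses `neighbour`, whereas this commit standardises on American spelling elsewhere (`behaviour` to `behavior` in the MLAG page), so `neighbor` would be consistent. The range move to `3.7.11-4.3.2` agrees with the Fixed cell starting at 4.4.0.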
@@ -641,7 +641,7 @@ pdfhidden: True
| Issue ID | Description | Affects |
|--- |--- |--- |
| [2635951](#2635951) | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | |
-| [2628515](#2628515) | CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.1 | |
+| [2628515](#2628515) | CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.2 | |
| [2617009](#2617009) | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | |
| [2617008](#2617008) | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | |
| [2617007](#2617007) | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | |
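Review bot: The table header here declares three columns (`| Issue ID | Description | Affects |`) but every row in the hunk, including the updated 2628515 row, ends with four cells (`| 3.7.14-3.7.14.2, 4.3.0-4.3.2 | |`); the trailing empty Fixed cell is dropped or misaligned depending on the renderer. Either emit a four-column header or stop emitting the empty cell for open-issue tables. The description cells also run `Vulnerable:` and `Fixed:` together (`deb8u2Fixed:`, `deb8u4Fixed:`), which needs a separator.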
@@ -655,12 +655,12 @@ pdfhidden: True
| [2589570](#2589570) | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | |
| [2589567](#2589567) | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | |
| [2574294](#2574294) | CVE-2021-3410: A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context Vulnerable: <= 0.99.beta19-2+deb8u1Fixed: 0.99.beta19-2+deb8u2 | 3.7.14-3.7.14.2 | |
-| [2566880](#2566880) | CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | |
+| [2566880](#2566880) | CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | |
| [2562511](#2562511) | hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary radius is reachable but not responding to Access-Requests If the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers. | 3.7.10-3.7.14.2 | |
| [2562396](#2562396) | CVE-2020-27824: Global buffer overflow on irreversible conversion when too many decomposition levels are specified. CVE-2020-27841: Crafted input to be processed by the openjpeg encoder could cause an out-of-bounds read. CVE-2020-27845: Crafted input can cause out-of-bounds-read. Vulnerable: <= 2.1.0-2+deb8u11 Fixed: 2.1.0-2+deb8u12 | 3.7.14-3.7.14.2 | |
| [2562301](#2562301) | CVE-2021-26937: encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence. Vulnerable: <= 4.2.1-3+deb8u1 Fixed: 4.2.1-3+deb8u2 | 3.7.14-3.7.14.2 | |
| [2556815](#2556815) CM-33419 | When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP. To work around this issue, disable ARP suppression. | 3.7.14-3.7.14.2, 4.3.0 | |
-| [2556782](#2556782) CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | |
+| [2556782](#2556782) CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | |
| [2556780](#2556780) CM-33397 | CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets. Vulnerable: <= 2.4.40+dfsg-1+deb8u9 Fixed: 2.4.40+dfsg-1+deb8u10 | 3.7.14-3.7.14.2 | |
| [2556779](#2556779) CM-33396 | CVE-2020-8625: Buffer overflow attack in the bind9 DNS server caused by an issue in the GSSAPI (“Generic Security Services”) security policy negotiation. Vulnerable: <= 9.9.5.dfsg-9+deb8u20 Fixed: 9.9.5.dfsg-9+deb8u21 | 3.7.14-3.7.14.2 | |
| [2556763](#2556763) CM-33385 | In a configuration with both traditional and vlan-aware bridges, the VLAN membership check on a vlan-aware switch does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-3.7.14.2, 4.0.0-4.3.0 | |
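Review bot: The 2556782 `+` row gives only `Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1` with no `Fixed:` package version, unlike every other CVE row in this hunk; state the fixed wpa package version so the `4.0.0-4.3.2` Affects range can be checked against it (the 2566880 `+` row has the same gap, with no package versions at all). Context typos worth fixing while here: `FIxed:` on the 2589567 row, `PVST BPBUs` on the 2556763 row (should be `BPDUs`), and the missing separator before `Fixed:` on the Pygments and Pillow rows.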
@@ -707,8 +707,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
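Review bot: Same range changes as the table at 332 and the same concern: 3418046 drops 5.0.0-5.4.0 from Affects (`3.7.0-5.4.0` to `3.7.0-4.3.1`) although its Fixed cell still dates the 5.x fix to 5.5.0, and 3376798 widens from `3.7.0-3.7.16, 4.3.1-4.4.5` to `3.7.0-4.3.1`, which adds 4.0.0-4.3.0. Whatever the resolution, both tables must end up identical, and the stray `None` after the 3418046 and 3216922 issue links should be suppressed.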
@@ -783,7 +783,7 @@ pdfhidden: True
| [2687332](#2687332) | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
ip route 10.10.0.0/16 Null0 ! address-family ipv4 unicast redistribute connected route-map DENY-COMPONENTS redistribute static exit-address-family ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17 ! route-map DENY-COMPONENTS deny 10 match ip address prefix-list NO-COMPONENTS ! route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5|
| [2684452](#2684452) | When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json { "vxlan": { "module_globals": { "vxlan-purge-remotes": "no" }, "defaults": { "vxlan-ageing": "1800", "vxlan-port": "4789", <==== This comma needs to be added at the end of this line "vxlan-learning": "off" <= This line needs to be added } } }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | |
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
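Review bot: The 2684452 workaround cell in context cannot be followed as written: the steps run together (`steps:1. Clear ... command2. Add`), the `bridge fdb del dev [dst\|via]` command is incomplete (no MAC address or device name), and the JSON is annotated in-line with `<==== This comma needs to be added` and `<= This line needs to be added`, so it cannot be pasted. Show the finished vxlan.json as a fenced block and put the two edits in prose above it. The 2679950 `+` row's `4.0.0-4.3.2` matches the same row in the tables at 448 and earlier.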
@@ -804,7 +804,7 @@ pdfhidden: True
| [2638137](#2638137) | When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file. | 3.7.13-3.7.16 | |
| [2635951](#2635951) | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16|
| [2633245](#2633245) | On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | |
-| [2628515](#2628515) | CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5|
+| [2628515](#2628515) | CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5|
| [2617009](#2617009) | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16|
| [2617008](#2617008) | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16|
| [2617007](#2617007) | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16|
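Review bot: `SPF+ ports` on the 2633245 context row should be `SFP+ ports` (the 2581473 row later in this file spells it correctly). The 2628515 `+` row is consistent: Affects `4.3.0-4.3.2` sits next to Fixed `4.4.0-4.4.5`, and it matches the open-issues table at 641.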
@@ -819,13 +819,13 @@ pdfhidden: True
| [2589567](#2589567) | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16|
| [2581473](#2581473) | When netq-agent is installed on the Dell N3048EP platform, switchd might crash if pluggables are installed in the SFP+ ports. | 3.7.13-3.7.15 | 3.7.16|
| [2574294](#2574294) | CVE-2021-3410: A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context Vulnerable: <= 0.99.beta19-2+deb8u1Fixed: 0.99.beta19-2+deb8u2 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16|
-| [2566880](#2566880) | CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5|
+| [2566880](#2566880) | CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5|
| [2562511](#2562511) | hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary radius is reachable but not responding to Access-Requests If the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers. | 3.7.10-3.7.14.2 | 3.7.15-3.7.16|
| [2562396](#2562396) | CVE-2020-27824: Global buffer overflow on irreversible conversion when too many decomposition levels are specified. CVE-2020-27841: Crafted input to be processed by the openjpeg encoder could cause an out-of-bounds read. CVE-2020-27845: Crafted input can cause out-of-bounds-read. Vulnerable: <= 2.1.0-2+deb8u11 Fixed: 2.1.0-2+deb8u12 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16|
| [2562347](#2562347) | When you bring VXLAN interfaces up and down physically or administratively, the MTU for the SVIs changes to 1550 (the default value). | 3.7.14.2-3.7.16 | |
| [2562301](#2562301) | CVE-2021-26937: encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence. Vulnerable: <= 4.2.1-3+deb8u1 Fixed: 4.2.1-3+deb8u2 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16|
| [2556815](#2556815) CM-33419 | When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP. To work around this issue, disable ARP suppression. | 3.7.14-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5|
-| [2556782](#2556782) CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5|
+| [2556782](#2556782) CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5|
| [2556780](#2556780) CM-33397 | CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets. Vulnerable: <= 2.4.40+dfsg-1+deb8u9 Fixed: 2.4.40+dfsg-1+deb8u10 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16|
| [2556779](#2556779) CM-33396 | CVE-2020-8625: Buffer overflow attack in the bind9 DNS server caused by an issue in the GSSAPI (“Generic Security Services”) security policy negotiation. Vulnerable: <= 9.9.5.dfsg-9+deb8u20 Fixed: 9.9.5.dfsg-9+deb8u21 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16|
| [2556763](#2556763) CM-33385 | In a configuration with both traditional and vlan-aware bridges, the VLAN membership check on a vlan-aware switch does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5|
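Review bot: both `+` lines (2566880 and 2556782) extend the 4.x Affects range to `4.0.0-4.3.2` and leave Fixed at `4.4.0-4.4.5`, which is internally consistent, but neither row states the fixed package version: 2556782 lists `Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1` with no `Fixed:` counterpart, and 2566880 carries no package versions at all, whereas every other CVE row in this hunk has a `Vulnerable: ... Fixed: ...` pair. Since these lines are touched here, add the fixed wpa package versions for 3.7 and 4.x (or drop the dangling `Vulnerable:` fragment) so the rows follow the table's convention.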
@@ -899,7 +899,7 @@ pdfhidden: True
| [2549782](#2549782) CM-29519 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| [2549731](#2549731) CM-29492 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
[ebtables] -A FORWARD --in-interface swp10 -j span --dport swp1
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| [2549472](#2549472) CM-29367 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5|
-| [2549371](#2549371) CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.1 | 4.4.0-4.4.5|
+| [2549371](#2549371) CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | 4.4.0-4.4.5|
| [2549307](#2549307) | The following vulnerabilities affect git, which is available in the repository for optional installation: CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host. CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5|
| [2549226](#2549226) CM-29259 | You might see the following gport error messages in switchd.log:
These messages are harmless and can be ignored. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5|
| [2548962](#2548962) CM-29165 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5|
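Review bot: the `+` line for 2549371 only bumps the upper bound from `4.3.1` to `4.3.2`; while the line is being rewritten, fix the description's grammar, as `when there is no MLD join receive` should read `when no MLD join is received`. Separately, the unchanged context for 2549226 reads `You might see the following gport error messages in switchd.log:` immediately followed by `These messages are harmless and can be ignored.`, so the example messages the sentence promises are missing; that is outside this change but worth a follow-up in the same table.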
@@ -1037,8 +1037,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
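Review bot: the new Affects value for 3418046, `3.7.0-4.3.1`, no longer covers 5.0.0-5.4.0 even though the Fixed column keeps `5.5.0-5.6.0`, which only makes sense if those 5.x releases were affected (the removed `-` line had `3.7.0-5.4.0`). The 3327477 row below shows how this table writes disjoint ranges (`3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0`), so the `+` line should probably read `3.7.0-4.3.1, 5.0.0-5.4.0` with Fixed `4.3.2-4.4.5, 5.5.0-5.6.0`. The rewrite of 3376798 in the same hunk also replaces `3.7.0-3.7.16, 4.3.1-4.4.5` with `3.7.0-4.3.1`, which newly declares 4.0.0-4.3.0 affected while marking 4.3.2-4.4.5 fixed; confirm that 4.0.0-4.3.0 were actually affected, because the old entry deliberately left them out.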
@@ -1106,7 +1106,7 @@ pdfhidden: True
| [2687332](#2687332) | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
ip route 10.10.0.0/16 Null0 ! address-family ipv4 unicast redistribute connected route-map DENY-COMPONENTS redistribute static exit-address-family ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17 ! route-map DENY-COMPONENTS deny 10 match ip address prefix-list NO-COMPONENTS ! route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5|
| [2684452](#2684452) | When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json { "vxlan": { "module_globals": { "vxlan-purge-remotes": "no" }, "defaults": { "vxlan-ageing": "1800", "vxlan-port": "4789", <==== This comma needs to be added at the end of this line "vxlan-learning": "off" <= This line needs to be added } } }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | |
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
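Review bot: the `+` line for 2679950 adds 4.3.2 to the affected range, but the description's `Vulnerable: <= 4.3.1-6-cl3.7.14u1` / `Fixed: 4.3.1-6-cl3.7.16u1` name only the 3.7 build of the DHCP package and never name the package itself (only `dhclient or dhcpd`), so the upstream package version `4.3.1-6` sitting next to a Cumulus Linux `4.0.0-4.3.2` range is easy to misread as a release number. Name the package (ISC DHCP) in the description, add the 4.x package versions alongside the 3.7 ones, and insert a space before `Fixed:` as the other rows in this hunk do.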
@@ -1126,7 +1126,7 @@ pdfhidden: True
| [2638137](#2638137) | When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file. | 3.7.13-3.7.16 | |
| [2635951](#2635951) | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16|
| [2633245](#2633245) | On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | |
-| [2628515](#2628515) | CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5|
+| [2628515](#2628515) | CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5|
| [2617009](#2617009) | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16|
| [2617008](#2617008) | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16|
| [2617007](#2617007) | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16|
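Review bot: this hunk is a byte-for-byte repeat, at a different offset, of the 2628515 edit made earlier in the file, and the `@@ -1140`, `-1227`, `-1417`, `-1486` and `-1606` hunks likewise repeat the `-819`, `-899`, `-1037`, `-1106` edits, so the file carries at least three copies of the same issue table that have to be kept in sync by hand. If these `pdfhidden: True` sections are derived from one list, consider emitting them from that single source so a range bump cannot land in one copy and miss another; until then, a review step that searches the file for the issue ID after each edit (for example `grep -n 2628515` on the file) would catch a copy that was left behind.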
@@ -1140,12 +1140,12 @@ pdfhidden: True
| [2589567](#2589567) | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16|
| [2581473](#2581473) | When netq-agent is installed on the Dell N3048EP platform, switchd might crash if pluggables are installed in the SFP+ ports. | 3.7.13-3.7.15 | 3.7.16|
| [2574294](#2574294) | CVE-2021-3410: A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context Vulnerable: <= 0.99.beta19-2+deb8u1Fixed: 0.99.beta19-2+deb8u2 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16|
-| [2566880](#2566880) | CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5|
+| [2566880](#2566880) | CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5|
| [2562511](#2562511) | hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary radius is reachable but not responding to Access-Requests If the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers. | 3.7.10-3.7.14.2 | 3.7.15-3.7.16|
| [2562396](#2562396) | CVE-2020-27824: Global buffer overflow on irreversible conversion when too many decomposition levels are specified. CVE-2020-27841: Crafted input to be processed by the openjpeg encoder could cause an out-of-bounds read. CVE-2020-27845: Crafted input can cause out-of-bounds-read. Vulnerable: <= 2.1.0-2+deb8u11 Fixed: 2.1.0-2+deb8u12 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16|
| [2562301](#2562301) | CVE-2021-26937: encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence. Vulnerable: <= 4.2.1-3+deb8u1 Fixed: 4.2.1-3+deb8u2 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16|
| [2556815](#2556815) CM-33419 | When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP. To work around this issue, disable ARP suppression. | 3.7.14-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5|
-| [2556782](#2556782) CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5|
+| [2556782](#2556782) CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5|
| [2556780](#2556780) CM-33397 | CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets. Vulnerable: <= 2.4.40+dfsg-1+deb8u9 Fixed: 2.4.40+dfsg-1+deb8u10 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16|
| [2556779](#2556779) CM-33396 | CVE-2020-8625: Buffer overflow attack in the bind9 DNS server caused by an issue in the GSSAPI (“Generic Security Services”) security policy negotiation. Vulnerable: <= 9.9.5.dfsg-9+deb8u20 Fixed: 9.9.5.dfsg-9+deb8u21 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16|
| [2556763](#2556763) CM-33385 | In a configuration with both traditional and vlan-aware bridges, the VLAN membership check on a vlan-aware switch does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5|
@@ -1227,7 +1227,7 @@ pdfhidden: True
| [2549782](#2549782) CM-29519 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| [2549731](#2549731) CM-29492 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
[ebtables] -A FORWARD --in-interface swp10 -j span --dport swp1
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| [2549472](#2549472) CM-29367 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5|
-| [2549371](#2549371) CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.1 | 4.4.0-4.4.5|
+| [2549371](#2549371) CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | 4.4.0-4.4.5|
| [2549307](#2549307) | The following vulnerabilities affect git, which is available in the repository for optional installation: CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host. CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5|
| [2549226](#2549226) CM-29259 | You might see the following gport error messages in switchd.log:
These messages are harmless and can be ignored. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5|
| [2548962](#2548962) CM-29165 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5|
@@ -1417,8 +1417,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
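Review bot: this copy of the table has the same gap as the earlier one: the new Affects `3.7.0-4.3.1` for 3418046 drops 5.0.0-5.4.0 while Fixed still lists `5.5.0-5.6.0`, and the removed `-` line had `3.7.0-5.4.0`, so the `+` line should read `3.7.0-4.3.1, 5.0.0-5.4.0` (disjoint ranges as the 3327477 row writes them). Likewise the 3376798 rewrite replaces `3.7.0-3.7.16, 4.3.1-4.4.5` with `3.7.0-4.3.1`, newly marking 4.0.0-4.3.0 as affected; confirm that before merging, or restore the two-range form.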
@@ -1486,7 +1486,7 @@ pdfhidden: True
| [2687332](#2687332) | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
ip route 10.10.0.0/16 Null0 ! address-family ipv4 unicast redistribute connected route-map DENY-COMPONENTS redistribute static exit-address-family ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17 ! route-map DENY-COMPONENTS deny 10 match ip address prefix-list NO-COMPONENTS ! route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5|
| [2684452](#2684452) | When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json { "vxlan": { "module_globals": { "vxlan-purge-remotes": "no" }, "defaults": { "vxlan-ageing": "1800", "vxlan-port": "4789", <==== This comma needs to be added at the end of this line "vxlan-learning": "off" <= This line needs to be added } } }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | |
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
@@ -1606,7 +1606,7 @@ pdfhidden: True
| [2549782](#2549782) CM-29519 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| [2549731](#2549731) CM-29492 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
[ebtables] -A FORWARD --in-interface swp10 -j span --dport swp1
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| [2549472](#2549472) CM-29367 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5|
-| [2549371](#2549371) CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.1 | 4.4.0-4.4.5|
+| [2549371](#2549371) CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | 4.4.0-4.4.5|
| [2549307](#2549307) | The following vulnerabilities affect git, which is available in the repository for optional installation: CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host. CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5|
| [2549226](#2549226) CM-29259 | You might see the following gport error messages in switchd.log:
These messages are harmless and can be ignored. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5|
| [2548962](#2548962) CM-29165 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5|
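Review bot: the wording on the changed 2549371 line, "when there is no MLD join receive", is ungrammatical; since the line is being edited anyway, make it "when no MLD join is received". The range change itself (Affects 3.7.11-4.3.2 with Fixed still 4.4.0-4.4.5) is consistent with how the 2679950 row treats 4.3.2 as affected. Separately, the context row 2549226 says "You might see the following gport error messages in switchd.log:" and goes straight to "These messages are harmless", so the messages themselves have been lost from this table and should be restored.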
@@ -1799,8 +1799,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
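Review bot: the new 3418046 line leaves releases 5.0.0 through 5.4.0 in neither column: Affects shrinks from 3.7.0-5.4.0 to 3.7.0-4.3.1 while Fixed becomes 4.3.2-4.4.5, 5.5.0-5.6.0, so the 5.0.0-5.4.0 releases that the removed line listed as affected now read as unaffected. Suggest Affects "3.7.0-4.3.1, 5.0.0-5.4.0". On 3376798, Affects changes from "3.7.0-3.7.16, 4.3.1-4.4.5" to "3.7.0-4.3.1", which newly marks 4.0.0-4.3.0 as affected; confirm that is intended rather than "3.7.0-3.7.16, 4.3.1". The stray "None" after the 3418046 issue ID looks like an unfilled CM-number field and should be dropped.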
@@ -1867,7 +1867,7 @@ pdfhidden: True
| [2687332](#2687332) | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
ip route 10.10.0.0/16 Null0 ! address-family ipv4 unicast redistribute connected route-map DENY-COMPONENTS redistribute static exit-address-family ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17 ! route-map DENY-COMPONENTS deny 10 match ip address prefix-list NO-COMPONENTS ! route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5|
| [2684452](#2684452) | When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json { "vxlan": { "module_globals": { "vxlan-purge-remotes": "no" }, "defaults": { "vxlan-ageing": "1800", "vxlan-port": "4789", <==== This comma needs to be added at the end of this line "vxlan-learning": "off" <= This line needs to be added } } }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | |
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
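Review bot: the changed 2679950 line again records 4.3.2 as affected (Affects 4.0.0-4.3.2) with no 4.3.x entry under Fixed (3.7.16, 4.4.0-4.4.5); confirm 4.3.2 did not pick up the isc-dhcp fix, given that 4.3.2 appears under Fixed for 3418046 and 3376798 in this change. The `u1Fixed:` run-together on this line still needs a separator before `Fixed:`. The context rows 2687332 and 2684452 in this hunk have their FRR configuration and vxlan.json examples collapsed onto single lines with inline "<====" annotations, which will not render as readable configuration; worth fixing while this table is open.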
@@ -1985,7 +1985,7 @@ pdfhidden: True
| [2549676](#2549676) CM-29471 | After you add or remove a bridge VLAN identifier (VID) on a trunk port, the layer 2 VNI is put into VLAN 1. To work around this issue, revert the configuration change. | 3.7.10-4.1.1 | 4.2.0-4.4.5|
| [2549472](#2549472) CM-29367 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5|
| [2549397](#2549397) CM-29322 | When the BGP Multi-protocol Unreach NLRI attribute is received in a BGP update without a next hop attribute, the BGP session is brought down unexpectedly. RFC 4760 defines that the next-hop attribute is not required for updates containing MP_UNREACH_NLRI. | 3.7.12 | 3.7.13-3.7.16, 4.0.0-4.4.5|
-| [2549371](#2549371) CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.1 | 4.4.0-4.4.5|
+| [2549371](#2549371) CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | 4.4.0-4.4.5|
| [2549307](#2549307) | The following vulnerabilities affect git, which is available in the repository for optional installation: CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host. CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5|
| [2549226](#2549226) CM-29259 | You might see the following gport error messages in switchd.log:
These messages are harmless and can be ignored. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5|
| [2548962](#2548962) CM-29165 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5|
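Review bot: the edited 2549371 line keeps "when there is no MLD join receive"; change it to "when no MLD join is received" while touching the line. Affects 3.7.11-4.3.2 with Fixed 4.4.0-4.4.5 is consistent with the 2679950 row in this change. The context row 2549226 again lacks the gport messages it promises before "These messages are harmless and can be ignored."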
@@ -2180,8 +2180,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
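Review bot: as in the other copies of this table, the new 3418046 line drops 5.0.0-5.4.0 from Affects (now 3.7.0-4.3.1) without adding them to Fixed (4.3.2-4.4.5, 5.5.0-5.6.0), so those releases are no longer listed anywhere; suggest Affects "3.7.0-4.3.1, 5.0.0-5.4.0". The 3376798 line widens Affects from "3.7.0-3.7.16, 4.3.1-4.4.5" to "3.7.0-4.3.1", newly covering 4.0.0-4.3.0; confirm. The "None" token after the 3418046 ID is an empty CM field and should be removed.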
@@ -2234,7 +2234,7 @@ pdfhidden: True
| [2705168](#2705168) | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16|
| [2702519](#2702519) | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16|
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
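Review bot: the 2679950 change here (Affects extended to 4.3.2, Fixed unchanged) needs the same confirmation as in the other tables that 4.3.2 really lacks the CVE-2021-25217 fix, and the `u1Fixed:` run-together needs a separator. In the context lines, the 2702519 row quotes Fixed as `1.6.2-2+dev8u9` against Vulnerable `1.6.3-2+deb8u8`; the downgraded upstream version and `dev8u9` instead of `deb8u9` look like typos in the package version and are worth correcting while this table is edited.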
@@ -2288,7 +2288,7 @@ pdfhidden: True
| [2549794](#2549794) CM-29525 | The asic-monitor.service fails when you configure /etc/cumulus/datapath/monitor.conf with monitor.histogram_pg.collect.port_group_list = [all_packet_pg] and there is traffic passing through the buffer. When the service fails, you see the following traceback in journalctl:
asic-monitor[7389]: asic-monitor-module INFO: 2020-05-01 18:28:12.548734: Egress queue(s) greater than 500 bytes in monitor port group histogram_pg asic-monitor[7389]: asic-monitor ERROR: ASIC monitor exception: sx_api_port_counter_tc_get failed: Parameter Error asic-monitor[7389]: File "/usr/bin/asic-monitor", line 139, in asic-monitor[7389]: main(sys.argv[1:]) asic-monitor[7389]: File "/usr/bin/asic-monitor", line 126, in main asic-monitor[7389]: traceback.print_stack() asic-monitor[7389]: Traceback (most recent call last): asic-monitor[7389]: File "/usr/bin/asic-monitor", line 117, in main asic-monitor[7389]: monitor.run() asic-monitor[7389]: File "/usr/lib/python2.7/dist-packages/cumulus/asic_monitor.py", line 158, in run ...
| 3.7.11-3.7.13, 4.1.1-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5|
| [2549676](#2549676) CM-29471 | After you add or remove a bridge VLAN identifier (VID) on a trunk port, the layer 2 VNI is put into VLAN 1. To work around this issue, revert the configuration change. | 3.7.10-4.1.1 | 4.2.0-4.4.5|
| [2549472](#2549472) CM-29367 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5|
-| [2549371](#2549371) CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.1 | 4.4.0-4.4.5|
+| [2549371](#2549371) CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | 4.4.0-4.4.5|
| [2548930](#2548930) CM-29148 | On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5|
| [2548746](#2548746) CM-29068 | On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5|
| [2548673](#2548673) CM-29044 | A large number of flapping peers causes FRR to require a corresponding update to internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers as well as peers that should have been deleted during the flap processing. The contents of this array is processed by FRR to poll the links, which consumes CPU for all items in the array. This additional polling consumes more CPU than necessary but has no functional impact. To work around this issue, restart FRR. | 3.7.11-4.1.1 | 4.2.0-4.4.5|
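Review bot: the edited 2549371 line should read "when no MLD join is received" rather than "when there is no MLD join receive". The Affects extension to 4.3.2 with Fixed 4.4.0-4.4.5 matches the 2679950 row. The context row 2549794 has its journalctl traceback collapsed onto one line ending in "..."; it would read better as a fenced block, but that is a pre-existing layout issue rather than part of this change.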
@@ -2530,8 +2530,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
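Review bot: the new 3418046 line omits 5.0.0-5.4.0 from both columns (Affects 3.7.0-4.3.1, Fixed 4.3.2-4.4.5, 5.5.0-5.6.0) although the removed line listed them as affected; suggest Affects "3.7.0-4.3.1, 5.0.0-5.4.0". The 3376798 Affects change to "3.7.0-4.3.1" newly includes 4.0.0-4.3.0, which the removed line ("3.7.0-3.7.16, 4.3.1-4.4.5") did not; confirm. Drop the stray "None" after the 3418046 ID.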
@@ -2584,7 +2584,7 @@ pdfhidden: True
| [2705168](#2705168) | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16|
| [2702519](#2702519) | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16|
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
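Review bot: same point as for the other copies of the 2679950 line: Affects now ends at 4.3.2 while Fixed is unchanged, so 4.3.2 is listed as vulnerable with no 4.3.x fix; confirm, and add a separator before `Fixed:` in the `u1Fixed:` run-together. The context row 2702519 still carries the suspect `1.6.2-2+dev8u9` fixed version (lower than the vulnerable `1.6.3-2+deb8u8` and with `dev8` for `deb8`).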
@@ -2818,8 +2818,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
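Review bot: the new 3418046 line again leaves 5.0.0-5.4.0 unlisted (Affects 3.7.0-4.3.1, Fixed 4.3.2-4.4.5, 5.5.0-5.6.0) where the removed line had them affected; suggest Affects "3.7.0-4.3.1, 5.0.0-5.4.0". The 3376798 Affects change to "3.7.0-4.3.1" newly marks 4.0.0-4.3.0 as affected; confirm. Remove the stray "None" after the 3418046 ID.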
@@ -2871,7 +2871,7 @@ pdfhidden: True
| [2705168](#2705168) | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16|
| [2702519](#2702519) | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16|
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
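Review bot: the Affects change for 2679950 (4.0.0-4.3.1 to 4.0.0-4.3.2) is consistent with the unchanged Fixed column "3.7.16, 4.4.0-4.4.5", since 4.3.2 then sits at the end of the affected 4.x range just before the 4.4.0 fix; what needs attention in this hunk is the unchanged context around it. The 2702519 row reads "Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9", where the upstream version differs between the two strings (1.6.3 versus 1.6.2) and "dev8u9" looks like a typo for the "deb8u9" pattern the neighbouring rows use; please confirm the real vulnerable and fixed package versions. Every row in this table also runs the "Vulnerable:" version straight into "Fixed:" with no separator, so a semicolon or line break between them would keep the two versions from reading as one string.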
@@ -3117,8 +3117,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
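Review bot: the new 3418046 row leaves 5.0.0-5.4.0 in neither column. The old row listed Affects 3.7.0-5.4.0 with Fixed 5.5.0-5.6.0; the new row lists Affects 3.7.0-4.3.1 with Fixed "4.3.2-4.4.5, 5.5.0-5.6.0", so 5.0.0-5.4.0, previously stated as affected and still not claimed as fixed, has silently dropped out. Affects should read "3.7.0-4.3.1, 5.0.0-5.4.0" unless those releases were also fixed. Two smaller points in the same hunk: the 3376798 row's old Affects was "3.7.0-3.7.16, 4.3.1-4.4.5" and the new one is "3.7.0-4.3.1", which merges two release trains into one range (the other rows, such as 2679950's "3.7.0-3.7.15, 4.0.0-4.3.2", list each train separately) and now implies 4.0.0-4.3.0 are affected where the old row started at 4.3.1, so please confirm which is intended; and the literal "None" after the [3418046] and [3216922] links looks like an empty field rendered by the generator and should be dropped. The 3376798 description also spans three source lines because of the embedded switchd log line; a markdown table cell cannot hold a raw line break, so the row will render broken unless the log line is kept on one line with the rest of the cell or joined with <br>.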
@@ -3170,7 +3170,7 @@ pdfhidden: True
| [2705168](#2705168) | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16|
| [2702519](#2702519) | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16|
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
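Review bot: the 2679950 Affects range now ends at 4.3.2 while Fixed stays "3.7.16, 4.4.0-4.4.5", which lines up; the surrounding context rows in this release's copy of the table still concatenate "Vulnerable: ...Fixed: ..." without a separator, and the 2702519 row's "Fixed: 1.6.2-2+dev8u9" against "Vulnerable: <= 1.6.3-2+deb8u8" looks like a typo in both the upstream version and the Debian suffix, so the same cleanup is needed here.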
@@ -3368,8 +3368,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
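Review bot: in this release's copy of the table the 3418046 row drops 5.0.0-5.4.0: the old row had Affects 3.7.0-5.4.0, the new one has Affects 3.7.0-4.3.1 and Fixed "4.3.2-4.4.5, 5.5.0-5.6.0", so those releases are listed as neither affected nor fixed, and Affects should most likely be "3.7.0-4.3.1, 5.0.0-5.4.0". The 3376798 Affects also collapses "3.7.0-3.7.16, 4.3.1-4.4.5" into a cross-train "3.7.0-4.3.1" that newly covers 4.0.0-4.3.0, and the stray "None" after the issue links and the three-line description cell with the raw switchd log line are carried over unchanged.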
@@ -3421,7 +3421,7 @@ pdfhidden: True
| [2705168](#2705168) | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16|
| [2702519](#2702519) | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16|
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
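Review bot: widening 2679950's Affects to 4.0.0-4.3.2 is consistent with the Fixed column starting at 4.4.0 for the 4.x train; the unchanged rows in this copy still need the "Vulnerable: <= ...Fixed: ..." strings separated, and the 2702519 row ("<= 1.6.3-2+deb8u8" versus "1.6.2-2+dev8u9") still carries what looks like a mistyped fixed version.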
@@ -3657,8 +3657,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
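Review bot: the 3418046 row in this release's table now lists Affects 3.7.0-4.3.1 and Fixed "4.3.2-4.4.5, 5.5.0-5.6.0", which leaves 5.0.0-5.4.0 (affected per the old row's 3.7.0-5.4.0, and not in the new Fixed column) unaccounted for; please restore it in Affects, for example "3.7.0-4.3.1, 5.0.0-5.4.0". For 3376798, the new single range "3.7.0-4.3.1" replaces "3.7.0-3.7.16, 4.3.1-4.4.5" and so extends the affected set to 4.0.0-4.3.0, which should be confirmed; the "None" after the issue links and the line breaks inside the description cell remain as formatting defects.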
@@ -3710,7 +3710,7 @@ pdfhidden: True
| [2705168](#2705168) | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16|
| [2702519](#2702519) | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16|
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
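Review bot: the 2679950 change (Affects up to 4.3.2, Fixed from 4.4.0) is internally consistent in this copy; the remaining issue in the hunk is the unchanged context, where "Vulnerable:" and "Fixed:" versions are run together in every row and the 2702519 row's "1.6.2-2+dev8u9" does not match the "1.6.3-2+deb8u8" vulnerable version or the deb8uN naming of the other rows.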
@@ -3919,8 +3919,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
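Review bot: this copy of the 3418046 row has the same gap: Affects shrinks from 3.7.0-5.4.0 to 3.7.0-4.3.1 while Fixed only adds 4.3.2-4.4.5, so 5.0.0-5.4.0 no longer appears in either column even though nothing says it was fixed; Affects should keep "5.0.0-5.4.0". The 3376798 Affects "3.7.0-4.3.1" merges the 3.7 and 4.x trains that the old row ("3.7.0-3.7.16, 4.3.1-4.4.5") kept separate and quietly adds 4.0.0-4.3.0, and the "None" after the links and the multi-line description cell are unchanged.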
@@ -3972,7 +3972,7 @@ pdfhidden: True
| [2705168](#2705168) | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16|
| [2702519](#2702519) | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16|
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
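Review bot: no problem with the 2679950 Affects/Fixed pairing here (4.3.2 affected, 4.4.0 onward fixed); the context rows still need a separator between the "Vulnerable:" and "Fixed:" versions, and the 2702519 "dev8u9" fixed version (against "deb8u8" vulnerable, with a 1.6.3/1.6.2 mismatch) should be checked before this table is published again.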
@@ -4136,8 +4136,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
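Review bot: the 3418046 row again loses 5.0.0-5.4.0 when Affects goes from 3.7.0-5.4.0 to 3.7.0-4.3.1 with Fixed "4.3.2-4.4.5, 5.5.0-5.6.0"; unless those releases are fixed, Affects should be "3.7.0-4.3.1, 5.0.0-5.4.0". The 3376798 row's new "3.7.0-4.3.1" range spans two trains and includes 4.0.0-4.3.0, which the old "4.3.1-4.4.5" did not, so please confirm; the stray "None" and the raw switchd log line breaking the table cell persist.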
@@ -4189,7 +4189,7 @@ pdfhidden: True
| [2705168](#2705168) | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16|
| [2702519](#2702519) | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16|
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
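Review bot: the 2679950 Affects extension to 4.3.2 matches the Fixed column in this copy; the unchanged rows still concatenate "Vulnerable: ...Fixed: ..." without a separator, and the 2702519 row's "Fixed: 1.6.2-2+dev8u9" looks mistyped next to "Vulnerable: <= 1.6.3-2+deb8u8".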
@@ -4362,8 +4362,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
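Review bot: the new 3418046 row leaves releases 5.0.0 through 5.4.0 in neither column. The removed line listed `3.7.0-5.4.0` as affected; the added line lists only `3.7.0-4.3.1` while the Fixed column still carries `5.5.0-5.6.0`, which only makes sense if 5.x before 5.5.0 is affected. If that is still the case, Affects should read `3.7.0-4.3.1, 5.0.0-5.4.0`. Two presentation problems survive the edit as well: the literal `None` after `[3418046](#3418046)` (and after `[3216922](#3216922)`) looks like an empty field from the generator leaking into the Issue ID cell, and the 3376798 row is split over three physical lines (the `switchd[30158]: ...` log line and `MAC learning looks correct, ...` sit on their own lines), which breaks the markdown table row; join them with `<br>` so the row renders as one.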
@@ -4415,7 +4415,7 @@ pdfhidden: True
| [2705168](#2705168) | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16|
| [2702519](#2702519) | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16|
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
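Review bot: a context line rather than part of the change, but worth fixing while this table is being touched: the 2702519 libgcrypt row gives `Vulnerable: <= 1.6.3-2+deb8u8` and `Fixed: 1.6.2-2+dev8u9`. The fixed version has a lower upstream version than the vulnerable one (1.6.2 versus 1.6.3) and `dev8u9` instead of `deb8u9`, which reads as a typo; presumably `1.6.3-2+deb8u9` was meant. As written, an operator comparing `dpkg` output against the fixed string will never find a match.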
@@ -4602,8 +4602,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
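Review bot: per the hunk headers, this known-issues table (3418046, 3376798, 3330705, 3327477, 3216922) is edited identically at four places in the file (around lines 4362, 4602, 4835 and 4987) and the CVE table at four more (4415, 4655, 4888, 5040), with byte-identical rows in each copy. That means the 3418046 Affects change (old `3.7.0-5.4.0`, new `3.7.0-4.3.1` with Fixed still listing `5.5.0-5.6.0`, so 5.0.0-5.4.0 is now listed nowhere) is replicated into every copy; whichever record is corrected needs correcting in all of them, and it would be less error-prone to fix the rn.xml record and regenerate than to hand-edit eight tables.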
@@ -4655,7 +4655,7 @@ pdfhidden: True
| [2705168](#2705168) | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16|
| [2702519](#2702519) | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16|
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
@@ -4835,8 +4835,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
@@ -4888,7 +4888,7 @@ pdfhidden: True
| [2705168](#2705168) | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16|
| [2702519](#2702519) | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16|
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
@@ -4987,8 +4987,8 @@ pdfhidden: True
| Issue ID | Description | Affects | Fixed |
|--- |--- |--- |--- |
-| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0|
-| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | |
+| [3418046](#3418046) None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0|
+| [3376798](#3376798) | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5|
| [3330705](#3330705) | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0|
| [3327477](#3327477) | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | |
| [3216922](#3216922) None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0|
@@ -5040,7 +5040,7 @@ pdfhidden: True
| [2705168](#2705168) | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16|
| [2702519](#2702519) | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16|
| [2684404](#2684404) | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16|
-| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5|
+| [2679950](#2679950) | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5|
| [2677063](#2677063) | CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16|
| [2677061](#2677061) | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16|
| [2677060](#2677060) | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16|
diff --git a/content/cumulus-linux-37/rn.xml b/content/cumulus-linux-37/rn.xml
index 0532ee4e34..3d6bd99031 100644
--- a/content/cumulus-linux-37/rn.xml
+++ b/content/cumulus-linux-37/rn.xml
@@ -9,8 +9,8 @@
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
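Review bot: the affected field for 3418046 shrinks from `3.7.0-5.4.0` to `3.7.0-4.3.1` while the fixed field keeps `5.5.0-5.6.0` alongside the new `4.3.2-4.4.5`, so 5.0.0-5.4.0 is no longer listed as either affected or fixed. If 5.x before 5.5.0 still has the bug, keep those releases in the affected field (`3.7.0-4.3.1, 5.0.0-5.4.0`), using the same comma-separated form the fixed field already uses.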
@@ -19,8 +19,8 @@
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
If you try to use more than one percent of {{max-ecmp-nexthops}}, you get an error indicating a failure.
-
3.7.15-4.3.1
+
3.7.15-4.3.2
4.4.0-4.4.5
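Review bot: this hunk's context shows the 3376798 log line in the XML as `vlan <x>.<y> not yet ready`, but the markdown rows for the same issue elsewhere in this patch render it as `vlan . not yet ready`; the `<x>` and `<y>` placeholders are being swallowed as HTML tags when the record is turned into markdown. Escape them in the source (`&lt;x&gt;.&lt;y&gt;`, or wrap the whole log line in backticks) so the placeholders survive, otherwise a reader grepping switchd.log for the message will not recognise the VLAN token in the documented string.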
@@ -530,9 +530,9 @@ To work around this issue, increase the burst value of the ARP policers to 200 o
2555175
-
Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link.
-
3.7.15-3.7.16, 4.2.1-4.4.5
-
+
Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps.
+
3.7.15-4.3.1
+
4.3.2-4.4.5
2554785
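Review bot: the affected range for 2555175 collapses from `3.7.15-3.7.16, 4.2.1-4.4.5` to the single span `3.7.15-4.3.1`. Read the way the other ranges in this file are read, that implicitly adds 4.0.0-4.2.0 (which the old record did not list) and moves 4.4.0-4.4.5 from affected to fixed. Both should be confirmed against the tracker; if 4.0.0-4.2.0 are not affected, keep the two-range form (`3.7.15-3.7.16, 4.2.1-4.3.1`).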
@@ -893,7 +893,7 @@ If you flap the link with the {{ip link set vni10100 down; ip link set vni10100
2549371
When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive.
-
3.7.11-4.3.1
+
3.7.11-4.3.2
4.4.0-4.4.5
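Review bot: the range edit for 2549371 (affected 3.7.11-4.3.1 to 3.7.11-4.3.2, still fixed in 4.4.0-4.4.5) matches the other 4.3.2 carry-forward rows in this patch. While the record is being touched, the description's `when there is no MLD join receive` should read `when no MLD join has been received`.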
@@ -2361,7 +2361,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
2677063
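Review bot: the affected field now covers 4.0.0-4.3.2, but the `Vulnerable: <= 4.3.1-6-cl3.7.14u1` and `Fixed: 4.3.1-6-cl3.7.16u1` lines name only the cl3.7 package builds, so a 4.x operator has no package version to compare their installed dhclient/dhcpd package against. Add the cl4.x vulnerable and fixed builds, or state explicitly that on 4.x the only remedy is upgrading to 4.4.0 or later.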
@@ -2493,8 +2493,8 @@ Fixed: 6.8.9.9-5+deb8u24
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
@@ -2503,8 +2503,8 @@ Fixed: 6.8.9.9-5+deb8u24
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
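Review bot: the affected field for 3376798 changes from `3.7.0-3.7.16, 4.3.1-4.4.5` with no fix to `3.7.0-4.3.1` with `4.3.2-4.4.5` fixed. That flips 4.4.0-4.4.5 from affected to fixed and, because the span now runs continuously from 3.7.0 to 4.3.1, also adds 4.0.0-4.3.0 that the old record did not list. Both deserve a check against the tracker before publishing; if 4.0.0-4.3.0 are not affected, keep the two-range form (`3.7.0-3.7.16, 4.3.1`).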
@@ -3472,7 +3472,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
3.7.16, 4.4.0-4.4.5
@@ -3602,7 +3602,7 @@ Fixed: 0.4.1-1.2+deb8u1
2648658
If you try to use more than one percent of {{max-ecmp-nexthops}}, you get an error indicating a failure.
-
3.7.15-4.3.1
+
3.7.15-4.3.2
4.4.0-4.4.5
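Review bot: `If you try to use more than one percent of {{max-ecmp-nexthops}}, you get an error indicating a failure` is hard to act on: it names neither the command that fails nor the error text, and does not explain why one percent is the threshold. If the error appears once the configured number of ECMP next hops exceeds 1% of the max-ecmp-nexthops value, say so, quote the error, and state whether the configuration is rejected or routes are silently dropped. The range edit itself (3.7.15-4.3.1 to 3.7.15-4.3.2, still fixed in 4.4.0-4.4.5) is consistent with 4.3.2 carrying the bug.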
@@ -3691,9 +3691,9 @@ To work around this issue, increase the burst value of the ARP policers to 200 o
2555175
-
Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link.
-
3.7.15-3.7.16, 4.2.1-4.4.5
-
+
Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps.
+
3.7.15-4.3.1
+
4.3.2-4.4.5
2554785
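Review bot: the rewritten 2555175 description is clearer, but `down links` changes the meaning of the original `downlinks` (the leaf's host-facing ports, as opposed to links that are down); keep it as one word. `Hold Down timer` is normally written `hold-down timer`, and the new closing advice to correct layer 1 issues, configuration issues or misbehaving link partners is the useful part of the rewrite and should stay.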
@@ -4054,7 +4054,7 @@ If you flap the link with the {{ip link set vni10100 down; ip link set vni10100
2549371
When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive.
-
3.7.11-4.3.1
+
3.7.11-4.3.2
4.4.0-4.4.5
@@ -5043,7 +5043,7 @@ Fixed: 1.4.4-2+deb8u3
CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service.
Vulnerable: <= 2.8.0-cl3.7.15u2
Fixed: 2.8.0-cl3.7.15u3
-
3.7.14-3.7.14.2, 4.3.0-4.3.1
+
3.7.14-3.7.14.2, 4.3.0-4.3.2
2617009
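Review bot: the affected field for CVE-2020-12695 now reaches 4.3.2, but the `Vulnerable: <= 2.8.0-cl3.7.15u2` and `Fixed: 2.8.0-cl3.7.15u3` lines name only a cl3.7.15 hostapd build, so nothing here tells a 4.3.x operator which package build they have or which one carries the fix. Add the cl4.x vulnerable and fixed builds, or say that 4.x is fixed only from 4.4.0.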
@@ -5134,7 +5134,7 @@ Fixed: 0.99.beta19-2+deb8u2
2566880
CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.
-
3.7.14-3.7.14.2, 4.0.0-4.3.1
+
3.7.14-3.7.14.2, 4.0.0-4.3.2
2562511
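Review bot: unlike the neighbouring CVE records, the CVE-2021-27803 entry has no `Vulnerable:` or `Fixed:` package lines at all, so the affected range (now 3.7.14-3.7.14.2, 4.0.0-4.3.2) is the only thing an operator can check against. Add the wpa package bounds for both the cl3.7 and cl4.x builds, in the same form the CVE-2021-0326 record below uses for its vulnerable versions.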
@@ -5168,7 +5168,7 @@ To work around this issue, disable ARP suppression.
2556782
CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1
-
3.7.14-3.7.14.2, 4.0.0-4.3.1
+
3.7.14-3.7.14.2, 4.0.0-4.3.2
2556780
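Review bot: the CVE-2021-0326 record lists `Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1` but has no `Fixed:` line. With the affected range now extended to 4.3.2, the fixed 4.x build should be named, and if 4.3.0-4.3.2 ship a wpa build newer than cl4.2.1u1 that is still vulnerable, the 4.x vulnerable bound needs raising to that build, otherwise the `<= 2.8.0-cl4.2.1u1` bound contradicts the affected field.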
@@ -5472,8 +5472,8 @@ These messages are harmless and can be ignored.
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
@@ -5482,8 +5482,8 @@ These messages are harmless and can be ignored.
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
@@ -6137,7 +6137,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
3.7.16, 4.4.0-4.4.5
@@ -6309,7 +6309,7 @@ Fixed: 1.4.4-2+deb8u3
CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service.
Vulnerable: <= 2.8.0-cl3.7.15u2
Fixed: 2.8.0-cl3.7.15u3
-
3.7.14-3.7.14.2, 4.3.0-4.3.1
+
3.7.14-3.7.14.2, 4.3.0-4.3.2
3.7.15-3.7.16, 4.4.0-4.4.5
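Review bot: this copy of the CVE-2020-12695 record makes an inconsistency visible: the fixed field lists `3.7.15-3.7.16`, yet the vulnerable bound is `<= 2.8.0-cl3.7.15u2`, a 3.7.15 build, with the fix in `2.8.0-cl3.7.15u3`. Either 3.7.15 shipped u2 and belongs in the affected field (currently `3.7.14-3.7.14.2, 4.3.0-4.3.2`), or 3.7.15 shipped u3 from the start and the vulnerable bound should name the 3.7.14 build instead; please reconcile the two before publishing.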
@@ -6420,7 +6420,7 @@ Fixed: 0.99.beta19-2+deb8u2
2566880
CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.
-
3.7.14-3.7.14.2, 4.0.0-4.3.1
+
3.7.14-3.7.14.2, 4.0.0-4.3.2
3.7.15-3.7.16, 4.4.0-4.4.5
@@ -6465,7 +6465,7 @@ To work around this issue, disable ARP suppression.
2556782
CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1
-
3.7.14-3.7.14.2, 4.0.0-4.3.1
+
3.7.14-3.7.14.2, 4.0.0-4.3.2
3.7.15-3.7.16, 4.4.0-4.4.5
@@ -7108,7 +7108,7 @@ If you flap the link with the {{ip link set vni10100 down; ip link set vni10100
2549371
When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive.
-
3.7.11-4.3.1
+
3.7.11-4.3.2
4.4.0-4.4.5
@@ -8160,8 +8160,8 @@ You can see the temperature reading in the output of the {{sensors}} command.
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
@@ -8170,8 +8170,8 @@ You can see the temperature reading in the output of the {{sensors}} command.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
@@ -8782,7 +8782,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
3.7.16, 4.4.0-4.4.5
@@ -8943,7 +8943,7 @@ Fixed: 1.4.4-2+deb8u3
CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service.
Vulnerable: <= 2.8.0-cl3.7.15u2
Fixed: 2.8.0-cl3.7.15u3
-
3.7.14-3.7.14.2, 4.3.0-4.3.1
+
3.7.14-3.7.14.2, 4.3.0-4.3.2
3.7.15-3.7.16, 4.4.0-4.4.5
@@ -9048,7 +9048,7 @@ Fixed: 0.99.beta19-2+deb8u2
2566880
CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.
-
3.7.14-3.7.14.2, 4.0.0-4.3.1
+
3.7.14-3.7.14.2, 4.0.0-4.3.2
3.7.15-3.7.16, 4.4.0-4.4.5
@@ -9087,7 +9087,7 @@ To work around this issue, disable ARP suppression.
2556782
CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1
-
3.7.14-3.7.14.2, 4.0.0-4.3.1
+
3.7.14-3.7.14.2, 4.0.0-4.3.2
3.7.15-3.7.16, 4.4.0-4.4.5
@@ -9792,7 +9792,7 @@ If you flap the link with the {{ip link set vni10100 down; ip link set vni10100
2549371
When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive.
-
3.7.11-4.3.1
+
3.7.11-4.3.2
4.4.0-4.4.5
@@ -11214,8 +11214,8 @@ To work around this issue, modify the routing design or policy such that routes
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
@@ -11224,8 +11224,8 @@ To work around this issue, modify the routing design or policy such that routes
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
@@ -11836,7 +11836,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive.
-
3.7.11-4.3.1
+
3.7.11-4.3.2
4.4.0-4.4.5
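Review bot: as shown, this hunk runs two unrelated entries together. It opens with the three CVE-2021-25217 package lines but lacks the `3.7.0-3.7.15, 4.0.0-4.3.1` to `4.0.0-4.3.2` range change that every other copy of that row receives, and the OMF description for 2549371 follows with no issue-ID line before it. If the patch really reads this way it will not apply cleanly; regenerate the hunk from the working tree and check that the CVE-2021-25217 row at this position also gets its 4.3.2 update.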
@@ -14323,8 +14323,8 @@ Typically, the destination MAC address 01:00:5e:xx:xx:xx is used only for PIM/IG
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
@@ -14333,8 +14333,8 @@ Typically, the destination MAC address 01:00:5e:xx:xx:xx is used only for PIM/IG
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
@@ -14938,7 +14938,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
3.7.16, 4.4.0-4.4.5
@@ -15928,7 +15928,7 @@ To work around this issue, revert the configuration change.
2549371
When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive.
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
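Review bot: as shown, the 2549371 OMF description is immediately followed by the 3418046 MLAG description with no issue-ID line between them, the OMF row gets no range change here even though every other 2549371 hunk moves `3.7.11-4.3.1` to `3.7.11-4.3.2`, and the MLAG range change has the same gap as the other 3418046 hunks (5.0.0-5.4.0 vanish from both columns). Regenerate the hunk and apply the 2549371 and 3418046 fixes at this position too.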
@@ -17407,8 +17407,8 @@ net.ipv6.ip6frag_high_thresh = 262144
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
@@ -17834,7 +17834,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
3.7.16, 4.4.0-4.4.5
@@ -18274,7 +18274,7 @@ To work around this issue, revert the configuration change.
2549371
When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive.
-
3.7.11-4.3.1
+
3.7.11-4.3.2
4.4.0-4.4.5
@@ -20098,8 +20098,8 @@ To work around this issue, use {{net show interface}} command for LLDP output wh
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
@@ -20108,8 +20108,8 @@ To work around this issue, use {{net show interface}} command for LLDP output wh
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
@@ -20535,7 +20535,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
3.7.16, 4.4.0-4.4.5
@@ -22330,8 +22330,8 @@ To work around this issue, use {{net show interface}} command for LLDP output wh
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
@@ -22340,8 +22340,8 @@ To work around this issue, use {{net show interface}} command for LLDP output wh
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
@@ -22760,7 +22760,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
3.7.16, 4.4.0-4.4.5
@@ -24883,8 +24883,8 @@ To work around this issue, run the {{sudo ethtool -S swp1}} command to collect i
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
@@ -24893,8 +24893,8 @@ To work around this issue, run the {{sudo ethtool -S swp1}} command to collect i
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
@@ -25313,7 +25313,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
3.7.16, 4.4.0-4.4.5
@@ -26863,8 +26863,8 @@ To work around this issue, use {{net show interface}} command for LLDP output wh
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
@@ -26873,8 +26873,8 @@ To work around this issue, use {{net show interface}} command for LLDP output wh
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
@@ -27293,7 +27293,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
3.7.16, 4.4.0-4.4.5
@@ -29182,8 +29182,8 @@ If you need link pause or PFC functionality, you must use a switch that does not
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
@@ -29192,8 +29192,8 @@ If you need link pause or PFC functionality, you must use a switch that does not
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
@@ -29612,7 +29612,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
3.7.16, 4.4.0-4.4.5
@@ -31246,8 +31246,8 @@ This issue was discovered on the Helix4 switch but applies to all switches.
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
@@ -31256,8 +31256,8 @@ This issue was discovered on the Helix4 switch but applies to all switches.
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
@@ -31676,7 +31676,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
3.7.16, 4.4.0-4.4.5
@@ -32955,8 +32955,8 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
@@ -32965,8 +32965,8 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
@@ -33385,7 +33385,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
3.7.16, 4.4.0-4.4.5
@@ -34691,8 +34691,8 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
@@ -34701,8 +34701,8 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
@@ -35121,7 +35121,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
3.7.16, 4.4.0-4.4.5
@@ -36527,8 +36527,8 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
@@ -36537,8 +36537,8 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
@@ -36957,7 +36957,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
3.7.16, 4.4.0-4.4.5
@@ -38406,8 +38406,8 @@ Permanent MAC address sync between MLAG peers is now supported.
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
@@ -38416,8 +38416,8 @@ Permanent MAC address sync between MLAG peers is now supported.
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
@@ -38836,7 +38836,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
3.7.16, 4.4.0-4.4.5
@@ -39598,8 +39598,8 @@ To work around this issue, remove the matching {{network}} statement.
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
-
3.7.0-5.4.0
-
5.5.0-5.6.0
+
3.7.0-4.3.1
+
4.3.2-4.4.5, 5.5.0-5.6.0
3376798
@@ -39608,8 +39608,8 @@ To work around this issue, remove the matching {{network}} statement.
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
MAC learning looks correct, but traffic does not flow as expected.
-
3.7.0-3.7.16, 4.3.1-4.4.5
-
+
3.7.0-4.3.1
+
4.3.2-4.4.5
3330705
@@ -40028,7 +40028,7 @@ Fixed: 1.6.2-5+deb8u9
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
-
3.7.0-3.7.15, 4.0.0-4.3.1
+
3.7.0-3.7.15, 4.0.0-4.3.2
3.7.16, 4.4.0-4.4.5
diff --git a/content/cumulus-linux-40/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree.md b/content/cumulus-linux-40/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree.md
index 9ad72feee0..f8cdd50a41 100644
--- a/content/cumulus-linux-40/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree.md
+++ b/content/cumulus-linux-40/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree.md
@@ -48,7 +48,7 @@ RSTP works with MST seamlessly, creating a single instance of spanning tree that
RSTP treats the MST domain as one giant switch, whereas MST treats the RSTP domain as a different region. To enable proper communication between the regions, MST creates a Common Spanning Tree (CST) that connects all the boundary switches and forms the overall view of the MST domain. Because changes in the CST need to be reflected in all regions, the RSTP tree is included in the CST to ensure that changes on the RSTP domain are reflected in the CST domain. This does cause topology changes on the RSTP domain to impact the rest of the network but keeps the MST domain informed of every change occurring in the RSTP domain, ensuring a loop-free network.
-Configure the root bridge within the MST domain by changing the priority on the relevant MST switch. When MST detects an RSTP link, it falls back into RSTP mode. The MST domain choses the switch with the lowest cost to the CST root bridge as the CIST root bridge.
+Configure the root bridge within the MST domain by changing the priority on the relevant MST switch. When MST detects an RSTP link, it falls back into RSTP mode. The MST domain chooses the switch with the lowest cost to the CST root bridge as the CIST root bridge.
### RSTP with MLAG
diff --git a/content/cumulus-linux-40/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md b/content/cumulus-linux-40/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md
index a98e894dd8..3ad931decb 100644
--- a/content/cumulus-linux-40/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md
+++ b/content/cumulus-linux-40/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md
@@ -391,7 +391,7 @@ cumulus@switch:~$ net add bgp neighbor swp51 remove-private-AS replace-AS
## ECMP
-BGP supports equal-cost multipathing ({{}}). If a BGP node hears a certain prefix from multiple peers, it has all the information necessary to program the routing table and forward traffic for that prefix through all of these peers. BGP typically choses one best path for each prefix and installs that route in the forwarding table.
+BGP supports equal-cost multipathing ({{}}). If a BGP node hears a certain prefix from multiple peers, it has all the information necessary to program the routing table and forward traffic for that prefix through all of these peers. BGP typically chooses one best path for each prefix and installs that route in the forwarding table.
In Cumulus Linux, the *BGP multipath* option is enabled by default with the maximum number of paths set to 64 so that the switch can install multiple equal-cost BGP paths to the forwarding table and load balance traffic across multiple links. You can change the number of paths allowed, according to your needs.
diff --git a/content/cumulus-linux-40/Layer-3/Policy-based-Routing.md b/content/cumulus-linux-40/Layer-3/Policy-based-Routing.md
index 01935433cd..65ce75cffc 100644
--- a/content/cumulus-linux-40/Layer-3/Policy-based-Routing.md
+++ b/content/cumulus-linux-40/Layer-3/Policy-based-Routing.md
@@ -30,7 +30,7 @@ A PBR policy contains one or more policy maps. Each policy map:
- To match on a source and destination address, a policy map can contain both match source and match destination IP rules.
- A set rule determines the PBR next hop for the policy. The set rule can contain a single next hop IP address or it can contain a next hop group. A next hop group has more than one next hop IP address so that you can use multiple interfaces to forward traffic. To use ECMP, you configure a next hop group.
-To use PBR in Cumulus linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Traffic is matched against the match rules in sequential order and forwarded according to the set rule in the first match. Traffic that does not match any rule is passed onto the normal destination based routing mechanism.
+To use PBR in Cumulus Linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Traffic is matched against the match rules in sequential order and forwarded according to the set rule in the first match. Traffic that does not match any rule is passed onto the normal destination based routing mechanism.
{{%notice note%}}
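Review bot: the `+` line still reads `passed onto the normal destination based routing mechanism`; since the sentence is being edited anyway, change `passed onto` to `passed on to` and hyphenate `destination-based routing`.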
diff --git a/content/cumulus-linux-40/Layer-3/Routing.md b/content/cumulus-linux-40/Layer-3/Routing.md
index dcc50c58cd..a7b6a9c726 100644
--- a/content/cumulus-linux-40/Layer-3/Routing.md
+++ b/content/cumulus-linux-40/Layer-3/Routing.md
@@ -468,7 +468,7 @@ When {{}}). If a BGP node hears a certain prefix from multiple peers, it has all the information necessary to program the routing table and forward traffic for that prefix through all of these peers. BGP typically choses one best path for each prefix and installs that route in the forwarding table.
+BGP supports equal-cost multipathing ({{}}). If a BGP node hears a certain prefix from multiple peers, it has all the information necessary to program the routing table and forward traffic for that prefix through all of these peers. BGP typically chooses one best path for each prefix and installs that route in the forwarding table.
In Cumulus Linux, the *BGP multipath* option is enabled by default with the maximum number of paths set to 64 so that the switch can install multiple equal-cost BGP paths to the forwarding table and load balance traffic across multiple links. You can change the number of paths allowed, according to your needs.
diff --git a/content/cumulus-linux-41/Layer-3/Policy-based-Routing.md b/content/cumulus-linux-41/Layer-3/Policy-based-Routing.md
index 78b6377506..f700e2525b 100644
--- a/content/cumulus-linux-41/Layer-3/Policy-based-Routing.md
+++ b/content/cumulus-linux-41/Layer-3/Policy-based-Routing.md
@@ -30,7 +30,7 @@ A PBR policy contains one or more policy maps. Each policy map:
- To match on a source and destination address, a policy map can contain both match source and match destination IP rules.
- A set rule determines the PBR next hop for the policy. The set rule can contain a single next hop IP address or it can contain a next hop group. A next hop group has more than one next hop IP address so that you can use multiple interfaces to forward traffic. To use ECMP, you configure a next hop group.
-To use PBR in Cumulus linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Traffic is matched against the match rules in sequential order and forwarded according to the set rule in the first match. Traffic that does not match any rule is passed onto the normal destination based routing mechanism.
+To use PBR in Cumulus Linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Traffic is matched against the match rules in sequential order and forwarded according to the set rule in the first match. Traffic that does not match any rule is passed onto the normal destination based routing mechanism.
{{%notice note%}}
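Review bot: same wording issue as the 4.0 copy of this page: the `+` line keeps `passed onto the normal destination based routing mechanism`. Use `passed on to` and `destination-based routing` here as well so the three versions of the PBR page stay identical.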
diff --git a/content/cumulus-linux-41/Layer-3/Routing.md b/content/cumulus-linux-41/Layer-3/Routing.md
index 07c01ef194..ddbbc44da5 100644
--- a/content/cumulus-linux-41/Layer-3/Routing.md
+++ b/content/cumulus-linux-41/Layer-3/Routing.md
@@ -505,7 +505,7 @@ When {{}}). If a BGP node hears a certain prefix from multiple peers, it has all the information necessary to program the routing table and forward traffic for that prefix through all of these peers. BGP typically choses one best path for each prefix and installs that route in the forwarding table.
+BGP supports equal-cost multipathing ({{}}). If a BGP node hears a certain prefix from multiple peers, it has all the information necessary to program the routing table and forward traffic for that prefix through all of these peers. BGP typically chooses one best path for each prefix and installs that route in the forwarding table.
In Cumulus Linux, the *BGP multipath* option is enabled by default with the maximum number of paths set to 64 so that the switch can install multiple equal-cost BGP paths to the forwarding table and load balance traffic across multiple links. You can change the number of paths allowed, according to your needs.
diff --git a/content/cumulus-linux-42/Layer-3/Routing/Policy-based-Routing.md b/content/cumulus-linux-42/Layer-3/Routing/Policy-based-Routing.md
index ba46216b8e..6680e865a8 100644
--- a/content/cumulus-linux-42/Layer-3/Routing/Policy-based-Routing.md
+++ b/content/cumulus-linux-42/Layer-3/Routing/Policy-based-Routing.md
@@ -30,7 +30,7 @@ A PBR policy contains one or more policy maps. Each policy map:
- To match on a source and destination address, a policy map can contain both match source and match destination IP rules.
- A set rule determines the PBR next hop for the policy. The set rule can contain a single next hop IP address or it can contain a next hop group. A next hop group has more than one next hop IP address so that you can use multiple interfaces to forward traffic. To use ECMP, you configure a next hop group.
-To use PBR in Cumulus linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Traffic is matched against the match rules in sequential order and forwarded according to the set rule in the first match. Traffic that does not match any rule is passed onto the normal destination based routing mechanism.
+To use PBR in Cumulus Linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Traffic is matched against the match rules in sequential order and forwarded according to the set rule in the first match. Traffic that does not match any rule is passed onto the normal destination based routing mechanism.
{{%notice note%}}
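Review bot: the `+` line keeps `passed onto the normal destination based routing mechanism`; while this sentence is being touched, change it to `passed on to the normal destination-based routing mechanism`, matching the fix suggested for the 4.0 and 4.1 copies.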
diff --git a/content/cumulus-linux-42/Layer-3/Routing/Supported-Route-Table-Entries.md b/content/cumulus-linux-42/Layer-3/Routing/Supported-Route-Table-Entries.md
index b94b50e521..1df5e196ab 100644
--- a/content/cumulus-linux-42/Layer-3/Routing/Supported-Route-Table-Entries.md
+++ b/content/cumulus-linux-42/Layer-3/Routing/Supported-Route-Table-Entries.md
@@ -46,10 +46,8 @@ After you specify a different profile, {{%link url="Configuring-switchd#restart-
The following tables list the number of MAC addresses, layer 3 neighbors, and LPM routes validated for each forwarding table profile for supported platforms. If you do not specify any profiles as described above, the switch uses the *default* values.
-{{%notice tip%}}
-
-The values in the following tables reflect results from testing on supported platforms, which might differ from published manufacturer specifications.
-
+{{%notice note%}}
+The values provided in the profiles below are the maximum values that Cumulus Linux software allocates; the theoretical hardware limits might be higher. These limits refer to values that have been validated as part of the unidimensional scale validation. If you try to achieve maximum scalability with multiple features enabled, results might differ from the values listed in this guide.
{{%/notice%}}
### Mellanox Spectrum Switches
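Review bot: the replacement notice changes what the table values mean, not just the notice type. The removed tip said the values are test results that may differ from manufacturer specifications; the new note says they are the maximum values the software allocates, with hardware limits possibly higher, and then in the next sentence calls them values validated in unidimensional scale validation. An allocation cap and a validated limit are different quantities, and the sentence just above the notice (`validated for each forwarding table profile`) uses the second meaning. Pick one reading: either keep `validated` and drop `allocates`, or, if these are really software allocation caps, say so consistently and drop the validation wording.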
@@ -129,4 +127,4 @@ When {{}}
-{{< tab "Upgrade to Cumulus Linux 4.3.1 ">}}
+{{< tab "Upgrade to Cumulus Linux 4.3.1 and later ">}}
To ensure that 4.3.1 package update is available only for Broadcom switches, you must either run `apt update` and `apt upgrade` twice *or* manually edit the `sources.list` file, then run `apt update` and `apt upgrade` once. Both procedures are below.
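Review bot: the tab title becomes `Upgrade to Cumulus Linux 4.3.1 and later`, but the first sentence under it still says `To ensure that 4.3.1 package update is available only for Broadcom switches`, so the body contradicts the new title for anyone upgrading to 4.3.2. Reword the sentence to match (for example `the 4.3.1 and later package updates`) or explain why the Broadcom-only restriction applies to 4.3.1 specifically. Minor: the sentence is also missing an article before `4.3.1 package update`.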
diff --git a/content/cumulus-linux-43/Layer-1-and-Switch-Ports/DHCP/DHCP-Relays.md b/content/cumulus-linux-43/Layer-1-and-Switch-Ports/DHCP/DHCP-Relays.md
index 5080ade623..9b7617b8c2 100644
--- a/content/cumulus-linux-43/Layer-1-and-Switch-Ports/DHCP/DHCP-Relays.md
+++ b/content/cumulus-linux-43/Layer-1-and-Switch-Ports/DHCP/DHCP-Relays.md
@@ -109,7 +109,7 @@ NCLU commands are not currently available to configure IPv6 relays. Use the Linu
## Optional Configuration
-This section describes optional DHCP relay configuration. The steps provided in this section assume that you already done basic DHCP relay configuration, described above.
+This section describes optional DHCP relay configurations. The steps provided in this section assume that you have already configured basic DHCP relay, as described above.
### DHCP Agent Information Option (Option 82)
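Review bot: in the `+` line, "assume that you have already configured basic DHCP relay" reads as if a noun were missing; suggest "assume that you have already completed the basic DHCP relay configuration described above." The same line changes "configuration" to "configurations" in the first sentence while the second sentence still treats it as singular; pick one form for both.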
diff --git a/content/cumulus-linux-43/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree.md b/content/cumulus-linux-43/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree.md
index f704f3781e..2848b32c55 100644
--- a/content/cumulus-linux-43/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree.md
+++ b/content/cumulus-linux-43/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree.md
@@ -48,7 +48,7 @@ RSTP works with MST seamlessly, creating a single instance of spanning tree that
RSTP treats the MST domain as one giant switch, whereas MST treats the RSTP domain as a different region. To enable proper communication between the regions, MST creates a Common Spanning Tree (CST) that connects all the boundary switches and forms the overall view of the MST domain. Because changes in the CST need to be reflected in all regions, the RSTP tree is included in the CST to ensure that changes on the RSTP domain are reflected in the CST domain. This does cause topology changes on the RSTP domain to impact the rest of the network but keeps the MST domain informed of every change occurring in the RSTP domain, ensuring a loop-free network.
-Configure the root bridge within the MST domain by changing the priority on the relevant MST switch. When MST detects an RSTP link, it falls back into RSTP mode. The MST domain choses the switch with the lowest cost to the CST root bridge as the CIST root bridge.
+Configure the root bridge within the MST domain by changing the priority on the relevant MST switch. When MST detects an RSTP link, it falls back into RSTP mode. The MST domain chooses the switch with the lowest cost to the CST root bridge as the CIST root bridge.
### RSTP with MLAG
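Review bot: the typo fix ("choses" to "chooses") is correct, but the corrected line says "the switch with the lowest cost to the CST root bridge as the CIST root bridge" while the preceding context paragraph defines only CST (Common Spanning Tree); within the visible context CIST is never expanded, so readers may read CST and CIST as a typo of each other. Expand it on first use as the Common and Internal Spanning Tree (CIST) and, ideally, say in one clause how it relates to the CST defined above.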
diff --git a/content/cumulus-linux-43/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md b/content/cumulus-linux-43/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md
index fdf3258a2c..11058b05c2 100644
--- a/content/cumulus-linux-43/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md
+++ b/content/cumulus-linux-43/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md
@@ -634,7 +634,7 @@ Total number of neighbors 1
## ECMP
-BGP supports equal-cost multipathing ({{}}). If a BGP node hears a certain prefix from multiple peers, it has all the information necessary to program the routing table and forward traffic for that prefix through all of these peers. BGP typically choses one best path for each prefix and installs that route in the forwarding table.
+BGP supports equal-cost multipathing ({{}}). If a BGP node hears a certain prefix from multiple peers, it has all the information necessary to program the routing table and forward traffic for that prefix through all of these peers. BGP typically chooses one best path for each prefix and installs that route in the forwarding table.
In Cumulus Linux, the *BGP multipath* option is enabled by default with the maximum number of paths set to 64 so that the switch can install multiple equal-cost BGP paths to the forwarding table and load balance traffic across multiple links. You can change the number of paths allowed, according to your needs.
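Review bot: the typo fix is correct, but the resulting sentence "BGP typically chooses one best path for each prefix and installs that route in the forwarding table" sits immediately before the unchanged context line stating that the multipath option is enabled by default with up to 64 paths, which reads as a contradiction; qualify the first sentence, for example "Without multipath, BGP chooses one best path for each prefix", so the default-on behavior in the next paragraph follows naturally.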
diff --git a/content/cumulus-linux-43/Layer-3/Routing/Policy-based-Routing.md b/content/cumulus-linux-43/Layer-3/Routing/Policy-based-Routing.md
index ea5ef8dcdf..b17ea06cc5 100644
--- a/content/cumulus-linux-43/Layer-3/Routing/Policy-based-Routing.md
+++ b/content/cumulus-linux-43/Layer-3/Routing/Policy-based-Routing.md
@@ -30,7 +30,7 @@ A PBR policy contains one or more policy maps. Each policy map:
- To match on a source and destination address, a policy map can contain both match source and match destination IP rules.
- A set rule determines the PBR next hop for the policy. The set rule can contain a single next hop IP address or it can contain a next hop group. A next hop group has more than one next hop IP address so that you can use multiple interfaces to forward traffic. To use ECMP, you configure a next hop group.
-To use PBR in Cumulus linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Traffic is matched against the match rules in sequential order and forwarded according to the set rule in the first match. Traffic that does not match any rule is passed onto the normal destination based routing mechanism.
+To use PBR in Cumulus Linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Traffic is matched against the match rules in sequential order and forwarded according to the set rule in the first match. Traffic that does not match any rule is passed onto the normal destination based routing mechanism.
{{%notice note%}}
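Review bot: the capitalization fix ("Cumulus linux" to "Cumulus Linux") is correct; while touching this line, "passed onto the normal destination based routing mechanism" should read "passed on to the normal destination-based routing mechanism" ("onto" is the wrong preposition and the compound modifier needs a hyphen). The parenthetical "the interface must already have an IP address assigned" is a precondition for the whole procedure, so consider stating it as its own sentence rather than inside parentheses.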
diff --git a/content/cumulus-linux-43/Layer-3/Routing/Supported-Route-Table-Entries.md b/content/cumulus-linux-43/Layer-3/Routing/Supported-Route-Table-Entries.md
index 39fe19ebdb..869361b9bf 100644
--- a/content/cumulus-linux-43/Layer-3/Routing/Supported-Route-Table-Entries.md
+++ b/content/cumulus-linux-43/Layer-3/Routing/Supported-Route-Table-Entries.md
@@ -46,10 +46,8 @@ After you specify a different profile, {{%link url="Configuring-switchd#restart-
The following tables list the number of MAC addresses, layer 3 neighbors, and LPM routes validated for each forwarding table profile for supported platforms. If you do not specify any profiles as described above, the switch uses the *default* values.
-{{%notice tip%}}
-
-The values in the following tables reflect results from testing on supported platforms, which might differ from published manufacturer specifications.
-
+{{%notice note%}}
+The values provided in the profiles below are the maximum values that Cumulus Linux software allocates; the theoretical hardware limits might be higher. These limits refer to values that have been validated as part of the unidimensional scale validation. If you try to achieve maximum scalability with multiple features enabled, results might differ from the values listed in this guide.
{{%/notice%}}
### Mellanox Spectrum Switches
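Review bot: this hunk is identical to the cumulus-linux-42 change earlier in the patch, so the same wording issue applies: the `+` line says "the profiles below" while the unchanged context line above it refers to "the following tables" that list values per profile; make the two agree. Since the note is now duplicated verbatim across version directories, consider keeping it in a shared snippet, or at least confirm that every other version directory still carrying the old `{{%notice tip%}}` wording is updated in the same change (only 4.2 and 4.3 are touched here).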
@@ -129,4 +127,4 @@ When {{MIB Name | Suggested Uses |
| -------- | -------------- |
| {{}} {{}} {{}} {{}} | You can enable FRRouting SNMP support to provide support for OSPF-MIB (RFC-1850), OSPFV3-MIB (RFC-5643), and BGP4-MIB (RFC-1657). See the FRRouting section above. |
-| {{}} | Cumulus Linux also includes its own BGP unnumbered MIB for BGP unnumbered peers, defined in `/usr/share/snmp/mibs/Cumulus-BGPUN-MIB.txt`, which has the OID `1.3.6.1.4.1.40310.7`. CUMULUS-BGPVRF-MIB replaces CUMULUS-BGPUN-MIB.|
+| {{}} | Cumulus Linux also includes its own BGP unnumbered MIB for BGP unnumbered peers, defined in `/usr/share/snmp/mibs/Cumulus-BGPUN-MIB.txt`, which has the OID `1.3.6.1.4.1.40310.7`.|
| {{}} | Discard counters: Cumulus Linux also includes its own counters MIB, defined in `/usr/share/snmp/mibs/Cumulus-Counters-MIB.txt`. It has the OID `.1.3.6.1.4.1.40310.2`. |
| {{}} | The custom {{}} defined in the `/usr/share/snmp/mibs/Cumulus-POE-MIB.txt` file. For devices that provide PoE, this provides users with the system wide power information in `poeSystemValues` as well as per interface `PoeObjectsEntry` values for the `poeObjectsTable`. Most of this information comes from the `poectl` command. To enable this MIB, uncomment the following line in `/etc/snmp/snmpd.conf`:
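Review bot: the `+` row drops the sentence "CUMULUS-BGPVRF-MIB replaces CUMULUS-BGPUN-MIB." without any explanation in the visible patch; if the BGPVRF MIB still ships in 4.3 and supersedes the unnumbered MIB, removing the pointer means readers no longer learn that the newer MIB exists and keep using the `1.3.6.1.4.1.40310.7` subtree, so either keep the sentence or state in the commit message why it no longer applies to this release. Minor: the row now ends in `.|` without the space before the pipe that the other rows in the table use.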