+
+ Issue ID |
+ Description |
+ Affects |
+ Fixed |
+
+
+3418046 |
+If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. |
+3.7.0-4.3.1 |
+4.3.2-4.4.5, 5.5.0-5.6.0 |
+
+
+3376798 |
+On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during {{switchd}} restart. The {{/var/log/switchd.log}} file includes the following exception logs shortly after {{switchd}} restarts:
+
+switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready
+
+MAC learning looks correct, but traffic does not flow as expected. |
+3.7.0-4.3.1 |
+4.3.2-4.4.5 |
+
+
+3330705 |
+When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the {{prefer_ip_version}} configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. |
+3.7.0-5.3.1 |
+5.4.0-5.6.0 |
+
+
+3327477 |
+If you use {{su}} to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run {{sudo}} commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. |
+3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 |
+ |
+
+
+3216922 |
+RADIUS authenticated users with read-only access to NCLU commands (users in the {{users_with_show}} list) can run edit commands if a username for a non-local account is on the {{users_with_edit}} line of the {{/etc/netd.conf}} file. To work around this issue, make sure that all usernames on the {{users_with_edit}} line of the {{/etc/netd.conf}} file are configured local users for the system (real Linux users). |
+3.7.0-5.2.1 |
+5.3.0-5.6.0 |
+
+
+3216921 |
+RADIUS authenticated users with read-only access to NCLU commands (users in the {{users_with_show}} list) can run edit commands if a username for a non-local account is on the {{users_with_edit}} line of the {{/etc/netd.conf}} file. To work around this issue, make sure that all usernames on the {{users_with_edit}} line of the {{/etc/netd.conf}} file are configured local users for the system (real Linux users).
+ |
+3.7.0-3.7.16, 4.3.0-4.4.5 |
+ |
+
+
+3209699 |
+RADIUS authenticated users with read-only access to NCLU commands (users in the {{users_with_show}} list) can run edit commands if a username for a non-local account is on the {{users_with_edit}} line of the {{/etc/netd.conf}} file. To work around this issue, make sure that all usernames on the {{users_with_edit}} line of the {{/etc/netd.conf}} file are configured local users for the system (real Linux users).
+
+ |
+3.7.0-4.3.0, 4.4.0-5.2.1 |
+4.3.1, 5.3.0-5.6.0 |
+
+
+2959454 |
+CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact.
+Vulnerable: <= 2.1.0-6+deb8u6
+Fixed: 2.1.0-6+deb8u7 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2959444 |
+CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information.
+Vulnerable: <= 4.2-3+deb8u4
+Fixed: 4.2-3+deb8u5 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2957684 |
+CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability.
+Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3
+Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2949602 |
+CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2949586 |
+CVE-2022-21699: ipython may execute untrusted files in the current working directory.
+Vulnerable: 2.3.0-2
+Fixed: 2.3.0-2+deb8u1 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2949585 |
+CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2949584 |
+CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service.
+Vulnerable: <= 3.26-1+debu8u15
+Fixed: 3.26-1+debu8u16 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2941560 |
+CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.
+Vulnerable: <= 9.26a~dfsg-0+deb8u7
+Fixed: 9.26a~dfsg-0+deb8u |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2910862 |
+CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value "zzip_file_read" in the function "unzzip_cat_file".
+Vulnerable: <= 0.13.62-3+deb8u2
+Fixed: 0.13.62-3+deb8u3 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2910861 |
+CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse.
+CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods.
+Vulnerable: <= 2.1.5-2+deb8u12
+Fixed: 2.1.5-2+deb8u13 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2885241 |
+CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code.
+Vulnerable: <= 3.26-1+debu8u13
+Fixed: 3.26-1+debu8u14 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2885239 |
+CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.
+Vulnerable: 6.0.0+dfsg-6 on armel platform
+Fixed: 6.0.0+dfsg-6+deb8u1 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2885238 |
+The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:
+CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data.
+CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response.
+CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash.
+Vulnerable: <= 5.43-2+deb9u2~deb8u3
+Fixed: 5.43-2+deb9u2~deb8u4 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2866111 |
+CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2862269 |
+CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client's queries when a connection is first established.
+Vulnerable: <= 9.4.26-0+deb8u4
+Fixed: 9.4.26-0+deb8u5 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2855881 |
+A number of vulnerabilities were discovered in Redis, a popular key/value database:
+CVE-2021-32672: Random heap reading issue with Lua Debugger.
+CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value.
+CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections.
+CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow.
+Vulnerable: <= 2:2.8.17-1+deb8u8
+Fixed: 2:2.8.17-1+deb8u9 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2855879 |
+The following vulnerabilities have been announced in the python3.4 package:
+CVE-2021-3426: Running 'pydoc -p' allows other local users to extract arbitrary files. The '/getfile?key=path' URL allows to read arbitrary file on the filesystem.
+CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexity
+and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
+CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a '100 Continue' HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server.
+Vulnerable: <= 3.4.2-1+deb8u10
+Fixed: 3.4.2-1+deb8u11 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2850806 |
+CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts).
+Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22
+Fixed: 1:9.9.5.dfsg-9+deb8u23 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2845540 |
+CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling.
+Vulnerable: <= 1.7.5-11+deb8u8
+Fixed: 1.7.5-11+deb8u9 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2841003 |
+CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference.
+Vulnerable: <= 0.13-4~deb8u2
+Fixed: 0.13-4~deb8u3 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2835994 |
+CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function.
+Vulnerable: <= 1.0.1t-1+deb8u15
+Fixed: 1.0.1t-1+deb8u16 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2823255 |
+CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode).
+Vulnerable: <= 52.1-8+deb8u8
+Fixed: 52.1-8+deb8u9 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2821981 |
+The following vulnerabilities have been announced in the ruby2.1 package:
+CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename.
+CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).
+CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
+Vulnerable: <= 2.1.5-2+deb8u11
+Fixed: 2.1.5-2+deb8u12 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2820758 |
+The following vulnerabilities have been announced in curl:
+CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected.
+CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data.
+Vulnerable: <= 7.38.0-4+deb8u21
+Fixed: 7.38.0-4+deb8u22 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2813826 |
+Two security issues were found in TIFF, a widely used format for storing image data, as follows:
+CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the "invertImage()" function in the component "tiffcrop".
+CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the 'in _TIFFmemcpy' funtion in the component 'tif_unix.c'.
+Vulnerable: <= 4.0.3-12.3+deb8u11
+Fixed: 4.0.3-12.3+deb8u12 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2813823 |
+Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash.
+CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer.
+CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may.
+CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user.
+Vulnerable: <= 2.4.10-10+deb8u18
+Fixed: 2.4.10-10+deb8u19 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2801126 |
+CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures.
+Vulnerable: <= 2.7.1-5+deb8u2
+Fixed: 2.7.1-5+deb8u3 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2801125 |
+OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01.
+Vulnerable: <= 1.0.1t-1+deb8u14
+Fixed: 1.0.1t-1+deb8u15 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2801124 |
+GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01.
+Vulnerable: <= 3.3.30-0+deb8u1
+Fixed: 3.3.30-0+deb8u2 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2798139 |
+CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions.
+Vulnerable: <= 9.4.26-0+deb8u3
+Fixed: 9.4.26-0+deb8u4 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2769687 |
+CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library.
+Vulnerable: <= 7.38.0-4+deb8u20
+Fixed: 7.38.0-4+deb8u21 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2769633 |
+CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames.
+Vulnerable: <= 1.10.0-2+deb8u2
+Fixed: 1.10.0-2+deb8u3 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2769632 |
+CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made.
+Vulnerable: <= 0.80.7-2+deb8u4
+Fixed: 0.80.7-2+deb8u5 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2769631 |
+CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data.
+Vulnerable: <= 2.8.9dev1-2+deb8u1
+Fixed: 2.8.9dev1-2+deb8u2 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2743132 |
+CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code.
+Vulnerable: <= 1.0.25-9.1+deb8u5
+Fixed: 1.0.25-9.1+deb8u6 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2736247 |
+CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.c
+Vulnerable: <= 1.900.1-debian1-2.4+deb8u10
+Fixed: 1.900.1-debian1-2.4+deb8u11 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2736245 |
+CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems.
+Vulnerable: <= 2.8.17-1+deb8u7
+Fixed: 2.8.17-1+deb8u8 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2728207 |
+CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
+3.7.0-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2728206 |
+CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
+3.7.0-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2728205 |
+CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
+3.7.0-4.4.1 |
+4.4.2-4.4.5 |
+
+
+2726776 |
+CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour.
+Vulnerable: <= 2.4.10-10+deb8u17
+Fixed: 2.4.10-10+deb8u18 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2716841 |
+CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository.
+Vulnerable: <= 1.5.6-5+deb8u1
+Fixed: 1.5.6-5+deb8u2 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2705169 |
+CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.
+Vulnerable: <= 4.0.3-12.3+deb8u10
+Fixed: 4.0.3-12.3+deb8u11 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2705168 |
+CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
+ CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.
+Vulnerable: <= 5.43-2+deb9u2~deb8u2
+Fixed: 5.43-2+deb9u2~deb8u3 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2702519 |
+CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt.
+Vulnerable: <= 1.6.3-2+deb8u8
+Fixed: 1.6.2-2+dev8u9 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2684404 |
+CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module.
+Vulnerable: <= 1.6.2-5+deb8u8
+Fixed: 1.6.2-5+deb8u9 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2679950 |
+CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
+Vulnerable: <= 4.3.1-6-cl3.7.14u1
+Fixed: 4.3.1-6-cl3.7.16u1 |
+3.7.0-3.7.15, 4.0.0-4.3.2 |
+3.7.16, 4.4.0-4.4.5 |
+
+
+2677063 |
+CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion.
+Vulnerable: <= 2.9.1+dfsg1-5+deb8u10
+Fixed: 2.9.1+dfsg1-5+deb8u11 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2677061 |
+CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code.
+Vulnerable: <= 1.6.2-5+deb8u7
+Fixed: 1.6.2-5+deb8u8 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2677060 |
+CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
+Vulnerable: <= 2.7.9-2-ds1-1+deb8u6
+Fixed: 2.7.9-2-ds1-1+deb8u7 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2668477 |
+CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions.
+Vulnerable: <= 1.6.2-3+deb8u4
+Fixed: 1.6.2-3+deb8u5 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2660693 |
+CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request.
+Vulnerable: 7.38.0-4+deb8u19
+Fixed: 7.38.0-4+deb8u20 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2660582 |
+In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure).
+
+To recover restart the clagd service with
+sudo systemctl restart clagd.service |
+3.7.8-3.7.15 |
+3.7.16 |
+
+
+2658233 |
+The following vulnerabilities have been announced in the graphviz package:
+CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (application
+crash) via a crafted file.
+CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file.
+Vulnerable: 2.38.0-7
+Fixed: 2.38.0-7+deb8u1 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2654684 |
+CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files.
+Vulnerable: <= 2.9.1+dfsg1-5+deb8u9
+Fixed: 2.9.1+dfsg1-5+deb8u10 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2653521 |
+CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code.
+Vulnerable: 0.4.1-1.2
+Fixed: 0.4.1-1.2+deb8u1 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2646974 |
+The following vulnerabilities have been announced in bind9:
+CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service.
+CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query.
+CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries.
+Vulnerable: <= 9.9.5.dfsg-9+deb8u21
+Fixed: 9.9.5.dfsg-9+deb8u22 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2646968 |
+CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service.
+Vulnerable: <= 6.8.9.9-5+deb8u23
+Fixed: 6.8.9.9-5+deb8u24 |
+3.7.0-3.7.15 |
+3.7.16 |
+
+
+2635951 |
+The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1.
+Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.
+Vulnerable: <= 1.4.4-2+deb8u2
+Fixed: 1.4.4-2+deb8u3 |
+3.7.0-3.7.14.2 |
+3.7.15-3.7.16 |
+
+
+2617009 |
+CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code.
+Vulnerable: 1.7.0~dfsg-1
+Fixed: 1.7.0~dfsg-1+deb8u1 |
+3.7.0-3.7.14.2 |
+3.7.15-3.7.16 |
+
+
+2617008 |
+CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
+Vulnerable: <= 1.22.0-9+deb8u4
+Fixed: 1.22.0-9+deb8u5 |
+3.7.0-3.7.14.2 |
+3.7.15-3.7.16 |
+
+
+2617007 |
+CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited.
+Vulnerable: <= 1.900.1-debian1-2.4+deb8u9
+Fixed: 1.900.1-debian1-2.4+deb8u10 |
+3.7.0-3.7.14.2 |
+3.7.15-3.7.16 |
+
+
+2617006 |
+CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute.
+Vulnerable: <= 3.4.0-1+deb8u3
+Fixed: 3.4.0-1+deb8u4 |
+3.7.0-3.7.14.2 |
+3.7.15-3.7.16 |
+
+
+2617002 |
+CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact.
+Vulnerable: 6.8.9.9-5+deb8u22
+Fixed: 6.8.9.9-5+deb8u23 |
+3.7.0-3.7.14.2 |
+3.7.15-3.7.16 |
+
+
+2589570 |
+The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:
+CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input.
+Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2
+Fixed: 2.0.1+dfsg-1.1+deb8u3 |
+3.7.0-3.7.14.2 |
+3.7.15-3.7.16 |
+
+
+2589567 |
+The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:
+CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.
+CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size.
+Vulnerable: <= 2.6.1-2+deb8u5
+FIxed: 2.6.1-2+deb8u6 |
+3.7.0-3.7.14.2 |
+3.7.15-3.7.16 |
+
+
+2556233 |
+Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message will be observed when this condition occurs:
+{{WARN xx routes reverted to non-ECMP due to NH table capacity}} |
+3.7.9-3.7.14.2 |
+3.7.15-3.7.16 |
+
+
+2556037 |
+After you add an interface to the bridge, an OSPF session flap might occur.
+
+ |
+3.7.9-4.2.0 |
+4.2.1-4.4.5 |
+
+
+2556019 |
+After you add an interface to a bridge using the NCLU {{net add bridge bridge ports <interface>}} command, the bridge can go down and its MAC address changes.
+To work around this issue, use Linux commands to add an interface to a bridge. |
+3.7.9-3.7.13 |
+3.7.14-3.7.16 |
+
+
+2553887 |
+When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as {{net add}} and {{net del}} and see an error similar to the following:
+
+ERROR: You do not have permission to execute that command.
+
+To work around this issue, remove the DEFAULT user from the TACACS+ server. |
+3.7.7-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2552739 |
+Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. |
+3.7.2-3.7.16 |
+ |
+
+
+2552528 |
+Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. |
+3.7.7-3.7.13, 4.0.0-4.2.1 |
+3.7.14-3.7.16, 4.3.0-4.4.5 |
+
+
+2552352 |
+The following security vulnerabilities have been announced in the nss / libnss3 packages:
+CVE-2020-6829: Side channel attack on ECDSA signature generation
+CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function
+CVE-2020-12401: ECDSA timing attack mitigation bypass
+Vulnerable: <= 3.26-1+debu8u11
+Fixed: 3.26-1+debu8u12 |
+3.7.0-3.7.13 |
+3.7.14-3.7.16 |
+
+
+2552351 |
+The following vulnerability has been announced in the libx11 packages:
+CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method.
+Vulnerable: <= 1.6.2-3+deb8u2
+Fixed: 1.6.2-3+deb8u3 |
+3.7.0-3.7.13 |
+3.7.14-3.7.16 |
+
+
+2551675 |
+When you restart {{clagd}}, the edge port setting on the peer link changes. |
+3.7.2-3.7.13, 4.0.0-4.2.0 |
+3.7.14-3.7.16, 4.2.1-4.4.5 |
+
+
+2551288 |
+When you remove BFD configuration by editing the {{/etc/frr/frr.conf}} file and restarting FRR, you see a traceback.
+To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new {{/etc/frr/frr.conf}} file. |
+3.7.7-3.7.16 |
+4.0.0-4.4.5 |
+
+
+2550600 |
+The received PVST BPDU for a VLAN is flooded even though the ingress port doesn't have the VLAN tagged. |
+3.7.8-4.3.0 |
+4.3.1-4.4.5, 4.4.0-4.4.5 |
+
+
+2550479 |
+VXLAN interface as in-interface or out-interface in an ACL is not supported in Spectrum-based switches. |
+3.7.7-4.2.0 |
+4.2.1-4.4.5, 4.3.0-4.4.5 |
+
+
+2550375 |
+CPU utilization may increase when clag-managed bond interfaces are operationally/LACP down but the physical carrier remains up on the bond member switchports. This condition occurs when clag bond redirection is enabled and bond members remain up while the parent bond does not negotiate LACP.
+
+This issue is resolved in Cumulus Linux 3.7.14. |
+3.7.9-3.7.13, 4.0.0-4.2.1 |
+3.7.14-3.7.16, 4.3.0-4.4.5 |
+
+
+2550323 |
+After a neighbor is removed, the redistributed neighbor entry is withdrawn from the BGP table, but the prefix might still be selected as the bestpath when the host's originated prefix is not advertised.
+To work around this issue, recreate the neighbor entry and flap the interface to the host.
+Or, if the host is already down, manually create a neighbor entry with an invalid MAC address, which forces redistribute neighbor to re-withdraw the entry. |
+3.7.3-3.7.12 |
+3.7.13-3.7.16, 4.0.0-4.4.5 |
+
+
+2548475 |
+After you add a new VNI and a layer 3 SVI to a set of leafs, certain leafs might not be able to communicate on the layer 3 VNI.
+To work around this issue, reboot the leaf switch or restart {{switchd}}. |
+3.7.6-3.7.13 |
+3.7.14-3.7.16, 4.0.0-4.4.5 |
+
+
+2548382 |
+The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. |
+3.7.5-4.1.1 |
+4.2.0-4.4.5 |
+
+
+2548243 |
+On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. |
+3.7.3-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2548111 |
+When you remove, then re-add an NSX VTEP binding, the VXLAN VTEP interface is not recreated. |
+3.7.9-3.7.12, 4.0.0-4.0.1 |
+3.7.13-3.7.16, 4.1.0-4.4.5 |
+
+
+2547769 |
+{{syslog}} might report a high load average with the CPU running a later microcode revision. |
+3.7.4-3.7.12 |
+3.7.13-3.7.16 |
+
+
+2547663 |
+When traffic from a double tag interface (facing a different site) is forwarded through VXLAN, the inner tag is not removed. The destination does not know this tag, so it discards it. |
+3.7.8-3.7.12, 4.0.0-4.0.1 |
+3.7.13-3.7.16, 4.1.0-4.4.5 |
+
+
+2547573 |
+On Tomahawk switches, when the {{vxlan_tnl_arp_punt_disable}} option is set to FALSE, ARP packets are not forwarded to the CPU. |
+3.7.9-3.7.16 |
+ |
+
+
+2547293 |
+On the Broadcom Trident3 switch with DHCP relay, where the DHCP server is reachable through the EVPN overlay, DHCP discover packets forwarded to the CPU might appear corrupt and might not get forwarded. |
+3.7.9-3.7.12, 4.0.0-4.0.1 |
+3.7.13-3.7.16, 4.1.0-4.4.5 |
+
+
+2547068 |
+Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly.
+To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available or manually disable CPU C-states in the kernel as outlined below.
+To permanently disable C-states using a kernel boot parameter:
+1. Edit {{/etc/default/grub}} to add the argument {{processor.max_cstate=0}} to the variable {{GRUB_CMDLINE_LINUX}}. For example, if {{/etc/default/grub}} file contains the line {{GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off"}}, change it to {{GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0"}}
+2. Run {{sudo update-grub}}.
+3. Reboot the system with {{sudo reboot}}.
+To disable cstates in realtime on the current system, which does not persist through a reboot:
+1. Confirm that the libpci3 package is installed. Run {{dpkg-query -l libpci3}} and confirm the following line is displayed:
+{{ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)}}
+The first field above should read {{ii}}. If not, install the libpci3 package by running {{sudo apt upgrade;sudo apt install libpci3}}.
+2. Disable C-states by running the command {{./cpupower idle-set -d 2}}.
+C-states are disabled by default in Cumulus Linux 4.3.0 and later. |
+3.7.9-4.2.1 |
+4.3.0-4.4.5 |
+
+
+2547012 |
+On the Mellanox Spectrum switch, {{switchd}} can sometimes fail when PBR rules are installed or removed from hardware if the rule is setting a next hop learned via a routing protocol. |
+3.7.7-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2546998 |
+When you configure Cumulus Linux with a /32 address on a switch port with a configured peer address (for example, to connect to a device using IP unnumbered), the switch sends GARPs for the peer address. |
+3.7.5-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2546868 |
+Broadcom Field Alert - SID - MMU 2B Errors
+A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. |
+3.7.0-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2546702 |
+The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load.
+To work around this issue, run the {{cl-support -M}} command to disable timeouts. |
+3.7.0-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2546501 |
+On the EdgeCore AS7326-56X switch, eth0 and swp1 use the same MAC address. |
+3.7.9-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2546385 |
+SNMP ifLastChange reports link transitions when there are none. |
+3.7.6-3.7.16 |
+ |
+
+
+2545867 |
+If you delete, then re-add a PBR policy on an interface, the configured PBR policy is not programmed in the kernel or {{switchd}}. |
+3.7.9-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2545865 |
+After making a series of PBR configuration changes using NCLU commands, the stale PBR entry is still present in the kernel. |
+3.7.9-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2545693 |
+On rare occasions, after rebooting the MLAG secondary switch, one MLAG device might see the peer as down, which can cause traffic disruption to connected hosts. |
+3.7.7-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2545607 |
+The protocol daemon {{bgpd}} crashes when a link/neighbor flaps if static routes pointing to Null0 are advertising through BGP.
+To work around this issue, reboot the switch, then remove the static routes or stop advertising these routes. |
+3.7.9-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2545599 |
+IPv6 table rules might affect forwarding. For example, if you create the following rule in the {{/etc/cumulus/acl/policy.d/03-sshd.rules}} file, the rule counter increments but IPv4 SSH traffic might be dropped.
+
+[ip6tables]
+-A INPUT -p tcp --dport 22 -j DROP
+ |
+3.7.2-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2545505 |
+If you change multiple BGP or BFD timers in the {{/etc/frr/frr.conf}} file and then reload FRR, a traceback is encountered and the change does not take effect. |
+3.7.9-3.7.10 |
+3.7.11-3.7.16 |
+
+
+2545405 |
+The {{ospfd}} daemon might crash with the following kernel trace:
+
+2019-11-06T23:00:08.261749+09:00 cumulus ospfd[5339]: Assertion 'node' failed in file ospfd/ospf_packet.c, line 671, function ospf_write
+ |
+3.7.6-3.7.10 |
+3.7.11-3.7.16 |
+
+
+2545316 |
+When an interface flap occurs, numbered IPv6 BGP sessions might fail to establish.
+To work around this issue, run the {{ip -6 route flush cache <IPv6-address>}} command to flush the IPv6 route cache. |
+3.7.9-3.7.11 |
+3.7.12-3.7.16 |
+
+
+2545235 |
+On the Edgecore AS6812 switch, you might see rare I2C errors. |
+3.7.2-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2545193 |
+{{switchd}} does not program multicast routes 224/8 into hardware. |
+3.7.9-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2545132 |
+On the Mellanox switch, ACL lookups are performed for VLAN matches when no rules with {{UNTAGGED}} match are present. |
+3.7.2-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2545048 |
+When networking fails to start properly, an MLAG memory leak occurs, which might cause memory issues. |
+3.7.9-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2545027 |
+In the default VRF, VRRP might crash and stay in an initialize state. As a result, VRRP multicast traffic is not generated. |
+3.7.8-3.7.10 |
+3.7.11-3.7.16 |
+
+
+2544978 |
+If you delete an undefined bond, then add a bond slave, the {{net commit}} command fails. |
+3.7.9-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2544968 |
+FRR configuration commands for an SVI interface might have the {{\n}} misplaced in the output. For example:
+
+sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"
+
+should be:
+
+sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"
+
+To work around this issue, configure the interface manually in the {{/etc/frr/frr.conf}} file. |
+3.7.9-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2544937 |
+The {{neighmgrd}} service does not ignore neighbors on reserved devices (lo and management devices). This issue is not seen when management VRF is enabled. |
+3.7.8-3.7.11 |
+3.7.12-3.7.16 |
+
+
+2544904 |
+After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements.
+To work around this issue, restart FRR after removing the IPv6 numbered configuration. |
+3.7.9-4.1.1 |
+4.2.0-4.4.5 |
+
+
+2544846 |
+You might experience a {{bgpd}} memory usage increase and significant update exchanges due to host moves between VTEPs. |
+3.7.7-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2544829 |
+Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with {{tcpdump}}. |
+3.7.8-3.7.16 |
+ |
+
+
+2544723 |
+Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. |
+3.7.6-3.7.10, 4.0.0-4.4.5 |
+3.7.11-3.7.16 |
+
+
+2544671 |
+Package : sudo
+CVE ID : CVE-2019-14287
+Debian Bug : 942322
+Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows to run commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access.
+Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html .
+We recommend that you upgrade your sudo packages. For the detailed security status of sudo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudo
+Vulnerable versions: < 1.8.27-1+deb10u1
+Fixed versions: >= 1.8.27-1+deb10u1
+To work around this iisue, disable (comment out) any sudoers entries in {{/etc/sudoers}} or files in {{/etc/sudoers.d}} that have entries with {{!root}} in them. Only root or other users with a uid of 0 that are affected. |
+3.7.9-3.7.16 |
+4.0.0-4.4.5 |
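Review bot: In the 2544671 row (sudo, CVE-2019-14287), the closing sentence of the workaround, "Only root or other users with a uid of 0 that are affected.", does not parse, so a reader cannot tell which accounts or sudoers entries are in scope. Please restate it as a complete sentence and fix "iisue" in the sentence before it. The advisory text quoted just above ties the flaw to Runas specifications that use the ALL keyword while disallowing root, so the workaround could name that pattern directly rather than pointing only at entries containing {{!root}}. Smaller points elsewhere in this hunk: row 2552352 gives the package versions as "3.26-1+debu8u11" and "3.26-1+debu8u12" while row 2552351 uses the "deb8u" form, so the former looks like a transposition; row 2544324 says "wpa_supplication" where the component is wpa_supplicant; and row 2544113 writes {{etc/network/interfaces}} without the leading slash used for the same file in row 2543164.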
+
+
+2544624 |
+VXLAN encapsulated ICMP packets hit the catchall EFP policer instead of the ICMP policer and you might experience partial packet loss.
+ |
+3.7.9-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2544609 |
+BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. |
+3.7.7-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2544559 |
+When you install a large number of new rules with nonatomic mode enabled, there is a chance that you install more rules than the number of available slots in the slice, which results in the slice being completely wiped and reinstalled. This causes a large drop increase, including to cpu0, and might cause a major outage by dropping all BGP sessions. |
+3.7.8-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2544556 |
+If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as {{iburst}}), an invalid configuration is added to the {{/etc/ntp.conf}} file. For example:
+
+net add time ntp server 1.2.3.4 iburst
+net commit
+net add time ntp server 1.2.3.4
+net commit
+
+If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. |
+3.7.9-4.1.1 |
+4.2.0-4.4.5 |
+
+
+2544463 |
+Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with {{ethtool -s swp<#> autoneg on}} returns {{Operation not supported}}.
+To work around this issue, do not use auto-negotiation and set the local port speed to 10G. |
+3.7.9-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2544456 |
+The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. |
+3.7.9-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2544401 |
+Package: openssl
+CVE ID: CVE-2019-1547 CVE-2019-1549 CVE-2019-1563
+Three security issues were discovered in OpenSSL: A timing attack against
+ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey()
+and it was discovered that a feature of the random number generator (RNG)
+intended to protect against shared RNG state between parent and child
+processes in the event of a fork() syscall was not used by default.
+Fixed version: 1.1.1d-0+deb10u1
+We recommend that you upgrade your openssl packages.
+For the detailed security status of openssl, refer to its security tracker page at:
+https://security-tracker.debian.org/tracker/openssl |
+3.7.0-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2544385 |
+The QCT QuantaMesh BMS T7032-IX7 switch may report "failed to request GPIO pin" errors during the boot up. |
+3.7.5-3.7.10 |
+3.7.11-3.7.16 |
+
+
+2544324 |
+Package: hostapd
+CVE ID: CVE-2019-13377 CVE-2019-16275
+Two vulnerabilities were found in the WPA protocol implementation found in wpa_supplication (station) and hostapd (access point).
+CVE-2019-13377
+A timing-based side-channel attack against WPA3's Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password.
+CVE-2019-16275
+Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network.
+Fixed version: 1:2.8.0-cl4u3 |
+3.7.0-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2544311 |
+Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. |
+3.7.5-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2544212 |
+Cumulus Linux poed generates excessive debug log entries. These will be reduced in a future release. |
+3.7.3-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2544199 |
+Traffic sent to the SVI IP address of a switch might be lost if all of the following conditions are met:
+* The switch is a member of an MLAG pair
+* The traffic is sourced from a layer 2 adjacent host
+* The host is located within a VRF of the MLAG pair
+* The traffic from the source crosses the peer link
+* VXLAN is configured on the MLAG pair
+
+This issue does not impact transit traffic or traffic that does not meet all of the described conditions.
+To workaround this issue, restart {{switchd}}. |
+3.7.9-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2544182 |
+NCLU crashes when you run the {{net add interface storage-optimized pfc}} command because non-ascii quotes exist in the {{datapath.conf}} file.
+To work around this issue, manually edit the {{/usr/lib/python2.7/dist-packages/cumulus/__chip_config/mlx/datapath.conf}} file and replace the non-ascii single quotes with ascii single quotes (standard single quote on the keyboard). |
+3.7.9-3.7.10 |
+3.7.11-3.7.16 |
+
+
+2544155 |
+NCLU requires you to specify an interface with multiple {{address-virtual}} statements in ascending MAC address order.
+
+ |
+3.7.5-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2544113 |
+Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
+To work around this issue, disable MAC learning on QinQ VLANs by adding {{bridge-learning off}} to the VLAN stanza in the {{etc/network/interfaces}} file. |
+3.7.9-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2544073 |
+After upgrading to Cumulus Linux 3.7.9 on a Broadcom switch, CPU generated traffic (such as ICMP, OSPF, ARP, and so on) egresses access ports with a 802.1Q header or interfaces with a bridge-pvid, with a VLAN ID of 0. Equipment from other vendors might drop this traffic. |
+3.7.9 |
+3.7.10-3.7.16 |
+
+
+2544057 |
+FRR crashes when adding an IPv6 neighbor with extended-nexthop capability. |
+3.7.9-3.7.10 |
+3.7.11-3.7.16 |
+
+
+2544012 |
+After you remove a subinterface, the BGP session stays in a Connect state. |
+3.7.8-3.7.11 |
+3.7.12-3.7.16 |
+
+
+2543937 |
+An interface alias configured outside FRR using {{iproute2}} is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
+To work around this issue, remove the interface alias description from {{iproute2}}. |
+3.7.8-3.7.10, 4.0.0-4.4.5 |
+3.7.11-3.7.16 |
+
+
+2543900 |
+On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. |
+3.7.8-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2543875 |
+On the Mellanox Spectrum switch, a route withdrawal might cause the associated next hop neighbor entry to be deleted in hardware but remain in the kernel. This can cause traffic going through the directly connected route to the removed neighbor entry to be forwarded to the CPU. |
+3.7.6-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2543841 |
+The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output.
+ |
+3.7.8-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2543840 |
+On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the {{traffic.conf}} file.
+
+ |
+3.7.6-3.7.16 |
+ |
+
+
+2543835 |
+The following CVEs were announced that affect the ghostscript package:
+CVE ID : CVE-2019-14811 CVE-2019-14812 CVE-2019-14813 CVE-2019-14817
+It was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox.
+We recommend that you upgrade your ghostscript packages.
+For the detailed security status of ghostscript, refer to its security tracker page at:
+https://security-tracker.debian.org/tracker/ghostscript |
+3.7.0-3.7.10 |
+3.7.11-3.7.16 |
+
+
+2543816 |
+On the Dell S5248F-ON switch, {{smond}} might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
+ |
+3.7.6-3.7.11, 4.0.0-4.4.5 |
+3.7.12-3.7.16 |
+
+
+2543800 |
+When {{local-tunnelip}} is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if {{local-tunnelip}} is a loopback or a physical layer 3 interface.
+ |
+3.7.8-3.7.16 |
+4.0.0-4.4.5 |
+
+
+2543792 |
+On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:
+
+2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
+2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
+2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
+2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
+ |
+3.7.9-3.7.12, 4.0.0-4.0.1 |
+3.7.13-3.7.16, 4.1.0-4.4.5 |
+
+
+2543781 |
+NCLU does not allow you to configure OSPF NSSAs. For example:
+
+cumulus@switch:~$ net add ospf area 0.0.0.1 nssa
+ERROR: Command not found.
+net add ospf area 0.0.0.1 nssa
+
+To work around this issue, use FRR instead. For example:
+
+switch# configure terminal
+switch(config)# router ospf
+switch(config-router)# area 0.0.0.1 nssa
+ |
+3.7.7-3.7.10, 4.0.0-4.4.5 |
+3.7.11-3.7.16 |
+
+
+2543727 |
+ACL rules, such as the following, fail to install if you use swp+ (interfaces mentioned as wildcards).
+
+-A FORWARD -i swp+ -j LOG
+-A FORWARD -i swp+ -j DROP
+
+You can now install such rules with swp+. |
+3.7.3-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2543724 |
+If a hostname contains utf-8 characters, the NCLU {{net show lldp}} command outputs the following error:
+
+ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128)
+See /var/log/netd.log for more details.
+ |
+3.7.7-3.7.10, 4.0.0-4.4.5 |
+3.7.11-3.7.16 |
+
+
+2543708 |
+Cumulus Linux does not map QinQ packets to VXLANs in a configuration with a VLAN-aware bridge and MLAG on the Trident3 platform.
+ |
+3.7.9-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2543689 |
+On the Mellanox switch, UFT profiles are unable to support the documented capacity for routes to addresses that are more than 64 bits in length. The listed capacities assume 64-bit destination IP addresses. |
+3.7.8-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2543667 |
+On the EdgeCore AS4610 switch, the {{ping}} command fails unless you run the command with {{sudo}}.
+ To work around this issue, run the following commands:
+
+ cumulus@switch:~$ sudo setcap cap_net_raw+ep /usr/share/mgmt-vrf/bin/ping
+ cumulus@switch:~$ sudo setcap cap_net_raw+ep /usr/share/mgmt-vrf/bin/ping6
+
+ Run the following command to verify the workaround:
+
+ cumulus@switch:~$ getcap /usr/share/mgmt-vrf/bin/ping*
+
+ You should see the following output:
+
+ /usr/share/mgmt-vrf/bin/ping = cap_net_raw+ep
+ /usr/share/mgmt-vrf/bin/ping6 = cap_net_raw+ep
+
+ |
+3.7.6-4.1.1 |
+4.2.0-4.4.5 |
+
+
+2543665 |
+{{clagd}} memory consumption increases under certain unknown conditions.
+ |
+3.7.8-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2543648 |
+You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:
+
+-A FORWARD -i swp5 -s 00:25:90:b2:bd:9d -d 50:6b:4b:96:c4:04 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
+ |
+3.7.6-4.1.1 |
+4.2.0-4.4.5 |
+
+
+2543647 |
+ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
+
+-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
+ |
+3.7.6-4.2.1 |
+4.3.0-4.4.5 |
+
+
+2543646 |
+In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). |
+3.7.6-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2543627 |
+Tomahawk 40G DACs cannot disable auto-negotiation. |
+3.7.7-3.7.16 |
+4.0.0-4.4.5 |
+
+
+2543473 |
+Configuring an inbound route map to manually change the next hop IP address received from an eBGP peer locally causes the next hop to not be updated when advertising this route out to other eBGP peers.
+To work around this issue, set a "dummy" route map outbound to the eBGP peer or configure the route map to manually set the next hop outbound from the originating eBGP peer. |
+3.7.6-3.7.10 |
+3.7.11-3.7.16 |
+
+
+2543472 |
+On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly.
+To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches. |
+3.7.7-3.7.12, 4.0.0-4.0.1 |
+3.7.13-3.7.16, 4.1.0-4.4.5 |
+
+
+2543374 |
+After a remote VTEP peer link goes down, the tunnel destination IP address might be incorrect in hardware, which might cause loss of overlay communication between VTEPs. |
+3.7.8-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2543325 |
+Lenovo switches do not send or receive LLDP on eth0 interfaces. |
+3.7.7-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2543270 |
+The default route injected through OSPF when you configure {{default-information originate always}} is unreliable and might age out unexpectedly.
+To work around this issue, rely on a different source of default route other than injection with {{default-information originate}}. |
+3.7.8-4.1.1 |
+4.2.0-4.4.5 |
+
+
+2543211 |
+In some cases, the {{switchd}} service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
+ |
+3.7.0-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2543164 |
+The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The {{net commit}} command succeeds even though the MTU is not changed as expected.
+To work around this issue, change the MTU on all SVIs and the bridge manually in the {{/etc/network/interfaces}} file, then apply the change with the {{ifreload -a}} command. |
+3.7.7-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2543113 |
+NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful.
+To work around this issue, remove the stanza using vtysh.
+ |
+3.7.3-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2543096 |
+When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the {{/etc/network/interfaces}} file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
+ |
+3.7.6-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2543058 |
+The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
+To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. |
+3.7.7-3.7.16 |
+4.0.0-4.4.5 |
+
+
+2543052 |
+Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as "inactive" in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
+To work around this issue, either restart the FRR service on the affected switch with the {{sudo systemctl restart frr.service}} command or bounce the layer 3 SVI for the affected VRF; for example:
+
+ifdown vlan123 ; sleep 2 ; ifup vlan123
+
+You can run the {{net show vrf vni}} command to print a mapping of VRF : L3-VNI : L3-SVI. |
+3.7.5-3.7.16 |
+4.0.0-4.4.5 |
+
+
+2543044 |
+Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
+You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. |
+3.7.2-3.7.16 |
+4.0.0-4.4.5 |
+
+
+2542979 |
+On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. |
+3.7.7-4.1.1 |
+4.2.0-4.4.5 |
+
+
+2542958 |
+When transitioning from a down state to an up state due to peerlink failure and recovery, MLAG does not start the initDelay timer before trying to bring everything back up. |
+3.7.7-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2542945 |
+On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
+To work around this issue, configure the bridge with {{bridge-vlan-protocol 802.1ad}}:
+
+cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
+ |
+3.7.6-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2542913 |
+IF-MIB::ifHCInOctets reports significantly lower values than reported by interface counters seen elsewhere. |
+3.7.6-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2542871 |
+After you issue the NCLU {{net del bgp vrf <vrf> autonomous-system <AS>}} command and commit the change, Cumulus Linux does not remove the configuration from the {{/etc/frr/frr.conf}} file or the {{net show config commands}}.
+ |
+3.7.3-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2542835 |
+{{snmpd}} fails because NCLU does not remove {{agentaddress @vrf}} lines when running the {{net add snmp-server listening-address all}} command. |
+3.7.4-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2542823 |
+On the Broadcom Trident 3 switch, VXLAN encapsulated packets are dropped on the ingress port (tagged layer 2 port) during transit forwarding (the local switch does not terminate the VXLAN tunnel). An example of where this two-layer VXLAN inside VXLAN encapsulation might occur:
+- VXLAN tunnel (#1) between two servers (different racks) to provide layer 2 extension for containers or VM hosts.
+- VXLAN tunnel (#2) between the TOR switch in rack 1 to the TOR switch located in the remote rack.
+
+To work around this issue, either:
+- Configure the edge port (facing the servers) to be an access port (instead of a trunk/tagged port)
+- Change the destination port from 4789 to something else (VXLAN tunnel terminated by the servers) |
+3.7.5-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2542767 |
+If the BMC operating system fails to respond to IPMI, you see a traceback in {{bmcd}} and all the sensors might report ABSENT devices in {{smonctl}}.
+To work around this issue, power cycle the switch.
+ |
+3.7.6-3.7.12, 4.0.0-4.0.1 |
+3.7.13-3.7.16, 4.1.0-4.4.5 |
+
+
+2542765 |
+When you configure the switch to send an EAP request with the {{net add dot1x send-eap-request-id}} command, the switch ignores re-authentication attempts and does not send back an EAPol.
+ |
+3.7.6-3.7.10 |
+3.7.11-3.7.16 |
+
+
+2542509 |
+In EVPN symmetric or centralized configurations with BGP peering over a peer link, VXLAN routed packets transiting an MLAG peer are dropped until the {{clagd}} {{init-delay}} timer expires during the bring-up sequence following a reboot.
+The problem is caused by a race condition when programming the anycast IP address (used to terminate VXLAN tunnels), where the hardware is programmed before the software by {{clagd}}.
+To work around this issue, configure the BGP path across the peer link to be less preferred. The example below uses AS path prepending and the MLAG switches are iBGP neighbors. However, other BGP configurations achieve the same result.
+In the {{/etc/frr/frr.conf}} file, make a new AS path access list and route map to apply BGP pre-pending of the local ASN one or more times. For example:
+
+ip as-path access-list MY_ASN permit ^$
+
+route-map peerlink-add-asn permit 10
+match as-path MY_ASN
+set as-path prepend 4200000101
+route-map peerlink-add-asn permit 20
+ |
+3.7.6-4.0.1 |
+4.1.0-4.4.5 |
+
+
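Review bot: the workaround example for 2542509 defines the `MY_ASN` AS path access list and the `peerlink-add-asn` route map but never attaches the route map to the peer link neighbor, so following the snippet as written does not make the path across the peer link less preferred. Add the neighbor statement that applies `peerlink-add-asn`, state the direction it applies in, and say that `4200000101` stands in for the reader's own local ASN.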
+2542384 |
+When you define a trap destination using @mgmt, {{snmpd}} indicates that the network is unreachable even though the IP address is reachable in the management VRF.
+ To work around this issue, remove {{@mgmt vrf}} references in the {{/etc/snmp/snmpd.conf}} file, stop {{snmpd}}, then start {{snmpd}} manually in the management VRF with the {{systemctl start snmpd@mgmt}} command.
+ |
+3.7.6-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2542310 |
+{{hsflow}} disregards the setting for {{agent.cidr}} in the {{/etc/hsflowd.conf}} file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the {{hsflow}} payload shows IPv6.
+ |
+3.7.6-3.7.16 |
+ |
+
+
+2542305 |
+If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the {{vlan-id}} and the raw-device bridge stanzas are not added automatically.
+ |
+3.7.6-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2542301 |
+When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
+ |
+3.7.3-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2542248 |
+When you generate a cl-support file, {{clagd.service}} prints log messages similar to the following:
+
+ 019-03-21T07:18:15.727581+00:00 leaf01 clagd[20912]: DumpThreadStacks - start
+ 2019-03-21T07:18:15.728157+00:00 leaf01 clagd[20912]: #012thread: CollectSysInfo (140608446367488)
+ 2019-03-21T07:18:15.735986+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 783, in __bootstrap
+ 2019-03-21T07:18:15.736585+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 810, in __bootstrap_inner
+ 2019-03-21T07:18:15.737045+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 763, in run
+ 2019-03-21T07:18:15.737933+00:00 leaf01 clagd[20912]: file: /usr/sbin/clagd, line 930, in CollectSysInfoT
+ 2019-03-21T07:18:15.739527+00:00 leaf01 clagd[20912]: file: /usr/sbin/clagd, line 187, in CollectSysInfo
+ 2019-03-21T07:18:15.740540+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 621, in wait
+ 2019-03-21T07:18:15.742293+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/dist-packages/clag/clagthread.py, line 48, in wait
+ .
+ .
+ 2019-03-21T07:18:16.456061+00:00 leaf01 clagd[20912]: DumpThreadStacks - end
+
+ |
+3.7.6-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
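Review bot: the first sample log line in 2542248 starts with `019-03-21T07:18:15.727581+00:00` while every later line starts with `2019-`, so the leading 2 was dropped when the output was pasted. The entry also never says whether the DumpThreadStacks messages indicate a fault or can be ignored, which is what someone reviewing logs after running cl-support needs to know.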
+2542100 |
+On the EdgeCore AS7816 switch, PCIE errors cause {{switchd}} startup to fail. |
+3.7.9-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2541212 |
+The {{maximum-prefix}} configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. |
+3.7.5-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2541165 |
+On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, {{poectl}} reports that {{four_pair_mode_enabled}} is true. However, this configuration is not supported on the port so {{poectl}} should report that {{four_pair_mode_enabled}} is false.
+ |
+3.7.6-3.7.16 |
+ |
+
+
+2541029 |
+On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped.
+This issue only affects QinQ configurations.
+ |
+3.7.5-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2540950 |
+On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status.
+ |
+3.7.3-4.1.1 |
+4.2.0-4.4.5 |
+
+
+2540885 |
+The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports. |
+3.7.7-3.7.16 |
+ |
+
+
+2540863 |
+On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number.
+ |
+3.7.3-3.7.16 |
+ |
+
+
+2540753 |
+If the interface alias contains a single or double quotation mark, or an apostrophe, the {{net show configuration}} commands fail with the following error:
+
+ ERROR: No closing quotation
+ See /var/log/netd.log for more details.
+
+ |
+3.7.5-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2540444 |
+SNMP incorrectly requires engine ID specification.
+ |
+3.7.4-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2540352 |
+When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
+ For example, this command is incorrect:
+
+ net add routing route-map Proxy-ARP permit 25 match interface swp9-10
+
+ These commands are correct:
+
+ net add routing route-map Proxy-ARP permit 25 match interface swp9
+ net add routing route-map Proxy-ARP permit 30 match interface swp10
+
+ |
+3.7.2-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2540340 |
+NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the {{net add vrf <name>}} command just displays <ENTER>. For example:
+
+ cumulus@switch:~$ net add vrf mgmt
+ <ENTER>
+
+ Tab completion for the {{net add vrf <name> ip address <address>}} command works correctly. |
+3.7.4-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2540274 |
+On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. |
+3.7.5-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2540204 |
+When links come up after FRR is started, VRF connected routes do not get redistributed. |
+3.7.4-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2540192 |
+The {{net del bridge bridge mcsnoop yes}} command does not return the value to the default of disabled.
+To work around this issue, use the {{net add bridge bridge mcsnoop no}} command to delete the {{mcsnoop attribute}} and return to the default value. |
+3.7.4-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2540155 |
+On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
+ |
+3.7.3-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2540042 |
+When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the {{net commit}} command fails.
+ To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
+
+ cumulus@switch:~$ sudo vtysh
+ switch# configure terminal
+ switch(config)# interface br0.100
+ switch(config-if)# vrrp 1 priority 110
+ switch(config-if)# vrrp 1 advertisement-interval
+ switch(config-if)# end
+ switch# write memory
+ switch# exit
+ cumulus@switch:~
+
+ |
+3.7.4-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
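Review bot: in the vtysh example for 2540042, `switch(config-if)# vrrp 1 advertisement-interval` is shown with no value, so the command is incomplete as documented; add the interval the example intends. The closing prompt `cumulus@switch:~` is missing its `$`, and the same truncated prompt is repeated in the examples for 2540041 and 2540040.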
+2540041 |
+On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU.
+ To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
+
+ cumulus@switch:~$ sudo vtysh
+ switch# configure terminal
+ switch(config)# interface vlan100
+ switch(config-if)# vrrp 1 priority 110
+ switch(config-if)# end
+ switch# write memory
+ switch# exit
+ cumulus@switch:~
+
+ |
+3.7.4-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2540040 |
+Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU.
+To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
+
+ cumulus@switch:~$ sudo vtysh
+ switch# configure terminal
+ switch(config)# interface swp4
+ switch(config-if)# vrrp 1 version 2
+ switch(config-if)# no vrrp 1 preempt
+ switch(config-if)# end
+ switch# write memory
+ switch# exit
+ cumulus@switch:~
+
+ |
+3.7.4-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2540031 |
+NCLU does not honor {{auto all}} in the {{/etc/network/interfaces}} file and removes the existing configuration if no individual {{auto <iface>}} lines exist.
+ |
+3.7.3-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2539994 |
+When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
+
+cumulus@switch:~$ net del bgp neighbor fabric peer-group
+'router bgp 65001' configuration does not have 'neighbor fabric peer-group'
+
+ |
+3.7.2-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2539962 |
+When an LDAP user that does not have NCLU privileges (either in the {{netshow}} or {{netedit}} group, or in the {{/etc/netd.conf}} file) runs an NCLU command, a traceback occurs instead of a permissions error.
+ |
+3.7.0-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2539670 |
+On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type.
+ |
+3.7.2-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2539124 |
+The {{net add interface <interface> ptm-enable}} command adds {{no ptm-enable}} for that interface in the {{frr.conf}} file.
+ Running the {{net add}} or the {{net del}} command does not remove {{no ptm-enable}} from the {{frr.conf}} file. You have to remove it manually using vtysh.
+ |
+3.7.2-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2539081 |
+When you delete post-up and pre-down IP peer entries from the {{etc/network/interfaces}} file, then run the {{ifreload}} command, the IP addresses are not removed and the route remains in the route table.
+ To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the {{ip addr flush dev <interface>}} command.
+ |
+3.7.0-3.7.16 |
+4.0.0-4.4.5 |
+
+
+2538875 |
+IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/swichd.conf}} file.
+ |
+3.7.2-3.7.16 |
+ |
+
+
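Review bot: file paths in these entries are misspelled. 2539081 (and 2538562 further down) write `{{etc/network/interfaces}}` without the leading slash, and 2538875 names `{{/etc/cumulus/swichd.conf}}`, which looks like a typo for `switchd.conf` given that the daemon is called `switchd` everywhere else in the table. A reader who copies the path to check the `bridge.optimized_mcast_flood` setting will not find the file.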
+2538790 |
+NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run {{net add vxlan <layer3-vni> bridge access <vlan>}}. This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.
+To restore connectivity, remove the VLAN ID from the bridge. |
+3.7.2-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2538590 |
+When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain.
+ |
+3.7.2-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
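Review bot: 2538590 states that NCLU programs control plane ACL rules into the FORWARD chain and stops there, without naming the chain the rules should be in or the consequence. Because these rules are meant to permit or deny traffic destined to the local switch, the entry should say whether they are enforced on that traffic while they sit in FORWARD, and give a workaround if there is one. As written, an operator cannot tell whether their control plane filtering is in effect.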
+2538562 |
+On an RMP/1G-T switch, when you remove {{link-speed 100}} with the NCLU command or by editing the {{etc/network/interfaces}} file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
+After you remove the link-speed, {{ethtool}} shows the advertised link modes as not reported and Speed/Duplex as unknown.
+To work around this issue and bring the interface back up, either restart {{switchd}} or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
+Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. |
+3.7.2-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2538302 |
+{{portwd}} allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.
+ |
+3.7.0-3.7.16 |
+ |
+
+
+2538294 |
+If you use NCLU to create an iBGP peering across the peer link, running the {{net add bgp l2vpn evpn neighbor peerlink.4094 activate}} command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. |
+3.7.0-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2538256 |
+On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
+ |
+3.7.2-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2537820 |
+When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
+ |
+3.7.2-3.7.16 |
+4.0.0-4.4.5 |
+
+
+2537699 |
+There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the {{/etc/default/isc-dhcp-relay}} file. For example, 1500 SVI interfaces causes the {{dhcrelay}} service to exit without a core file and logs similar to the following are generated for the interfaces:
+
+ 2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51
+ 2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51
+
+ Eventually the {{dhcrelay}} service stops.
+ |
+3.7.1-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2537544 |
+When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. |
+3.7.1-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2537536 |
+When FRR restarts, {{snmp[err] dev/kmem: Permission denied}} error messages are recorded in the log file and SNMPd might crash periodically. |
+3.7.5-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2537378 |
+NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the {{/etc/snmp/snmpd.conf}} file but the SNMPv3 user cache file {{/var/lib/snmp/snmpd.conf}} fails to update correctly and the configuration does not reflect in operation.
+ To work around this issue, stop {{snmpd}}, remove the cache file, then restart {{snmpd}}.
+ |
+3.7.1-3.7.16 |
+ |
+
+
+2537188 |
+When an event in the network, such as a {{switchd}} or networking service restart, leads to an OVSDB server high availability transition, an {{ovs-vtepd}} core might occur.
+ This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
+ |
+3.7.2-3.7.16 |
+ |
+
+
+2537104 |
+When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}.
+ |
+3.7.1-3.7.16 |
+4.0.0-4.4.5 |
+
+
+2537061 |
+The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
+ |
+3.7.1-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2536639 |
+On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the {{/etc/network/interfaces}} file, the {{igb}} driver crashes, which brings down eth0.
+To work around this issue:
+* If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000).
+* If eth0 is configured in the default VRF and you power cycle after the crash, {{igb}} continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the {{/etc/network/interfaces}} file. |
+3.7.0-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2536616 |
+CVE-2018-5391 (FragmentSmack) is a network vulnerability where an attacker can trigger time and calculation expensive fragment reassembly with specially crafted packets, leading to a denial of service. On a Cumulus Linux switch, the impact is limited to control plane and management plane traffic. Any control plane traffic coming in the front panel ports will be limited by existing policer ACLs.
+To work around this issue, create a file called {{/etc/sysctl.d/ip.conf}} and add these settings:
+
+net.ipv4.ipfrag_low_thresh = 196608
+net.ipv6.ip6frag_low_thresh = 196608
+net.ipv4.ipfrag_high_thresh = 262144
+net.ipv6.ip6frag_high_thresh = 262144
+ |
+3.7.0-4.0.1 |
+4.1.0-4.4.5 |
+
+
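Review bot: the workaround for 2536616 lists the four fragment thresholds to place in `{{/etc/sysctl.d/ip.conf}}` but does not say how they take effect. Add the step that loads the file (or state that a reboot is required) and a way to confirm the running values, so that an operator mitigating CVE-2018-5391 can verify the thresholds are active and not only present on disk.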
+2536608 |
+Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
+ |
+3.7.0-3.7.16 |
+ |
+
+
+2536559 |
+When deleting an interface using NCLU, if the {{/etc/network/interfaces}} alias is different than the {{/etc/frr/frr.conf}} description, the {{net commit}} command returns the following error:
+
+ /etc/frr/daemons was modified by another user.
+
+Despite this error, the change is made and the description is removed from the {{frr.conf}} file. |
+3.7.3-3.7.10 |
+3.7.11-3.7.16 |
+
+
+2536384 |
+The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
+ |
+3.7.0-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
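Review bot: in 2536384, the sentence "The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address" appears to have lost a "not"; the reason it gives (one shared tunnel source IP) explains why the rule cannot tell the two apart. Please confirm the intended meaning. The first sentence says BUM packets are redirected across the peer link, while the last says BUM packets never reach the redirection rule, so the entry should also state which of the two is the observed defect.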
+2536230 |
+On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
+In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. |
+3.7.3-4.0.1 |
+4.1.0-4.4.5 |
+
+
+2536179 |
+On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. |
+3.7.0-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2535986 |
+At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in {{No buffer space available}} error messages on protocol sockets.
+When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a {{switchd}} restart. |
+3.7.0-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2535965 |
+On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
+To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. |
+3.7.0-3.7.16, 4.0.0-4.4.5 |
+ |
+
+
+2535209 |
+The {{net show lldp}} command sometimes shows the port description in the {{Remote Port}} field. The {{net show interface}} command shows the correct value in the {{Remote Host}} field.
+To work around this issue, use {{net show interface}} command for LLDP output when connected to Cisco equipment. |
+3.7.5-3.7.10, 4.0.0-4.4.5 |
+3.7.11-3.7.16 |
+
+
+2534450 |
+The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs.
+ |
+3.7.0-3.7.10 |
+3.7.11-3.7.16, 4.0.0-4.4.5 |
+
+
+2528990 |
+During a link flap test, you might occasionally see a message similar to: {{warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use}}. |
+3.7.6-3.7.10 |
+3.7.11-3.7.16 |
+
+
+
+
+ Issue ID |
+ Description |
+ Affects |
+
+
+2548190 |
+A security scanner may detect a version of wpa or hostapd that is not listed as having been fixed for CVE-2019-13377 and/or CVE-2019-16275. Cumulus Linux since 3.7.9 and 4.0.0 has a customized version of wpa and hostapd which includes the fixes for these vulnerabilities. |
+3.7.8 |
+
+
+2543546 |
+{{{watchfrr}} calls {{sudo /usr/sbin/service frr restart bgpd}} but restarts all FRR daemons which can cause a large outage. This occurs because {{watchfrr}} uses an old style service command, which causes all daemons to restart when a daemon fails. |
+3.7.7-3.7.8 |
+
+
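Review bot: 2543546 opens with `{{{watchfrr}}`, three opening braces against two closing, which breaks the `{{...}}` inline markup used for every other command name in the table. Drop the extra brace.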
+2543469 |
+When using the UFT lpm-equal profile, IPv6 routes are limited to 16K. |
+3.7.8 |
+
+
+2543389 |
+Dynamic route-leaking works as expected until FRR is restarted or the switch is rebooted. After the restart or reboot, the import RT under the VRF where routes are being imported is incorrect. |
+3.7.7-3.7.8 |
+
+
+2543329 |
+The following CVEs were announced in Debian Security Advisory DSA-4499-1 and affect the ghostscript package.
+ ---------------------------------------------------------------------------------------
+ Debian Security Advisory DSA-4499-1 security@debian.org
+ https://www.debian.org/security/ Salvatore Bonaccorso
+ August 12, 2019 https://www.debian.org/security/faq
+ ---------------------------------------------------------------------------------------
+ Package: ghostscript
+ CVE ID: CVE-2019-10216
+ Debian Bug: 934638
+ Netanel reported that the .buildfont1 procedure in Ghostscript, the GPL PostScript/PDF interpreter, does not
+ properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox.
+ For the oldstable distribution (stretch), this problem has been fixed in version 9.26a~dfsg-0+deb9u4.
+ For the stable distribution (buster), this problem has been fixed in version 9.27~dfsg-2+deb10u1.
+ We recommend that you upgrade your ghostscript packages.
+ For the detailed security status of ghostscript, refer to its security tracker page at:
+ https://security-tracker.debian.org/tracker/ghostscript |
+ |
+
+
+2543311 |
+The following CVEs were announced in Debian Security Advisory DSA-4495 and DSA 4497 and affect the linux kernel package.
+ ---------------------------------------------------------------------------------------------
+ Debian Security Advisory DSA-4495-1 security@debian.org
+ https://www.debian.org/security/ Ben Hutchings
+ August 10, 2019 https://www.debian.org/security/faq
+ ---------------------------------------------------------------------------------------------
+ Package: linux
+ CVE ID: CVE-2018-20836 CVE-2019-1125 CVE-2019-1999 CVE-2019-10207 CVE-2019-10638 CVE-2019-12817
+ CVE-2019-12984 CVE-2019-13233 CVE-2019-13631 CVE-2019-13648 CVE-2019-14283 CVE-2019-14284
+ Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
+ CVE-2015-8553
+ Jan Beulich discovered that CVE-2015-2150 was not completely addressed. If a PCI physical function is passed through to a Xen guest, the guest is able to access its memory and I/O regions before enabling decoding of those regions. This could result in a denial-of-service (unexpected NMI) on the host.
+ The fix for this is incompatible with qemu versions before 2.5.
+ (CVE ID not yet assigned)
+ Denis Andzakovic reported a missing type check in the IPv4 multicast routing implementation. A user with the CAP_NET_ADMIN
+ capability (in any user namespace) could use this for denial-of-service (memory corruption or crash) or possibly for privilege escalation.
+ CVE-2018-5995
+ ADLab of VenusTech discovered that the kernel logged the virtual addresses assigned to per-CPU data, which could make it easier to
+ exploit other vulnerabilities.
+ CVE-2018-20836
+ chenxiang reported a race condition in libsas, the kernel subsystem supporting Serial Attached SCSI (SAS) devices, which could lead
+ to a use-after-free. It is not clear how this might be exploited.
+ CVE-2019-1125
+ It was discovered that most x86 processors could speculatively skip a conditional SWAPGS instruction used when entering the kernel
+ from user mode, and/or could speculatively execute it when it should be skipped. This is a subtype of Spectre variant 1, which could
+ allow local users to obtain sensitive information from the kernel or other processes. It has been mitigated by using memory barriers to limit speculative execution. Systems using an i386 kernel are not affected as the kernel does not use SWAPGS.
+ CVE-2019-1999
+ A race condition was discovered in the Android binder driver, which could lead to a use-after-free. If this driver is loaded, a local user might be able to use this for denial-of-service (memory corruption) or for privilege escalation.
+ CVE-2019-1125
+ It was discovered that most x86 processors could speculatively skip a conditional SWAPGS instruction used when entering the kernel
+ from user mode, and/or could speculatively execute it when it should be skipped. This is a subtype of Spectre variant 1, which could
+ allow local users to obtain sensitive information from the kernel or other processes. It has been mitigated by using memory barriers to
+ limit speculative execution. Systems using an i386 kernel are not affected as the kernel does not use SWAPGS.
+ CVE-2019-3882
+ It was found that the vfio implementation did not limit the number of DMA mappings to device memory. A local user granted ownership of
+ a vfio device could use this to cause a denial of service (out-of-memory condition).
+ CVE-2019-3900
+ It was discovered that vhost drivers did not properly control the amount of work done to service requests from guest VMs. A malicious
+ guest could use this to cause a denial-of-service (unbounded CPU usage) on the host.
+ CVE-2019-10207
+ The syzkaller tool found a potential null dereference in various drivers for UART-attached Bluetooth adapters. A local user with access
+ to a pty device or other suitable tty device could use this for denial-of-service (BU G/oops).
+ CVE-2019-10638
+ Amit Klein and Benny Pinkas discovered that the generation of IP packet IDs used a weak hash function, "jhash". This could enable
+ tracking individual computers as they communicate with different remote servers and from different networks. The "siphash" function is
+ now used instead.
+ CVE-2019-10639
+ Amit Klein and Benny Pinkas discovered that the generation of IP packet IDs used a weak hash function that incorporated a kernel
+ virtual address. This hash function is no longer used for IP IDs, although it is still used for other purposes in the network stack.
+ CVE-2019-12817
+ It was discovered that on the PowerPC (ppc64el) architecture, the hash page table (HPT) code did not correctly handle fork() in a
+ process with memory mapped at addresses above 512 TiB. This could lead to a use-after-free in the kernel, or unintended sharing of
+ memory between user processes. A local user could use this for privilege escalation. Systems using the radix MMU, or a custom kernel
+ with a 4 KiB page size, are not affected.
+ CVE-2019-12984
+ It was discovered that the NFC protocol implementation did not properly validate a netlink control message, potentially leading to a null
+ pointer dereference. A local user on a system with an NFC interface could use this for denial-of-service (BUG/oops).
+ CVE-2019-13233
+ Jann Horn discovered a race condition on the x86 architecture, in use of the LDT. This could lead to a use-after-free. A local user could possibly use this for denial-of-service.
+ CVE-2019-13631
+ It was discovered that the gtco driver for USB input tablets could overrun a stack buffer with constant data while parsing the device's
+ descriptor. A physically present user with a specially constructed USB device could use this to cause a denial-of-service (BUG/oops), or possibly for privilege escalation.
+ CVE-2019-13648
+ Praveen Pandey reported that on PowerPC (ppc64el) systems without Transactional Memory (TM), the kernel would still attempt to
+ restore TM state passed to the sigreturn() system call. A local user could use this for denial-of-service (oops).
+ CVE-2019-14283
+ The syzkaller tool found a missing bounds check in the floppy disk driver. A local user with access to a floppy disk device, with a
+ disk present, could use this to read kernel memory beyond the I/O buffer, possibly obtaining sensitive information.
+ CVE-2019-14284
+ The syzkaller tool found a potential division-by-zero in the floppy disk driver. A local user with access to a floppy disk device could
+ use this for denial-of-service (oops).
+ (CVE ID not yet assigned)
+ Denis Andzakovic reported a possible use-after-free in the TCP sockets implementation. A local user could use this for denial-of-service (memory corruption or crash) or possibly for privilege escalation.
+ (CVE ID not yet assigned)
+ The netfilter conntrack subsystem used kernel addresses as user-visible IDs, which could make it easier to exploit other security vulnerabilities.
+ XSA-300
+ Julien Grall reported that Linux does not limit the amount of memory which a domain will attempt to baloon out, nor limits the amount of
+ "foreign / grant map" memory which any individual guest can consume, leading to denial of service conditions (for host or guests).
+ For the oldstable distribution (stretch), these problems have been fixed in version 4.9.168-1+deb9u5.
+ For the stable distribution (buster), these problems have been fixed in version 4.19.37-5+deb10u2.
+ For the oldstable distribution (stretch), these problems will be fixed soon.
+ We recommend that you upgrade your linux packages.
+ For the detailed security status of linux, refer to its security tracker page at:
+ https://security-tracker.debian.org/tracker/linux |
+ |
+
+
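Review bot: the advisory text pasted into 2543311 is internally inconsistent and needs a pass before it ships. The intro cites DSA-4495 and DSA 4497 but only the DSA-4495-1 header is reproduced; the `CVE ID:` list has twelve entries, while the body also describes CVE-2015-8553, CVE-2018-5995, CVE-2019-3882, CVE-2019-3900, CVE-2019-10639 and XSA-300, none of which are in that list; the CVE-2019-1125 paragraph appears twice; and the closing lines say both that stretch is "fixed in version 4.9.168-1+deb9u5" and that for stretch "these problems will be fixed soon". Keep the two advisories separate, each with its own CVE list and fixed versions. There are also paste artifacts ("BU G/oops", "baloon"), and the Affects cell is empty here as well as in 2543329 and 2543008, so the table does not say which Cumulus Linux releases carry the vulnerable packages.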
+2543008 |
+The following CVEs were announced in Debian Security Advisory DSA-4489-1.
+ ---------------------------------------------------------------------------------------
+ Debian Security Advisory DSA-4489-1 security@debian.org
+ https://www.debian.org/security/ Salvatore Bonaccorso
+ July 27, 2019 https://www.debian.org/security/faq
+ ---------------------------------------------------------------------------------------
+ Package: patch
+ CVE ID: CVE-2019-13636 CVE-2019-13638
+ Debian Bug: 932401 933140
+ Imre Rad discovered several vulnerabilities in GNU patch, leading to shell command injection or escape from
+ the working directory and access and overwrite files, if specially crafted patch files are processed.
+ This update includes a bugfix for a regression introduced by the patch to address CVE-2018-1000156 when
+ applying an ed-style patch (#933140).
+ For the oldstable distribution (stretch), these problems have been fixed in version 2.7.5-1+deb9u2.
+ For the stable distribution (buster), these problems have been fixed in version 2.7.6-3+deb10u1.
+ We recommend that you upgrade your patch packages.
+ For the detailed security status of patch please refer to its security tracker page at:
+ https://security-tracker.debian.org/tracker/patch |
+ |
+
+
+2543004 |
+Cumulus Linux installer images have a shell script that validates checksum integrity. When you run {{onie-install}}, this check is run but the installer is still staged even if the checksum validation fails.
+ To work around this issue, perform your own checksum validation before staging a new image with {{onie-install}}. |
+3.7.7-3.7.8 |
+
+
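Review bot: the workaround for 2543004 tells the reader to perform their own checksum validation before running `{{onie-install}}` but gives no way to do it. Name the hash algorithm and where the reference checksum for the image is obtained, so the comparison is made against a trusted value. It would also help to say whether `{{onie-install}}` reports the failed validation at all, since the entry only says the installer is still staged.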
+2542985 |
+On a Tomahawk switch, the 5m 40G DACs (40G CR4) do not come up when both sides have auto-negotiation enabled. |
+3.7.7-3.7.8 |
+
+
+2542965 |
+A port that is used as both a double tag interface and a VXLAN access side interface does not forward correctly; VXLAN decapsulation is does not occur. However, do not configure double tagged interfaces on VXLAN uplink ports as this will cause VXLAN routing issues. |
+ |
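Review bot: In the 2542965 row, "VXLAN decapsulation is does not occur" has a stray "is", and the next sentence opens with "However" but contrasts with nothing; it reads as a separate caveat about VXLAN uplink ports. Make it its own note, and fill in the Affects cell, which is empty for this row.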
+
+
+2542938 |
+When MLAG is re-establishing its peering after a member reboot, the VNIs on the peer briefly go into a protodown state. This can cause complete downtime to dually connected hosts as the member coming back up is still in {{initDelay}}. This issue does resolve itself as the VNIs do come back up within ten seconds. |
+3.7.8 |
+
+
+2542853 |
+For interfaces configured with RS FEC, when {{switchd}} is restarted, the link goes down but does not automatically come back up. This occurs because the FEC status is not replayed correctly into the kernel.
+ To work around this issue, run the {{ifreload -a}} command to bring up the interface after {{switchd}} is restarted. |
+3.7.6-3.7.8 |
+
+
+2542837 |
+On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. |
+3.7.6-3.7.8, 4.0.0-4.4.5 |
+
+
+2542819 |
+On the Trident3 platform, you can only add 50 percent of the total ECMP next hops. A log message indicates that the table is full. |
+3.7.7-3.7.8 |
+
+
+2542774 |
+When moving an IP address from the address line to {{inet dhcp}}, then issuing the {{ifreload -a}} command, the old address is not removed from the interface. NCLU still reports the old address only and reports it as a DHCP address. |
+3.7.6-3.7.8 |
+
+
+2542726 |
+After configuring {{switchd hal.bcm.per_vlan_router_mac_lookup}} to TRUE on a Broadcom switch, layer 2 traffic works over VXLAN but the host is not able to ping the locally connected gateway and loses routing ability to other IPs and subnets. |
+3.7.5-3.7.8 |
+
+
+2542711 |
+BGP update packets are sometimes missing the mandatory {{nexthop}} attribute, which causes connections to reset. For example, this issue is seen when using VRF route leaking with a mix of BGP unnumbered and BGP numbered peers. |
+3.7.6-3.7.8 |
+
+
+2542480 |
+When BGP {{remove-private-AS replace-AS}} is configured under the BGP IPv4 or IPv6 address family between a pair of switches configured as BGP peers, a BGP route update might cause the BGP session to flap.
+ To work around this issue, do not configure {{remove-private-AS replace-AS}} in the BGP IPv4 or IPv6 address family. |
+3.7.6-3.7.8 |
+
+
+2542472 |
+On Broadcom-based VXLAN routing capable platforms, VXLAN traffic received at the egress VTEP might drop because the hardware is mis-programming. This issue is related to timing and is not easily reproduced.
+ This issue might occur after a VXLAN interface (VNI) state transition (the peerlink goes down and puts VNI into a protodown state, then the peerlink comes back and the VNI returns to UP) and is related to how the next-hop information is programmed in hardware. Sometimes the host routes corresponding to this VXLAN segment are mis-programmed with the wrong next hop information.
+ To work around this issue, restart the {{switchd}} service with the {{sudo systemctl restart switchd.service}} command. |
+ |
+
+
+2542423 |
+The following CVEs were announced in Debian Security Advisory DSA-4472-1 and affect the expat (libexpat1) package.
+ -------------------------------------------------------------------------------------
+ Debian Security Advisory DSA-4472-1 security@debian.org
+ https://www.debian.org/security/ Salvatore Bonaccorso
+ June 28, 2019 https://www.debian.org/security/faq
+ -------------------------------------------------------------------------------------
+ Package: expat
+ CVE ID: CVE-2018-20843
+ Debian Bug: 931031
+ It was discovered that Expat, an XML parsing C library, did not properly handled XML input including XML names
+ that contain a large number of colons, potentially resulting in denial of service.
+ For the stable distribution (stretch), this problem has been fixed in version 2.2.0-2+deb9u2.
+ We recommend that you upgrade your expat packages.
+ For the detailed security status of expat, refer to its security tracker page at:
+ https://security-tracker.debian.org/tracker/expat |
+ |
+
+
+2542365 |
+The {{snmpd}} service frequently crashes due to {{double free or corruption}}. |
+3.7.6-3.7.8 |
+
+
+2542341 |
+The IP neighbor entry for a link-local next hop (169.254.x.x) is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
+ To work around this issue, flap the peering to the peer router (which can be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. |
+3.7.7-3.7.8 |
+
+
+2542336 |
+On the Mellanox SN2410 switch, {{switchd}} does not start. |
+3.7.2-3.7.8 |
+
+
+2542297 |
+When you run the NCLU {{net del all}} command, the {{exec-timeout}} setting changes in the {{/etc/frr.frr.conf}} file. |
+3.7.6-3.7.8 |
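Review bot: The path {{/etc/frr.frr.conf}} in the 2542297 row looks like a typo for {{/etc/frr/frr.conf}}, the form the 2541003 row uses. The row also does not say what the {{exec-timeout}} setting changes to after {{net del all}}; stating the resulting value would let readers check whether their configuration was altered.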
+
+
+2542193 |
+When you configure the {{link-down yes}} attribute to a physical SVI, the VRR (-v0) interface is not brought down, and the locally-connected subnet can still be redistributed into routing protocols and advertised to neighbors despite the physical SVI being administratively down.
+ To work around this issue, manually bring down the VRR (-v0) interface with the {{ip link set dev}} command. For example:
+
+ cumulus@switch:~$ sudo ip link set dev vlan1755-v0 down
+ |
+3.7.6-3.7.8 |
+
+
+2542160 |
+The following CVEs were announced in Debian Security Advisory DSA-4465-1 and affect the linux kernel.
+ -------------------------------------------------------------------------------------------
+ Debian Security Advisory DSA-4465-1 security@debian.org
+ https://www.debian.org/security/ Salvatore Bonaccorso
+ June 17, 2019 https://www.debian.org/security/faq
+ -------------------------------------------------------------------------------------------
+ Package: linux
+ CVE ID: CVE-2019-3846 CVE-2019-5489 CVE-2019-9500 CVE-2019-9503 CVE-2019-10126 CVE-2019-11477
+ CVE-2019-11478 CVE-2019-11479 CVE-2019-11486 CVE-2019-11599 CVE-2019-11815 CVE-2019-11833 CVE-2019-11884
+ Debian Bug: 928989
+ Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or
+ information leaks.
+ CVE-2019-3846, CVE-2019-10126
+ huangwen reported multiple buffer overflows in the Marvell wifi (mwifiex) driver, which a local user could use to cause denial of
+ service or the execution of arbitrary code.
+ CVE-2019-5489
+ Daniel Gruss, Erik Kraft, Trishita Tiwari, Michael Schwarz, Ari Trachtenberg, Jason Hennessey, Alex Ionescu, and Anders Fogh
+ discovered that local users could use the mincore() system call to obtain sensitive information from other processes that access
+ the same memory-mapped file.
+ CVE-2019-9500, CVE-2019-9503
+ Hugues Anguelkov discovered a buffer overflow and missing access validation in the Broadcom FullMAC wifi driver (brcmfmac),
+ which a attacker on the same wifi network could use to cause denial of service or the execution of arbitrary code.
+ CVE-2019-11477
+ Jonathan Looney reported that a specially crafted sequence of TCP selective acknowledgements (SACKs) allows a remotely
+ triggerable kernel panic.
+ CVE-2019-11478
+ Jonathan Looney reported that a specially crafted sequence of TCP selective acknowledgements (SACKs) will fragment the TCP
+ retransmission queue, allowing an attacker to cause excessive resource usage.
+ CVE-2019-11479
+ Jonathan Looney reported that an attacker could force the Linux kernel to segment its responses into multiple TCP segments,
+ each of which contains only 8 bytes of data, drastically increasing the bandwidth required to deliver the same amount of data.
+ This update introduces a new sysctl value to control the minimal MSS (net.ipv4.tcp_min_snd_mss), which by default uses the
+ formerly hard-coded value of 48. We recommend raising this to 536 unless you know that your network requires a lower value.
+ CVE-2019-11486
+ Jann Horn of Google reported numerous race conditions in the Siemens R3964 line discipline. A local user could use these to
+ cause unspecified security impact. This module has therefore been disabled.
+ CVE-2019-11599
+ Jann Horn of Google reported a race condition in the core dump implementation which could lead to a use-after-free. A local
+ user could use this to read sensitive information, to cause a denial of service (memory corruption), or for privilege escalation.
+ CVE-2019-11815
+ It was discovered that a use-after-free in the Reliable Datagram Sockets protocol could result in denial of service and potentially
+ privilege escalation. This protocol module (rds) is not auto-loaded on Debian systems, so this issue only affects systems where
+ it is explicitly loaded.
+ CVE-2019-11833
+ It was discovered that the ext4 filesystem implementation writes uninitialised data from kernel memory to new extent blocks.
+ A local user able to write to an ext4 filesystem and then read the filesystem image, for example using a removable drive, might be
+ able to use this to obtain sensitive information.
+ CVE-2019-11884
+ It was discovered that the Bluetooth HIDP implementation did not ensure that new connection names were null-terminated.
+ A local user with CAP_NET_ADMIN capability might be able to use this to obtain sensitive information from the kernel stack.
+ For the stable distribution (stretch), these problems have been fixed in version 4.9.168-1+deb9u3.
+ We recommend that you upgrade your linux packages.
+ For the detailed security status of linux, refer to its security tracker page at:
+ https://security-tracker.debian.org/tracker/linux |
+3.7.6-3.7.8 |
+
+
+2542058 |
+The {{ifquery}} command should return a non-zero value if there is a syntax error. However, it currently returns zero. This issue affects automation scripts that validate a file before copying it into place. |
+3.7.6-3.7.8 |
+
+
+2542031 |
+If you configure a {{sys-mac}} with a single digit, {{ifreload -a}} does not indicate that the MAC address is invalid for the MLAG sys-mac and the {{clagd}} process fails silently. |
+3.7.6-3.7.8 |
+
+
+2541924 |
+If the {{address-virtual}} MAC address is missing a leading zero in the last octet, the interface bounces. |
+3.7.6-3.7.8 |
+
+
+2541604 |
+The {{snmpd}} service exits with a message similar to the following:
+
+ Error in '/usr/sbin/snmpd': double free or corruption (fasttop): 0x00000000018a4e50 ***
+
+ This problem might occur during or after network convergence events. For example, when {{bgpd}} needs to process a high number of updates and the CPU cannot keep up, {{bgpd}} is disconnected and {{agentx}} generates a core dump in {{snmpd}} due to a memory allocation problem.
+ To work around this issue, disable {{agentx}} by commenting out the following lines in the {{/etc/snmp/snmpd.conf}} file. Then, restart the {{snmpd}} service with the {{systemctl restart snmpd}} command.
+
+ agentxperms 777 777 snmp snmp
+ agentxsocket /var/agentx/master
+
+ If you still want to poll the BGP4-MIB information, re-enable the {{bgp pass persist}} script by adding the following line in the {{/etc/snmp/snmpd.conf}} file:
+
+ pass_persist 1.3.6.1.2.1.15 /usr/share/snmp/bgp4_pp.py
+ |
+3.7.2-3.7.8 |
+
+
+2541346 |
+The following CVEs were announced in Debian Security Advisory DSA-4440-1.
+ ---------------------------------------------------------------------------------------
+ Debian Security Advisory DSA-4440-1 security@debian.org
+ https://www.debian.org/security/ Moritz Muehlenhoff
+ May 09, 2019 https://www.debian.org/security/faq
+ ---------------------------------------------------------------------------------------
+ Package: bind9
+ CVE ID: CVE-2018-5743 CVE-2018-5745 CVE-2019-6465
+ Multiple vulnerabilities were found in the BIND DNS server:
+ CVE-2018-5743
+ Connection limits were incorrectly enforced.
+ CVE-2018-5745
+ The "managed-keys" feature was susceptible to denial of service by triggering an assert.
+ CVE-2019-6465
+ ACLs for zone transfers were incorrectly enforced for dynamically loadable zones (DLZs).
+ For the stable distribution (stretch), these problems have been fixed in version 1:9.10.3.dfsg.P4-12.3+deb9u5.
+ We recommend that you upgrade your bind9 packages.
+ For the detailed security status of bind9 please refer to its security tracker page at:
+ https://security-tracker.debian.org/tracker/bind9 |
+ |
+
+
+2541003 |
+NCLU is unable to delete a BGP neighbor configuration if there is a VRF VNI mapping in the {{/etc/frr/frr.conf}} file. For example, the following NCLU command produces an error:
+
+ cumulus@leaf01$ net del bgp neighbor swp5 interface peer-group spine
+ 'router bgp 65001' configuration does not have 'neighbor swp5 interface peer-group spine'
+ |
+3.7.7-3.7.8 |
+
+
+2540684 |
+On a Dell S5248F (Trident3) switch, packets from switch ports are forwarded to the CPU and are sometimes corrupted. The corruption might result in BGP peerings being down, which can lead to all VXLAN traffic to and from a node to be lost, causing an outage to dually connected hosts in a rack.
+To work around this issue, restart {{switchd}}. |
+3.7.3-3.7.8 |
+
+
+2540600 |
+If the {{clagd-vxlan-anycast-ip}} is removed from the {{/etc/network/interfaces}} file (either with the NCLU command or by editing the file manually), MLAG still believes it is present until clagd restarts. |
+3.7.3-3.7.8 |
+
+
+2540359 |
+{{bgpd}} creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. |
+3.7.6-3.7.8 |
+
+
+2538741 |
+The NCLU command {{net show bridge spanning-tree}} does not show the MLAG peer link as part of the STP forwarding instance.
+To work around this issue, use the {{mstpctl}} command to confirm the STP status of the port. |
+3.7.2-3.7.8 |
+
+
+2538710 |
+The following CVEs were announced in Debian Security Advisory DSA-4436-1 and affect the imagemagick packages.
+ -------------------------------------------------------------------------------------------
+ Debian Security Advisory DSA-4371-1 security@debian.org
+ https://www.debian.org/security/ Yves-Alexis Perez
+ January 22, 2019 https://www.debian.org/security/faq
+ -------------------------------------------------------------------------------------------
+ Max Justicz discovered a vulnerability in APT, the high level package manager.
+ The code handling HTTP redirects in the HTTP transport method doesn't properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicous content in the HTTP connection. This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine. Since the vulnerability is present in the package manager itself, it is recommended to disable redirects in order to prevent exploitation during this upgrade only, using:
+ apt -o Acquire::http::AllowRedirect=false update
+ apt -o Acquire::http::AllowRedirect=false upgrade
+ The code handling HTTP redirects in the HTTP transport method doesn't properly sanitize fields transmitted over the wire.
+ This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicous content in the HTTP connection. This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine. Since the vulnerability is present in the package manager itself, it is recommended to disable redirects in order to prevent exploitation during this upgrade only, using:
+ apt -o Acquire::http::AllowRedirect=false update
+ apt -o Acquire::http::AllowRedirect=false upgrade
+ This is known to break some proxies when used against security.debian.org. If that happens, people can switch their security APT source to use deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main
+ For the stable distribution (stretch), this problem has been fixed in version 1.4.9. |
+ |
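Review bot: The 2538710 row introduces DSA-4436-1 and the imagemagick packages, but the advisory text pasted beneath it is DSA-4371-1 for APT (the HTTP redirect handling issue, fixed in 1.4.9), so the row does not tell readers which package is actually affected. The body also repeats the description paragraph and both {{apt -o Acquire::http::AllowRedirect=false}} commands, lacks the Package and CVE ID lines the other DSA rows carry, and misspells "malicious" as "malicous". Either paste the advisory that matches the intro line or correct the intro line, and drop the duplicated paragraph.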
+
+
+2538480 |
+Modifying the {{/etc/netd.conf}} file to set {{show_linux_command = True}} does not take effect. |
+3.7.2-3.7.8 |
+
+
+2538321 |
+On the Trident3 switch, the input chain ACLs drop action forwards packets if the traffic is destined to the CPU on an SVI. |
+ |
+
+
+2538022 |
+When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically.
+ To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF. |
+3.7.2-3.7.8 |
+
+
+2537799 |
+The following CVEs were announced in Debian Security Advisory DSA-4347-1.
+ --------------------------------------------------------------------------------------------------
+ Debian Security Advisory DSA-4347-1 security@debian.org
+ https://www.debian.org/security/ Salvatore Bonaccorso
+ November 29, 2018 https://www.debian.org/security/faq
+ --------------------------------------------------------------------------------------------------
+ Package: perl
+ CVE ID: CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314
+ Multiple vulnerabilities were discovered in the implementation of the Perl programming language.
+ The Common Vulnerabilities and Exposures project identifies the following problems:
+ CVE-2018-18311
+ Jayakrishna Menon and Christophe Hauser discovered an integer overflow vulnerability in Perl_my_setenv leading to a
+ heap-basedbuffer overflow with attacker-controlled input.
+ CVE-2018-18312
+ Eiichi Tsukata discovered that a crafted regular expression could cause a heap-based buffer overflow write during
+ compilation, potentially allowing arbitrary code execution.
+ CVE-2018-18313
+ Eiichi Tsukata discovered that a crafted regular expression could cause a heap-based buffer overflow read during compilation which leads to information leak.
+ CVE-2018-18314
+ Jakub Wilk discovered that a specially crafted regular expression could lead to a heap-based buffer overflow.
+ For the stable distribution (stretch), these problems have been fixed in version 5.24.1-3+deb9u5.
+ We recommend that you upgrade your perl packages.
+ For the detailed security status of perl please refer to its security tracker page at:
+ https://security-tracker.debian.org/tracker/perl |
+ |
+
+
+2537753 |
+The following CVEs were announced in Debian Security Advisory DSA-4372-1.
+ --------------------------------------------------------------------------------------------------
+ Debian Security Advisory DSA-4346-1 security@debian.org
+ https://www.debian.org/security/ Salvatore Bonaccorso
+ November 27, 2018 https://www.debian.org/security/faq
+ --------------------------------------------------------------------------------------------------
+ Package: ghostscript
+ CVE ID: CVE-2018-19409 CVE-2018-19475 CVE-2018-19476 CVE-2018-19477
+ Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may
+ result in denial of service or the execution of arbitrary code if a malformed Postscript file is processed
+ (despite the -dSAFER sandbox being enabled).
+ This update rebases ghostscript for stretch to the upstream version 9.26 which includes additional changes.
+ For the stable distribution (stretch), these problems have been fixed in version 9.26~dfsg-0+deb9u1.
+ We recommend that you upgrade your ghostscript packages.
+ For the detailed security status of ghostscript please refer to its security tracker page at:
+ https://security-tracker.debian.org/tracker/ghostscript |
+ |
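Review bot: The intro line of the 2537753 row cites DSA-4372-1, while the advisory header directly below it reads DSA-4346-1 (ghostscript, November 27, 2018). One of the two numbers is wrong; align the intro with the quoted header so readers look up the right advisory.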
+
+
+2537153 |
+In rare cases, certain IPv6 BGP peers fail to reestablish after {{switchd}} restarts. |
+3.7.2-3.7.8 |
+
+
+2536650 |
+Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters).
+While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. |
+3.7.0-3.7.8 |
+
+
+2536154 |
+By default, the nginx server used for the HTTP API on port 8080 is enabled, but does not listen to external requests. However, it appears to be listening and answering external requests. |
+ |
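Review bot: The 2536154 row contradicts itself: it says the nginx server for the HTTP API on port 8080 "does not listen to external requests" and then that it "appears to be listening and answering external requests". State the intended default and the observed behaviour as two separate sentences. Since the observed behaviour exposes the API beyond what the default promises, the row should also give the affected versions and a workaround; the Affects cell is empty and no workaround is listed.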
+
+
+2535445 |
+If a VNI is configured before the bridge in {{/etc/network/interfaces}}, the switch does not send IGMP queries.
+ To work around this issue, edit the {{/etc/network/interfaces}} file to define the bridge before the VNI. For example:
+
+ # The primary network interface
+ auto eth0
+ iface eth0 inet dhcp
+
+ auto lo
+ iface lo inet loopback
+ address 10.26.10.11/32
+
+ auto swp9
+ iface swp9
+ bridge-access 100
+
+ auto swp10
+ iface swp10
+ bridge-access 100
+
+ auto bridge
+ iface bridge
+ bridge-ports swp9 swp10 vni-10
+ bridge-vids 100
+ bridge-vlan-aware yes
+ bridge-mcquerier 1
+
+ auto vni-10
+ iface vni-10
+ vxlan-id 10
+ vxlan-local-tunnelip 10.0.0.11
+ bridge-access 100
+
+ auto bridge.100
+ vlan bridge.100
+ bridge-igmp-querier-src 123.1.1.1
+
+ auto vlan100
+ iface vlan100
+ address 10.26.100.2/24
+ vlan-id 100
+ vlan-raw-device bridge
+
+ . |
+ |
+
+
+2534887 |
+The NCLU {{net show lldp}} and {{net show interface}} commands do not show LLDP information for swp* (eth is unaffected). |
+ |
+
+
+2534730 |
+The following CVEs were announced in a Debian Security Advisory.
+ --------------------------------------------------------------------------------------------------
+ It was discovered that Ghostscript incorrectly handled certain PostScript files. An attacker could possibly use this to
+ cause a denial of server. (CVE-2016-10317)
+ It was discovered that Ghostscript incorrectly handled certain PDF files. An attacker could possibly use this to cause
+ a denial of service. (CVE-2018-10194)
+ Debian CVE links: https://security-tracker.debian.org/tracker/CVE-2016-10317 and https://security-tracker.debian.org/tracker/CVE-2018-10194 |
+ |
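Review bot: The 2534730 row says the CVEs "were announced in a Debian Security Advisory" without giving the DSA number, and it omits the Package and fixed-version lines that the other DSA rows include, so readers cannot tell which ghostscript version resolves CVE-2016-10317 and CVE-2018-10194. In the first item, "denial of server" should read "denial of service".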
+
+
+2533865 |
+The following CVEs were announced in Debian Security Advisory DSA-4131.
+ -------------------------------------------------------------------------------------------
+ Debian Security Advisory DSA-4131-1 security@debian.org
+ https://www.debian.org/security/ Moritz Muehlenhoff
+ March 04, 2018 https://www.debian.org/security/faq
+ ------------------------------------------------------------------------------------------
+ Package: xen
+ CVE ID: CVE-2018-7540 CVE-2018-7541 CVE-2018-7542
+ Multiple vulnerabilities have been discovered in the Xen hypervisor:
+ CVE-2018-7540
+ Jann Horn discovered that missing checks in page table freeing may result in denial of service.
+ CVE-2018-7541
+ Jan Beulich discovered that incorrect error handling in grant table checks may result in guest-to-host
+ denial of service and potentially privilege escalation.
+ CVE-2018-7542
+ Ian Jackson discovered that insufficient handling of x86 PVH guests without local APICs may result in
+ guest-to-host denial of service.
+ For the stable distribution (stretch), these problems have been fixed in version
+ 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5.
+ We recommend that you upgrade your xen packages.
+ For the detailed security status of xen please refer to its security tracker page at:
+ https://security-tracker.debian.org/tracker/xen |
+ |
+
+
+2532395 |
+Drops due to congestion do not appear to be counted on a Mellanox switch.
+To work around this issue, run the {{sudo ethtool -S swp1}} command to collect interface traffic statistics. |
+ |
+
+