Cumulus Linux 3.7 Release Notes
Download all 3.7 release notes as .xls3.7.16 Release Notes
Open Issues in 3.7.16
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3260469 | The cl-ecmpcalc command prints the following error when the egress interface is a bond or SVI:ecmpcalc: will query hardwareTraceback (most recent call last):File “/usr/cumulus/bin/cl-ecmpcalc”, line 986, inisTrunkMbr, port = ecmp.getHdPort(hd_cmd)File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPortport = int(str4)ValueError: invalid literal for int() with base 10: ‘0t | 3.7.16-4.3.1 | 4.3.2-4.4.5 |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3216759 | With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctlyhal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More ResourcesTo work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 3129819 | On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime. | 3.7.15-3.7.16 | |
| 3128328 | The clagd process uses 100 percent CPU and eventually crashes with an Unable to allocate memory error. | 3.7.16-4.3.0 | 4.3.1-4.4.5 |
| 3120423 | When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. | 3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.12.1 |
| 3093966 | On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
| 3073668 | On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | |
| 3072674 | In an MLAG configuration, if you put a single connected interface into an admin down state, any dynamic MAC addresses on the peer link are flushed, then added back, which causes momentary traffic disruption. | 3.7.15-5.1.0 | 5.2.0-5.12.1 |
| 3072613 | When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
| 3066704 | The hostapd service stops working if an 802.1X interface goes up and down many times over a long period of timeTo work around this issue, restart the hostapd service with the systemctl restart hostapd command. | 3.7.15-4.3.0 | 4.3.1-4.4.5 |
| 3053063 | The update-ports.service fails because a blank space in the comment lines of the /etc/cumulus/ports.conf file causes parsing errors. To work around this issue, remove the blank spaces in the commented lines, then restart the update-ports and switchd services. | 3.7.15-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5 |
| 3020254 | When ARP suppression is off, GARPs from neighmgrd for remote neighbors are sent over VXLAN. | 3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.3.1, 4.4.4-4.4.5, 5.2.0-5.12.1 |
| 3017190 | When you power cycle the switch, multiple interfaces came up in a PoE disabled state To work around this issue, run the sudo poectl -a | grep disabled command to find ports with disabled POE. Run the sudo poectl -e swp1-swp48 command to enable POE on affected ports. | 3.7.10-3.7.16 | |
| 3015881 | Traffic flows fail because the remote VTEP IP address is missing in the layer 3 neighbor table in hardware on the switch. This happens when there is a neighbor entry for the same /32 that we have also received a type-5 route for. When the route is learned after the neighbor entry there is a timing condition that can be hit that will cause the neighbor entry to get removed from hardware when the route is installed in hardware This condition has been seen when customers re-use the VTEP IP on an interface inside of a vrf. The neigh entry for the TEP IP is installed when a symmetric route is learned via that VTEP. The Type-5 route for the TEP IP is learned in the VRF if the customer has redistributed it or advertised it within BGP in the VRF. | 3.7.15-3.7.16 | |
| 2993719 | After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. This is issue is impacting all Cumulus Linux releases. The following attribute: vxlan-purge-remotes yes is intended to fix the issue (this attribute has been available since CL2). It was decided to change ifupdown2’s default behavior to automatically purge BUM entries added by ifup/ifreload. | 3.7.15-5.0.1 | 5.1.0-5.12.1, 5.2.0-5.12.1 |
| 2991514 | Cumulus Linux can take a long time (100 seconds) to sync a large number of VNIs on a bridge. | 3.7.15-4.3.0 | 4.3.1-4.4.5 |
| 2972538 | With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 3.7.15-3.7.16 | |
| 2965759 | On the EdgeCore AS4610-54T switch, the fan speed reports a minimum threshold in the logs. | 3.7.15-3.7.16 | |
| 2959067 | ECMP produces errors indicating No More Resources and switchd crashes even when ECMP utilization is low. | 3.7.14.2-4.2.1 | 4.3.0-4.4.5 |
| 2951110 | The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.12.1 | |
| 2947679 | If the clagd service stops during initDelay, the peerlink flag does not clear from any VNIs that become dual connected during this time. switchd uses the peerlink flag to program MLAG loop prevention. As a result of the overlapping stale flags, traffic destined for the VXLAN might drop. | 3.7.15-3.7.16 | |
| 2934939 | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usageTo workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:address-family ipv4 unicastAfter: ip route 10.10.0.0/16 Null0This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-3.7.16 | |
| 2910017 | SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. | 3.7.15-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.12.1 |
| 2899413 | Broadcom switches return a table full error when creating VXLAN gports, which causes switchd to crash. | 3.7.15-4.3.0 | 4.3.1-4.4.5 |
| 2866084 | When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb deldev command, then add “vxlan-learning”: “off” in the /etc/network/ifupdown2/policy.d/vxlan.json file:$ cat /etc/network/ifupdown2/policy.d/vxlan.jsonReboot the affected switches. | 3.7.12-4.3.0 | 4.3.1-4.4.5 |
| 2866061 | On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 3.7.12-3.7.16 | |
| 2859177 | The cl-route-check –layer3 command fails with a memory error. For example:cumulus@switch:~$ sudo cl-route-check –layer3Traceback (most recent call last): | 3.7.15-3.7.16 | |
| 2855908 | Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send To work around this issue, run the vtysh clear ip mroute command. | 3.7.15-4.3.0, 4.4.0-5.0.1 | 4.3.1, 5.1.0-5.12.1 |
| 2853536 | MLAG between Cumulus Linux and Arista devices might result in some links being suspended by the Arista devices with the error LACP partner validation failedThis happens when you use the same LACP port ID for more than one bond member on the Cumulus Linux switch To work around this issue, run the net add bond command on the bond on the Cumulus Linux switch. For proper operation, you need to make the equivalent change on the device on the other side of the link. | 3.7.15-3.7.16 | |
| 2827336 | After bringing up a bridge port, there is a multi second delay before the bridge port is able to learn any MAC addresses or neighbors, which causes a forwarding delay (about six seconds with 300 or more VLANs). | 3.7.15-3.7.16 | |
| 2798979 | Configuring a route map to filter VNIs will cause type-3 routes not to be advertised even for L2VNIs permitted through the route map | 3.7.15-3.7.16 | |
| 2792750 | If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. | 3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1 |
| 2754791 | Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | |
| 2743186 | When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.12.1 |
| 2730225 | When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2716822 | The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5 |
| 2713888 | With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctlyhal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More ResourcesTo work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.12.1 |
| 2687332 | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usageTo workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:address-family ipv4 unicastAfter: ip route 10.10.0.0/16 Null0This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2684452 | When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb deldev command2. Add “vxlan-learning”: “off” under /etc/network/ifupdown2/policy.d/vxlan.json$ cat /etc/network/ifupdown2/policy.d/vxlan.json3. Reboot the affected switch(es) | 3.7.12-3.7.16 | |
| 2669438 | Editing the /etc/frr/frr.conf file to add a new sequence at the beginning of an existing large prefix list changes the subsequent sequence numbers of the next entries in the list and FRR reload might fail with the error message frr.service reload operation timed out. Stopping. To work around this issue, instead of adding the new prefix using an existing sequence number and pushing other sequences forward, use a sequence number that is free; for example, instead of of using 5 -> 10 -> 15, use 5 -> 7 -> 10. | 3.7.11-3.7.16 | |
| 2656291 | The following CVEs affect the linux kernel package: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.12-3.7.16 | 4.0.0-4.4.5 |
| 2653400 | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | |
| 2648658 | If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.3 | 4.4.0-4.4.5 |
| 2638137 | When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file. | 3.7.13-3.7.16 | |
| 2633245 | On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | |
| 2607965 | On the EdgeCore AS7726 switch, when you run the NCLU net show system command, you see the error Command not found. | 3.7.14.2-3.7.16 | |
| 2562347 | When you bring VXLAN interfaces up and down physically or administratively, the MTU for the SVIs changes to 1550 (the default value). | 3.7.14.2-3.7.16 | |
| 2556037 | After you add an interface to the bridge, an OSPF session flap might occur | 3.7.9-4.2.0 | 4.2.1-4.4.5 |
| 2555908 | If the you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command. | 3.7.12-4.0.1 | 4.1.0-4.4.5 |
| 2555528 | In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer’s ARP policer. To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5 |
| 2555175 | Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5 |
| 2554785 | After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX=“cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2554709 | The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected their Primary IP address, the unnumbered interface does not update its Primary IP address to be the new use-source value until after there is a netlink update for that interface.To work around this issue, configure ip pim use-source on each unnumbered interface directly or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. | 3.7.13-3.7.16, 4.2.1-4.4.5 | |
| 2554617 | OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf. This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper. | 3.7.14-3.7.16, 4.0.0-4.4.5 | |
| 2554588 | If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is runningTo work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:DHCPD_PID="-pf {0}” to:DHCPD_PID="-pf {1}" | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2554369 | Certain Dell S4048-ON switches show an incorrect vendor name and hang when you issue the reboot command. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2554329 | On the Dell N3248PXE switch, fixed RJ45 interfaces with PoE neighbors can end up in Paused mode after a switchd restart, which blocks traffic on that interface. | 3.7.12-3.7.16 | |
| 2553887 | When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2553677 | When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:
To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:
Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | |
| 2553219 | You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2553116 | When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2553050 | SNMP status might incorrectly reflect that a BGP neighbor is down due to an issue between bgpd and SNMP AgentX when the IP-FORWARD-MIB is also polled.To work around this issue, avoid polling IP-FORWARD-MIB objects. | 3.7.12-3.7.16 | |
| 2553015 | If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | |
| 2552939 | RX_DRP on a bond interface increases without any data traffic while the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2552869 | On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2552742 | On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2552739 | Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | |
| 2552610 | The following vulnerability has been announced: CVE-2019-11360: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c. | 3.7.13-4.2.0 | 4.2.1-4.4.5 |
| 2552294 | NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2552266 | OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files. The two scenarios where an exploit may be useful to an attacker: -The user is authorized to scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.-An attacker plants a maliciously named file in a directory tree that someone later uses scp -r to copy over to the target computer.Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server.If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously-named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files.To disable scp completely, use /bin/chmod 0 /usr/bin/scp . | 3.7.14-3.7.16, 4.0.0-4.4.5 | |
| 2551911 | ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551578 | When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2551565 | If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both the VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affectedTo work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands. | 3.7.13-3.7.16, 4.2.0-4.4.5 | |
| 2551554 | Customers running security scans on Cumulus Linux 4 may encounter the listing of an incorrect version of u-boot 2014.10+dfsg1-4 with the following vulnerabilities:CVE-2017-3225CVE-2017-3226CVE-2018-18440CVE-2019-11690CVE-2019-13103CVE-2019-14192CVE-2019-14193CVE-2019-14194CVE-2019-14195CVE-2019-14196CVE-2019-14197CVE-2019-14198CVE-2019-14199CVE-2019-14200CVE-2019-14201CVE-2019-14202CVE-2019-14203CVE-2019-14204CVE-2020-10648The u-boot-tools package is not installed on the switch by default, but is available in the repository for optional installation. On Cumulus Linux 4, the version is at least 2019.01+dfsg-7. However, the older versions available for optional installation on Cumulus Linux 3 may be vulnerable According to https://security-tracker.debian.org/tracker/source-package/u-boot , all except the following are fixed in 2019.01+dfsg-7:CVE-2017-3225: https://security-tracker.debian.org/tracker/CVE-2017-3225 says “Negligible security impact” CVE-2017-3226: https://security-tracker.debian.org/tracker/CVE-2017-3226 says “Negligible security impact” CVE-2018-18440: https://security-tracker.debian.org/tracker/CVE-2018-18440 says “No security impact as supported/packaged in Debian”. | 3.7.12-3.7.16 | 4.0.0-4.4.5 |
| 2551305 | The net show configuration command provides the wrong net add command for ACL under the VLAN interface. | 3.7.12-3.7.16, 4.1.0-4.4.5 | |
| 2551288 | When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2550974 | On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | |
| 2550942 | NCLU tab completion for net show displays the text add help text instead of system Information for the system option. | 3.7.11-4.2.0 | 4.2.1-4.4.5 |
| 2550796 | On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero. To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2550793 | The NCLU net show bridge spanning-tree command displays the aging timer incorrectly. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550478 | VXLAN interface as in-interface or out-interface in an ACL is not supported in Spectrum-based switches. | 3.7.7-4.2.0 | 4.2.1-4.4.5, 4.3.0-4.4.5 |
| 2550444 | Tab completion for the net show rollback description command returns information about a snapshot instead of context help.To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550443 | The net show rollback description command returns an error even if the string matches a commit description.To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550276 | In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added.All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2550243 | When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service. For example:
| 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550056 | The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549925 | When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:
To work around this issue, run the ifreload -a command a second time. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2549872 | If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error. | 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549838 | In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel. If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel. To work around this issue, delete, then re-add the missing VNI. For example:
If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2549782 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2549731 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549472 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2549371 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.3 | 4.4.0-4.4.5 |
| 2549307 | The following vulnerabilities affect git, which is available in the repository for optional installation: CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host. CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5 |
| 2548962 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5 |
| 2548930 | On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2548746 | On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2548657 | When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:
You can safely ignore these error messages. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548490 | A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.To work around this issue, reenter the redistribute <connected|static> route-map statement in the configuration. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2548485 | If you configure the aggregate-addresssummary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:Existing configuration:router bgp 1If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,To work around this issue, remove, then re-add the component prefix routes. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2548315 | The following security advisory has been announced for bash: CVE-2019-18276 Qualys scan QID 372268 setuid vulnerability When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges.To work around this issue, do not make bash or bash scripts setuid. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548243 | On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2548155 | The net show bgp neighbor swpX json command shows negative output for the bgpTimerUpMsec timer. | 3.7.10-3.7.16 | 4.0.0-4.4.5 |
| 2548117 | In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548024 | On the Dell Z9100 switch, 100G-SR4 modules might not link up reliably in certain ports. swp1, 2, 3, 9, 10, 23, 24, 30, 31, and 32 might be affected To work around this issue, move 100G SR4 modules to one of the ports not affected by this issue. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547942 | On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547878 | The following vulnerability has been found in the libgcrypt20 cryptographic library.CVE-2019-13627: there was a ECDSA timing attack. For more information, see https://www.debian.org/lts/security/2020/dla-1931-2.en.html Vulnerable: 1.6.3-2+deb8u7 Fixed: 1.6.3-2+deb8u8 | 3.7.11-3.7.16 | |
| 2547876 | The following vulnerability affects libxml2: CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c has a memory leak related to newDoc->oldNs. This can lead to a denial of service. For more information, see https://www.debian.org/lts/security/2019/dla-2048.en.html . Vulnerable: 2.9.1+dfsg1-5+deb8u7 Fixed: 2.9.1+dfsg1-5+deb8u8 | 3.7.11-3.7.16 | |
| 2547874 | The following vulnerability affects libbsd, a package containing utility functions from BSD systems. CVE-2016-2090: In function fgetwln() an off-by-one error could triggers a heap buffer overflow. For more information, see https://www.debian.org/lts/security/2019/dla-2052.en.html . Vulnerable: 0.7.0-2 Fixed: 0.7.0-2+deb8u1 | 3.7.11-3.7.16 | |
| 2547839 | When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547782 | If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547706 | When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547659 | On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547573 | On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU. | 3.7.9-3.7.16 | |
| 2547443 | On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547381 | The hsflowd service sends an undefined header protocol 0 in the sampled flow sample to the collector, which is not recognized by the sFlow tool. You see errors similar to the following:
| 3.7.11-3.7.16 | 4.0.0-4.4.5 |
| 2547349 | When you change an interface IP address, then change it back, static routes are misprogrammed One of the following actions recovers the routes:- Bounce both layer 3 interfaces- Remove or add static routes in FRR- Restart FRR | 3.7.11-3.7.16 | 4.0.0-4.4.5 |
| 2547123 | On the Broadcom switch with the Trident3 ASC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547120 | After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom –init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547118 | The following security vulnerabilities have been announced in the libtiff5 library on Cumulus Linux 4.0: CVE-2019-14973, CVE-2019-17546: Multiple integer overflows have been discovered in the libtiff library and the included tools. Vulnerable: 4.0.10-4 Fixed: 4.1.0+git191117-2~deb10u1 | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2547100 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547068 | Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available or manually disable CPU C-states in the kernel as outlined below To permanently disable C-states using a kernel boot parameter:1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if /etc/default/grub file contains the line GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off”, change it to GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0”2. Run sudo update-grub3. Reboot the system with sudo rebootTo disable cstates in realtime on the current system, which does not persist through a reboot:1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade;sudo apt install libpci32. Disable C-states by running the command ./cpupower idle-set -d 2C-states are disabled by default in Cumulus Linux 4.3.0 and later. | 3.7.9-4.2.1 | 4.3.0-4.4.5 |
| 2546991 | The FRR service does not provide a way for automation to know if the configuration applied properly. To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546895 | If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.serviceTo increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter2.Restart the switchd service with the sudo systemctl restart switchd.service commandsystemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546450 | On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold. | 3.7.11-3.7.16 | |
| 2546385 | SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | |
| 2546225 | When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.
To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546203 | When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior: * Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet. * If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet. | 3.7.11-3.7.16 | |
| 2546131 | On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546010 | When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist. | 3.7.10-3.7.16 | |
| 2545997 | The NCLU command net show interface produces an error if bonds with no members exist.To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a. | 3.7.10-3.7.16 | |
| 2545566 | The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT. | 3.7.12-4.0.1 | 4.1.0-4.4.5 |
| 2545446 | If you use NCLU commands to add a non-MLAG bond, then add an MLAG configuration, the net commit command fails. However, a subsequent net commit command succeeds. | 3.7.10-3.7.16 | |
| 2545125 | If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
| 2544978 | If you delete an undefined bond, then add a bond slave, the net commit command fails. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544968 | FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
should be:
To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544953 | When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
| 2544904 | After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements. To work around this issue, restart FRR after removing the IPv6 numbered configuration. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544829 | Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | |
| 2544671 | Package : sudoCVE ID : CVE-2019-14287Debian Bug : 942322Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows to run commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html We recommend that you upgrade your sudo packages. For the detailed security status of sudo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudoVulnerable versions: < 1.8.27-1+deb10u1Fixed versions: >= 1.8.27-1+deb10u1To work around this iisue, disable (comment out) any sudoers entries in /etc/sudoers or files in /etc/sudoers.d that have entries with !root in them. Only root or other users with a uid of 0 that are affected. | 3.7.9-3.7.16 | 4.0.0-4.4.5 |
| 2544556 | If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:
If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544463 | Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544456 | The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544311 | Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544235 | The following CVEs affect the linux kernel package: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.10-3.7.16 | |
| 2544155 | NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544113 | Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link. To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2543900 | On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543841 | The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543840 | On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file. | 3.7.6-3.7.16 | |
| 2543800 | When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2543647 | ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
| 3.7.6-4.2.1 | 4.3.0-4.4.5 |
| 2543646 | In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543627 | Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543270 | The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2543164 | The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2543096 | When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543058 | The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces. To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543052 | Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as “inactive” in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR. To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:
You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2543044 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2542979 | On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5 |
| 2542945 | On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
| 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542310 | hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6. | 3.7.6-3.7.16 | |
| 2542305 | If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542301 | When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2541212 | The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2541165 | On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false. | 3.7.6-3.7.16 | |
| 2541029 | On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540950 | On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status. | 3.7.3-4.1.1 | 4.2.0-4.4.5 |
| 2540885 | The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports. | 3.7.7-3.7.16 | |
| 2540863 | On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number. | 3.7.3-3.7.16 | |
| 2540753 | If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
| 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540444 | SNMP incorrectly requires engine ID specification. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540352 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2540340 | NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540274 | On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540204 | When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540192 | The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540155 | On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540042 | When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540041 | On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540040 | Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540031 | NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2539994 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539670 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539124 | The net add interface command adds no ptm-enable for that interface in the frr.conf file.Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2538875 | IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file. | 3.7.2-3.7.16 | |
| 2538790 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538590 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538562 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538256 | On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets. | 3.7.2-4.0.1 | 4.1.0-4.4.5 |
| 2537819 | When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537188 | When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network. | 3.7.2-3.7.16 | |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2533691 | If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2532017 | In FRR, bgp_snmp does not show all BGP peers when peer groups used. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
Fixed Issues in 3.7.16
| Issue ID | Description | Affects |
|---|---|---|
| 3135801 | Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop. | 3.7.12-3.7.15 |
| 2973714 | When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15, 4.3.0, 4.4.0-4.4.1 |
| 2964279 | When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. | 3.7.15, 4.4.2-4.4.5, 5.0.0-5.12.1 |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 |
| 2959024 | ACL rules do not always install in hardware after switch reboot To work around this issue, run the sudo cl-acltool -i command to reinstall the ACL rules. | 3.7.14.2-3.7.15 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 |
| 2943442 | Cumulus Linux lets you add more than one VXLAN interface to same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN. | 3.7.15, 4.2.1-4.3.0, 4.4.2-5.0.1 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 |
| 2940076 | In a VXLAN fabric with ToR switches configured in a MLAG pair, BUM traffic received on a VXLAN tunnel is decapsulated and forwarded on the peer link bond. The BUM traffic is then encapsulated by the peer switch and sent back to the fabric. The issue has been seen in environments where the following conditions exist at the same time:1) high VNI scale2) switchd is busy processing updates3) clagd is in a transition state, such as Up, then Down, then Up. For example, when clagd restarts, the switch reboots, and so onThe problem is seen on the switch that experiences the clagd state transition. | 3.7.12-3.7.15 |
| 2940063 | Under certain high scale conditions, various modules might experience timetouts during cl-support collection, which results in missing data in the cl-support file. | 3.7.12-3.7.15, 4.1.1-4.3.0 |
| 2940052 | When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. | 3.7.15, 4.2.1-4.3.0 |
| 2940051 | In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 |
| 2934940 | When you change the SVI vlan-id value in the /etc/network/interfaces file, then run ifreload -a, the 802.1Q ID for the SVI in the kernel does not change.This operation is not supported in the kernel without recreating the SVI. To apply the change, run ifdown, then ifup for the SVI to recreate the interface. | 3.7.13-3.7.15, 4.2.1 |
| 2934938 | When the clagd process terminates unexpectedly due to signals such as sig11 or sig6, no core file is generated. | 3.7.15 |
| 2934935 | VXLAN route updates during high frequency might cause switchd to leak memory. | 3.7.14.2-3.7.15 |
| 2923748 | CVE-2021-43818: lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs Vulnerable: <= 3.4.0-1+deb8u4Fixed: 3.4.0-1+deb8u5 | 3.7.15 |
| 2923737 | When switchd restarts, the port watch daemon (portwd) attempts to send requests to switchd before switchd is ready. As a result, portwd goes into a failed state because there is no response from switchd. | 3.7.15 |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 |
| 2879645 | When you add a new VLAN, the VLAN interface type shows as unknown and cannot be reached. | 3.7.15 |
| 2875279 | In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-5.0.1 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 |
| 2848219 | On the Dell S3048 switch configured for 802.1x authentication, you might see file descriptor exhaustion with hostapd messages indicating that Cumulus Linux is unable to open /dev/urandom or write out the transient ACL files. To work around this issue, reboot the switch. | 4.3.0 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 |
| 2821970 | When there is a netlink event showing an update to a forwarding database entry from the VXLAN driver, ip monitor reports the remote VTEP address (dst) as ??? . The bridge monitor command correctly shows the value. | 3.7.15 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 |
| 2817130 | The cl-route-check –layer3 command fails with a memory error. For example:cumulus@switch:~$ sudo cl-route-check –layer3Traceback (most recent call last): | 3.7.15 |
| 2815592 | In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 |
| 2803044 | In an EVPN configuration with IP or MAC mobility, higher MM EVPN routes do not remove the old ARP entries during VIP migration between VTEP racks. | 3.7.14.2-3.7.15 |
| 2801262 | On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. | 3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 |
| 2799742 | On the Edgecore AS4610 switch, the historic CPU usage displayed in /run/sysmonitor/history sometimes shows as a negative value. | 4.2.1-4.3.0 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 |
| 2794750 | When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 |
| 2736265 | After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-3.7.15, 4.2.1-4.3.0 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 |
| 2717312 | When you modify a prefix list with NCLU commands, the bgpd service crashes. | 3.7.14.2-3.7.15 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 |
| 2700767 | Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 |
| 2690100 | When you run the vtysh show ip bgp vrf command, the bgpd service crashes if you use vrf all. For example:spine01# show ip bgp vrf all statistics vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error! spine01# show bgp vrf all ipv6 unicast statistics To workaround this issue, run the command against each VRF independently. | 3.7.15, 4.0.0-4.3.0 |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-3.7.15, 4.0.0-4.3.3 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 |
| 2669831 | If you try to remove BFD configuration with systemctl reload frr, the FRR service fails. The reload action results in a TypeError: expected string or bytes-like object errorYou see this issue only if there is default configuration, such as configuration in the /etc/frr/frr.conf file that is suppressed from view in the FRR running configurationTo work around this issue, remove the default configuration lines; for example: username cumulus nopassword | 3.7.14.2-3.7.15 |
| 2668483 | If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent FDB entry for the old MAC address. | 3.7.15, 4.3.0, 4.4.0-4.4.3, 5.0.0-5.0.1 |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 |
| 2660582 | In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure) To recover restart the clagd service with sudo systemctl restart clagd.service | 3.7.8-3.7.15 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 |
| 2645846 | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. | 3.7.10-3.7.15 |
| 2638400 | When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role. | 3.7.15, 4.3.0 |
| 2581473 | When netq-agent is installed on the Dell N3048EP platform, switchd might crash if pluggables are installed in the SFP+ ports. | 3.7.13-3.7.15 |
| 2548044 | When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 |
3.7.15 Release Notes
Open Issues in 3.7.15
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3216759 | With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctlyhal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More ResourcesTo work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 3135801 | Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop. | 3.7.12-4.3.0 | 4.3.1-4.4.5 |
| 3129819 | On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime. | 3.7.15-3.7.16 | |
| 3120423 | When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. | 3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.12.1 |
| 3093966 | On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
| 3073668 | On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | |
| 3072674 | In an MLAG configuration, if you put a single connected interface into an admin down state, any dynamic MAC addresses on the peer link are flushed, then added back, which causes momentary traffic disruption. | 3.7.15-5.1.0 | 5.2.0-5.12.1 |
| 3072613 | When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
| 3066704 | The hostapd service stops working if an 802.1X interface goes up and down many times over a long period of timeTo work around this issue, restart the hostapd service with the systemctl restart hostapd command. | 3.7.15-4.3.0 | 4.3.1-4.4.5 |
| 3053063 | The update-ports.service fails because a blank space in the comment lines of the /etc/cumulus/ports.conf file causes parsing errors. To work around this issue, remove the blank spaces in the commented lines, then restart the update-ports and switchd services. | 3.7.15-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5 |
| 3020254 | When ARP suppression is off, GARPs from neighmgrd for remote neighbors are sent over VXLAN. | 3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.3.1, 4.4.4-4.4.5, 5.2.0-5.12.1 |
| 3017190 | When you power cycle the switch, multiple interfaces came up in a PoE disabled state To work around this issue, run the sudo poectl -a | grep disabled command to find ports with disabled POE. Run the sudo poectl -e swp1-swp48 command to enable POE on affected ports. | 3.7.10-3.7.16 | |
| 3015881 | Traffic flows fail because the remote VTEP IP address is missing in the layer 3 neighbor table in hardware on the switch. This happens when there is a neighbor entry for the same /32 that we have also received a type-5 route for. When the route is learned after the neighbor entry there is a timing condition that can be hit that will cause the neighbor entry to get removed from hardware when the route is installed in hardware This condition has been seen when customers re-use the VTEP IP on an interface inside of a vrf. The neigh entry for the TEP IP is installed when a symmetric route is learned via that VTEP. The Type-5 route for the TEP IP is learned in the VRF if the customer has redistributed it or advertised it within BGP in the VRF. | 3.7.15-3.7.16 | |
| 2993719 | After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. This is issue is impacting all Cumulus Linux releases. The following attribute: vxlan-purge-remotes yes is intended to fix the issue (this attribute has been available since CL2). It was decided to change ifupdown2’s default behavior to automatically purge BUM entries added by ifup/ifreload. | 3.7.15-5.0.1 | 5.1.0-5.12.1, 5.2.0-5.12.1 |
| 2991514 | Cumulus Linux can take a long time (100 seconds) to sync a large number of VNIs on a bridge. | 3.7.15-4.3.0 | 4.3.1-4.4.5 |
| 2973714 | When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15-4.3.0, 4.4.0-4.4.1 | 4.3.1, 4.4.2-4.4.5, 5.0.0-5.12.1 |
| 2972538 | With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 3.7.15-3.7.16 | |
| 2965759 | On the EdgeCore AS4610-54T switch, the fan speed reports a minimum threshold in the logs. | 3.7.15-3.7.16 | |
| 2964279 | When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. | 3.7.15, 4.4.2-4.4.5, 5.0.0-5.12.1 | 3.7.16 |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2959067 | ECMP produces errors indicating No More Resources and switchd crashes even when ECMP utilization is low. | 3.7.14.2-4.2.1 | 4.3.0-4.4.5 |
| 2959024 | ACL rules do not always install in hardware after switch reboot To work around this issue, run the sudo cl-acltool -i command to reinstall the ACL rules. | 3.7.14.2-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2951110 | The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.12.1 | |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2947679 | If the clagd service stops during initDelay, the peerlink flag does not clear from any VNIs that become dual connected during this time. switchd uses the peerlink flag to program MLAG loop prevention. As a result of the overlapping stale flags, traffic destined for the VXLAN might drop. | 3.7.15-3.7.16 | |
| 2943442 | Cumulus Linux lets you add more than one VXLAN interface to same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN. | 3.7.15-4.3.0, 4.4.2-5.0.1 | 4.3.1, 5.1.0-5.12.1 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2940076 | In a VXLAN fabric with ToR switches configured in a MLAG pair, BUM traffic received on a VXLAN tunnel is decapsulated and forwarded on the peer link bond. The BUM traffic is then encapsulated by the peer switch and sent back to the fabric. The issue has been seen in environments where the following conditions exist at the same time:1) high VNI scale2) switchd is busy processing updates3) clagd is in a transition state, such as Up, then Down, then Up. For example, when clagd restarts, the switch reboots, and so onThe problem is seen on the switch that experiences the clagd state transition. | 3.7.12-3.7.15 | 3.7.16 |
| 2940063 | Under certain high scale conditions, various modules might experience timetouts during cl-support collection, which results in missing data in the cl-support file. | 3.7.12-3.7.15, 4.1.1-4.3.0 | 3.7.16, 4.3.1-4.4.5, 5.0.0-5.12.1 |
| 2940052 | When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. | 3.7.15-4.3.0 | 4.3.1-4.4.5 |
| 2940051 | In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.12.1 |
| 2934940 | When you change the SVI vlan-id value in the /etc/network/interfaces file, then run ifreload -a, the 802.1Q ID for the SVI in the kernel does not change.This operation is not supported in the kernel without recreating the SVI. To apply the change, run ifdown, then ifup for the SVI to recreate the interface. | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2934939 | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usageTo workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:address-family ipv4 unicastAfter: ip route 10.10.0.0/16 Null0This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-3.7.16 | |
| 2934938 | When the clagd process terminates unexpectedly due to signals such as sig11 or sig6, no core file is generated. | 3.7.15-3.7.16 | |
| 2934935 | VXLAN route updates during high frequency might cause switchd to leak memory. | 3.7.14.2-4.3.0 | 4.3.1-4.4.5 |
| 2923748 | CVE-2021-43818: lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs Vulnerable: <= 3.4.0-1+deb8u4Fixed: 3.4.0-1+deb8u5 | 3.7.15 | 3.7.16 |
| 2923737 | When switchd restarts, the port watch daemon (portwd) attempts to send requests to switchd before switchd is ready. As a result, portwd goes into a failed state because there is no response from switchd. | 3.7.15 | 3.7.16, 4.3.1-4.4.5 |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2910017 | SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. | 3.7.15-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.12.1 |
| 2899413 | Broadcom switches return a table full error when creating VXLAN gports, which causes switchd to crash. | 3.7.15-4.3.0 | 4.3.1-4.4.5 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2879645 | When you add a new VLAN, the VLAN interface type shows as unknown and cannot be reached. | 3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2866084 | When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb deldev command, then add “vxlan-learning”: “off” in the /etc/network/ifupdown2/policy.d/vxlan.json file:$ cat /etc/network/ifupdown2/policy.d/vxlan.jsonReboot the affected switches. | 3.7.12-4.3.0 | 4.3.1-4.4.5 |
| 2866061 | On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 3.7.12-3.7.16 | |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2859177 | The cl-route-check –layer3 command fails with a memory error. For example:cumulus@switch:~$ sudo cl-route-check –layer3Traceback (most recent call last): | 3.7.15-3.7.16 | |
| 2855908 | Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send To work around this issue, run the vtysh clear ip mroute command. | 3.7.15-4.3.0, 4.4.0-5.0.1 | 4.3.1, 5.1.0-5.12.1 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2853536 | MLAG between Cumulus Linux and Arista devices might result in some links being suspended by the Arista devices with the error LACP partner validation failedThis happens when you use the same LACP port ID for more than one bond member on the Cumulus Linux switch To work around this issue, run the net add bond command on the bond on the Cumulus Linux switch. For proper operation, you need to make the equivalent change on the device on the other side of the link. | 3.7.15-3.7.16 | |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2827336 | After bringing up a bridge port, there is a multi second delay before the bridge port is able to learn any MAC addresses or neighbors, which causes a forwarding delay (about six seconds with 300 or more VLANs). | 3.7.15-3.7.16 | |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2821970 | When there is a netlink event showing an update to a forwarding database entry from the VXLAN driver, ip monitor reports the remote VTEP address (dst) as ??? . The bridge monitor command correctly shows the value. | 3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2817130 | The cl-route-check –layer3 command fails with a memory error. For example:cumulus@switch:~$ sudo cl-route-check –layer3Traceback (most recent call last): | 3.7.15 | 3.7.16, 5.0.0-5.12.1 |
| 2815592 | In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.12.1 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2803044 | In an EVPN configuration with IP or MAC mobility, higher MM EVPN routes do not remove the old ARP entries during VIP migration between VTEP racks. | 3.7.14.2-3.7.15 | 3.7.16 |
| 2801262 | On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. | 3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.12.1 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798979 | Configuring a route map to filter VNIs will cause type-3 routes not to be advertised even for L2VNIs permitted through the route map | 3.7.15-3.7.16 | |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2794750 | When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2792750 | If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. | 3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2754791 | Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | |
| 2743186 | When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.12.1 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736265 | After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2730225 | When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2717312 | When you modify a prefix list with NCLU commands, the bgpd service crashes. | 3.7.14.2-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2716822 | The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5 |
| 2713888 | With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctlyhal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More ResourcesTo work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.12.1 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2700767 | Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16 |
| 2690100 | When you run the vtysh show ip bgp vrf command, the bgpd service crashes if you use vrf all. For example:spine01# show ip bgp vrf all statistics vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error! spine01# show bgp vrf all ipv6 unicast statistics To workaround this issue, run the command against each VRF independently. | 3.7.15, 4.0.0-4.3.0 | 3.7.16, 4.3.1-4.4.5 |
| 2687332 | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usageTo workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:address-family ipv4 unicastAfter: ip route 10.10.0.0/16 Null0This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2684452 | When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb deldev command2. Add “vxlan-learning”: “off” under /etc/network/ifupdown2/policy.d/vxlan.json$ cat /etc/network/ifupdown2/policy.d/vxlan.json3. Reboot the affected switch(es) | 3.7.12-3.7.16 | |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2669831 | If you try to remove BFD configuration with systemctl reload frr, the FRR service fails. The reload action results in a TypeError: expected string or bytes-like object errorYou see this issue only if there is default configuration, such as configuration in the /etc/frr/frr.conf file that is suppressed from view in the FRR running configurationTo work around this issue, remove the default configuration lines; for example: username cumulus nopassword | 3.7.14.2-3.7.15 | 3.7.16 |
| 2669438 | Editing the /etc/frr/frr.conf file to add a new sequence at the beginning of an existing large prefix list changes the subsequent sequence numbers of the next entries in the list and FRR reload might fail with the error message frr.service reload operation timed out. Stopping. To work around this issue, instead of adding the new prefix using an existing sequence number and pushing other sequences forward, use a sequence number that is free; for example, instead of of using 5 -> 10 -> 15, use 5 -> 7 -> 10. | 3.7.11-3.7.16 | |
| 2668483 | If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent FDB entry for the old MAC address. | 3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.0.1 | 4.3.1, 4.4.4-4.4.5, 5.1.0-5.12.1 |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2660582 | In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure) To recover restart the clagd service with sudo systemctl restart clagd.service | 3.7.8-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2656291 | The following CVEs affect the linux kernel package: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.12-3.7.16 | 4.0.0-4.4.5 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2653400 | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | |
| 2648658 | If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.3 | 4.4.0-4.4.5 |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2645846 | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. | 3.7.10-3.7.15 | 3.7.16, 4.3.1-4.4.5 |
| 2638400 | When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role. | 3.7.15, 4.3.0 | 3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2638137 | When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file. | 3.7.13-3.7.16 | |
| 2633245 | On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | |
| 2607965 | On the EdgeCore AS7726 switch, when you run the NCLU net show system command, you see the error Command not found. | 3.7.14.2-3.7.16 | |
| 2581473 | When netq-agent is installed on the Dell N3048EP platform, switchd might crash if pluggables are installed in the SFP+ ports. | 3.7.13-3.7.15 | 3.7.16 |
| 2562347 | When you bring VXLAN interfaces up and down physically or administratively, the MTU for the SVIs changes to 1550 (the default value). | 3.7.14.2-3.7.16 | |
| 2556037 | After you add an interface to the bridge, an OSPF session flap might occur | 3.7.9-4.2.0 | 4.2.1-4.4.5 |
| 2555908 | If the you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command. | 3.7.12-4.0.1 | 4.1.0-4.4.5 |
| 2555528 | In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer’s ARP policer. To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5 |
| 2555175 | Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5 |
| 2554785 | After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX=“cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2554709 | The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected their Primary IP address, the unnumbered interface does not update its Primary IP address to be the new use-source value until after there is a netlink update for that interface.To work around this issue, configure ip pim use-source on each unnumbered interface directly or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. | 3.7.13-3.7.16, 4.2.1-4.4.5 | |
| 2554617 | OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf. This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper. | 3.7.14-3.7.16, 4.0.0-4.4.5 | |
| 2554588 | If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is runningTo work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:DHCPD_PID="-pf {0}” to:DHCPD_PID="-pf {1}" | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2554369 | Certain Dell S4048-ON switches show an incorrect vendor name and hang when you issue the reboot command. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2554329 | On the Dell N3248PXE switch, fixed RJ45 interfaces with PoE neighbors can end up in Paused mode after a switchd restart, which blocks traffic on that interface. | 3.7.12-3.7.16 | |
| 2553887 | When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2553677 | When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:
To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:
Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | |
| 2553219 | You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2553116 | When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2553050 | SNMP status might incorrectly reflect that a BGP neighbor is down due to an issue between bgpd and SNMP AgentX when the IP-FORWARD-MIB is also polled.To work around this issue, avoid polling IP-FORWARD-MIB objects. | 3.7.12-3.7.16 | |
| 2553015 | If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | |
| 2552939 | RX_DRP on a bond interface increases without any data traffic while the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2552869 | On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2552742 | On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2552739 | Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | |
| 2552610 | The following vulnerability has been announced: CVE-2019-11360: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c. | 3.7.13-4.2.0 | 4.2.1-4.4.5 |
| 2552294 | NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2552266 | OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files. The two scenarios where an exploit may be useful to an attacker: -The user is authorized to scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.-An attacker plants a maliciously named file in a directory tree that someone later uses scp -r to copy over to the target computer.Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server.If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously-named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files.To disable scp completely, use /bin/chmod 0 /usr/bin/scp . | 3.7.14-3.7.16, 4.0.0-4.4.5 | |
| 2551911 | ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551578 | When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2551565 | If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both the VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affectedTo work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands. | 3.7.13-3.7.16, 4.2.0-4.4.5 | |
| 2551554 | Customers running security scans on Cumulus Linux 4 may encounter the listing of an incorrect version of u-boot 2014.10+dfsg1-4 with the following vulnerabilities:CVE-2017-3225CVE-2017-3226CVE-2018-18440CVE-2019-11690CVE-2019-13103CVE-2019-14192CVE-2019-14193CVE-2019-14194CVE-2019-14195CVE-2019-14196CVE-2019-14197CVE-2019-14198CVE-2019-14199CVE-2019-14200CVE-2019-14201CVE-2019-14202CVE-2019-14203CVE-2019-14204CVE-2020-10648The u-boot-tools package is not installed on the switch by default, but is available in the repository for optional installation. On Cumulus Linux 4, the version is at least 2019.01+dfsg-7. However, the older versions available for optional installation on Cumulus Linux 3 may be vulnerable According to https://security-tracker.debian.org/tracker/source-package/u-boot , all except the following are fixed in 2019.01+dfsg-7:CVE-2017-3225: https://security-tracker.debian.org/tracker/CVE-2017-3225 says “Negligible security impact” CVE-2017-3226: https://security-tracker.debian.org/tracker/CVE-2017-3226 says “Negligible security impact” CVE-2018-18440: https://security-tracker.debian.org/tracker/CVE-2018-18440 says “No security impact as supported/packaged in Debian”. | 3.7.12-3.7.16 | 4.0.0-4.4.5 |
| 2551305 | The net show configuration command provides the wrong net add command for ACL under the VLAN interface. | 3.7.12-3.7.16, 4.1.0-4.4.5 | |
| 2551288 | When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2550974 | On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | |
| 2550942 | NCLU tab completion for net show displays the text add help text instead of system Information for the system option. | 3.7.11-4.2.0 | 4.2.1-4.4.5 |
| 2550796 | On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero. To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2550793 | The NCLU net show bridge spanning-tree command displays the aging timer incorrectly. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550478 | VXLAN interface as in-interface or out-interface in an ACL is not supported in Spectrum-based switches. | 3.7.7-4.2.0 | 4.2.1-4.4.5, 4.3.0-4.4.5 |
| 2550444 | Tab completion for the net show rollback description command returns information about a snapshot instead of context help.To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550443 | The net show rollback description command returns an error even if the string matches a commit description.To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550276 | In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added.All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2550243 | When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service. For example:
| 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550056 | The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549925 | When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:
To work around this issue, run the ifreload -a command a second time. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2549872 | If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error. | 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549838 | In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel. If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel. To work around this issue, delete, then re-add the missing VNI. For example:
If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2549782 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2549731 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549472 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2549371 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.3 | 4.4.0-4.4.5 |
| 2549307 | The following vulnerabilities affect git, which is available in the repository for optional installation: CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host. CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5 |
| 2548962 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5 |
| 2548930 | On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2548746 | On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2548657 | When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:
You can safely ignore these error messages. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548490 | A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.To work around this issue, reenter the redistribute <connected|static> route-map statement in the configuration. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2548485 | If you configure the aggregate-addresssummary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:Existing configuration:router bgp 1If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,To work around this issue, remove, then re-add the component prefix routes. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2548315 | The following security advisory has been announced for bash: CVE-2019-18276 Qualys scan QID 372268 setuid vulnerability When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges.To work around this issue, do not make bash or bash scripts setuid. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548243 | On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2548155 | The net show bgp neighbor swpX json command shows negative output for the bgpTimerUpMsec timer. | 3.7.10-3.7.16 | 4.0.0-4.4.5 |
| 2548117 | In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548044 | When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16 |
| 2548024 | On the Dell Z9100 switch, 100G-SR4 modules might not link up reliably in certain ports. swp1, 2, 3, 9, 10, 23, 24, 30, 31, and 32 might be affected To work around this issue, move 100G SR4 modules to one of the ports not affected by this issue. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547942 | On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547878 | The following vulnerability has been found in the libgcrypt20 cryptographic library.CVE-2019-13627: there was a ECDSA timing attack. For more information, see https://www.debian.org/lts/security/2020/dla-1931-2.en.html Vulnerable: 1.6.3-2+deb8u7 Fixed: 1.6.3-2+deb8u8 | 3.7.11-3.7.16 | |
| 2547876 | The following vulnerability affects libxml2: CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c has a memory leak related to newDoc->oldNs. This can lead to a denial of service. For more information, see https://www.debian.org/lts/security/2019/dla-2048.en.html . Vulnerable: 2.9.1+dfsg1-5+deb8u7 Fixed: 2.9.1+dfsg1-5+deb8u8 | 3.7.11-3.7.16 | |
| 2547874 | The following vulnerability affects libbsd, a package containing utility functions from BSD systems. CVE-2016-2090: In function fgetwln() an off-by-one error could triggers a heap buffer overflow. For more information, see https://www.debian.org/lts/security/2019/dla-2052.en.html . Vulnerable: 0.7.0-2 Fixed: 0.7.0-2+deb8u1 | 3.7.11-3.7.16 | |
| 2547839 | When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547782 | If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547706 | When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547659 | On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547573 | On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU. | 3.7.9-3.7.16 | |
| 2547443 | On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547381 | The hsflowd service sends an undefined header protocol 0 in the sampled flow sample to the collector, which is not recognized by the sFlow tool. You see errors similar to the following:
| 3.7.11-3.7.16 | 4.0.0-4.4.5 |
| 2547349 | When you change an interface IP address, then change it back, static routes are misprogrammed One of the following actions recovers the routes:- Bounce both layer 3 interfaces- Remove or add static routes in FRR- Restart FRR | 3.7.11-3.7.16 | 4.0.0-4.4.5 |
| 2547123 | On the Broadcom switch with the Trident3 ASC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547120 | After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom –init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547118 | The following security vulnerabilities have been announced in the libtiff5 library on Cumulus Linux 4.0: CVE-2019-14973, CVE-2019-17546: Multiple integer overflows have been discovered in the libtiff library and the included tools. Vulnerable: 4.0.10-4 Fixed: 4.1.0+git191117-2~deb10u1 | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2547100 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547068 | Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available or manually disable CPU C-states in the kernel as outlined below To permanently disable C-states using a kernel boot parameter:1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if /etc/default/grub file contains the line GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off”, change it to GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0”2. Run sudo update-grub3. Reboot the system with sudo rebootTo disable cstates in realtime on the current system, which does not persist through a reboot:1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade;sudo apt install libpci32. Disable C-states by running the command ./cpupower idle-set -d 2C-states are disabled by default in Cumulus Linux 4.3.0 and later. | 3.7.9-4.2.1 | 4.3.0-4.4.5 |
| 2546991 | The FRR service does not provide a way for automation to know if the configuration applied properly. To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546895 | If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.serviceTo increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter2.Restart the switchd service with the sudo systemctl restart switchd.service commandsystemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546450 | On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold. | 3.7.11-3.7.16 | |
| 2546385 | SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | |
| 2546225 | When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.
To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546203 | When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior: * Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet. * If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet. | 3.7.11-3.7.16 | |
| 2546131 | On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546010 | When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist. | 3.7.10-3.7.16 | |
| 2545997 | The NCLU command net show interface produces an error if bonds with no members exist.To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a. | 3.7.10-3.7.16 | |
| 2545566 | The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT. | 3.7.12-4.0.1 | 4.1.0-4.4.5 |
| 2545446 | If you use NCLU commands to add a non-MLAG bond, then add an MLAG configuration, the net commit command fails. However, a subsequent net commit command succeeds. | 3.7.10-3.7.16 | |
| 2545125 | If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
| 2544978 | If you delete an undefined bond, then add a bond slave, the net commit command fails. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544968 | FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
should be:
To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544953 | When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
| 2544904 | After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements. To work around this issue, restart FRR after removing the IPv6 numbered configuration. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544829 | Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | |
| 2544671 | Package : sudoCVE ID : CVE-2019-14287Debian Bug : 942322Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows to run commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html We recommend that you upgrade your sudo packages. For the detailed security status of sudo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudoVulnerable versions: < 1.8.27-1+deb10u1Fixed versions: >= 1.8.27-1+deb10u1To work around this iisue, disable (comment out) any sudoers entries in /etc/sudoers or files in /etc/sudoers.d that have entries with !root in them. Only root or other users with a uid of 0 that are affected. | 3.7.9-3.7.16 | 4.0.0-4.4.5 |
| 2544556 | If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:
If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544463 | Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544456 | The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544311 | Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544235 | The following CVEs affect the linux kernel package: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.10-3.7.16 | |
| 2544155 | NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544113 | Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link. To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2543900 | On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543841 | The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543840 | On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file. | 3.7.6-3.7.16 | |
| 2543800 | When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2543647 | ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
| 3.7.6-4.2.1 | 4.3.0-4.4.5 |
| 2543646 | In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543627 | Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543270 | The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2543164 | The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2543096 | When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543058 | The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces. To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543052 | Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as “inactive” in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR. To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:
You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2543044 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2542979 | On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5 |
| 2542945 | On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
| 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542310 | hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6. | 3.7.6-3.7.16 | |
| 2542305 | If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542301 | When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2541212 | The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2541165 | On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false. | 3.7.6-3.7.16 | |
| 2541029 | On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540950 | On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status. | 3.7.3-4.1.1 | 4.2.0-4.4.5 |
| 2540885 | The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports. | 3.7.7-3.7.16 | |
| 2540863 | On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number. | 3.7.3-3.7.16 | |
| 2540753 | If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
| 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540444 | SNMP incorrectly requires engine ID specification. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540352 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2540340 | NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540274 | On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540204 | When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540192 | The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540155 | On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540042 | When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540041 | On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540040 | Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540031 | NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2539994 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539670 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539124 | The net add interface command adds no ptm-enable for that interface in the frr.conf file.Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2538875 | IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file. | 3.7.2-3.7.16 | |
| 2538790 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538590 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538562 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538256 | On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets. | 3.7.2-4.0.1 | 4.1.0-4.4.5 |
| 2537819 | When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537188 | When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network. | 3.7.2-3.7.16 | |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2533691 | If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2532017 | In FRR, bgp_snmp does not show all BGP peers when peer groups used. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
Fixed Issues in 3.7.15
| Issue ID | Description | Affects |
|---|---|---|
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 |
| 2628515 | CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service (“CallStranger”) Vulnerable: <= 2.8.0-cl4.3.1u1Fixed: wpa / hostapd removed from Cumulus Linux 5.0.0If your Cumulus Linux 5.0.0 switch was upgraded by apt from Cumulus Linux 4.3.0 or earlier, a vulnerable hostapd package may be present but unused. To remove it, use “sudo dpkg -r hostapd”. | 3.7.14-3.7.14.2, 4.3.0-4.3.3 |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 |
| 2617005 | CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25687: several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server that could result in denial of service, cache poisoning or the execution of arbitrary code Vulnerable: <= 2.72-3+deb8u5Fixed: 2.72-3+deb8u6 | 3.7.14-3.7.14.2 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 |
| 2599607 | In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-3.7.14.2 |
| 2595889 | In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-3.7.14.2, 4.0.0-4.2.1 |
| 2595816 | Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 |
| 2589747 | If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a good bye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal it is going down, (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 |
| 2574294 | CVE-2021-3410: A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context Vulnerable: <= 0.99.beta19-2+deb8u1Fixed: 0.99.beta19-2+deb8u2 | 3.7.14-3.7.14.2 |
| 2566880 | CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.3 |
| 2562511 | hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary radius is reachable but not responding to Access-RequestsIf the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers. | 3.7.10-3.7.14.2 |
| 2562396 | CVE-2020-27824: Global buffer overflow on irreversible conversion when too many decomposition levels are specified. CVE-2020-27841: Crafted input to be processed by the openjpeg encoder could cause an out-of-bounds read. CVE-2020-27845: Crafted input can cause out-of-bounds-read. Vulnerable: <= 2.1.0-2+deb8u11 Fixed: 2.1.0-2+deb8u12 | 3.7.14-3.7.14.2 |
| 2562301 | CVE-2021-26937: encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence. Vulnerable: <= 4.2.1-3+deb8u1 Fixed: 4.2.1-3+deb8u2 | 3.7.14-3.7.14.2 |
| 2556815 | When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP. To work around this issue, disable ARP suppression. | 3.7.14-3.7.14.2, 4.3.0 |
| 2556782 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.3 |
| 2556780 | CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets. Vulnerable: <= 2.4.40+dfsg-1+deb8u9 Fixed: 2.4.40+dfsg-1+deb8u10 | 3.7.14-3.7.14.2 |
| 2556779 | CVE-2020-8625: Buffer overflow attack in the bind9 DNS server caused by an issue in the GSSAPI (“Generic Security Services”) security policy negotiation. Vulnerable: <= 9.9.5.dfsg-9+deb8u20 Fixed: 9.9.5.dfsg-9+deb8u21 | 3.7.14-3.7.14.2 |
| 2556763 | In a configuration with both traditional and VLAN-aware bridges, the VLAN membership check on a VLAN-aware bridge does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-3.7.14.2, 4.0.0-4.3.0 |
| 2556743 | CVE-2019-20367: An issue has been found in libbsd, a library with utility functions from BSD systems. A non-NUL terminated symbol name in the string table might result in an out-of-bounds read. Vulnerable: <= 0.7.0-2+deb8u1 Fixed: 0.7.0-2+deb8u2 | 3.7.14-3.7.14.2 |
| 2556742 | The following vulnerabilities have been announced in the openssl package: CVE-2021-23840: an issue where “Digital EnVeloPe” EVP-related calls could cause applications to behave incorrectly or even crash. CVE-2021-23841: an issue in the X509 certificate parsing caused by the lack of error handling while ingesting the “issuer” field. Vulnerable: <= 1.0.1t-1+deb8u13 Fixed: 1.0.1t-1+deb8u14 | 3.7.14-3.7.14.2 |
| 2556689 | CVE-2020-15469 A MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference. CVE-2020-15859 QEMU has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data’s address set to the e1000e’s MMIO address. CVE-2020-25084 QEMU has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. CVE-2020-28916 hw/net/e1000e_core.c has an infinite loop via an RX descriptor with a NULL buffer address. CVE-2020-29130 slirp.c has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. CVE-2020-29443 ide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds read access because a buffer index is not validated. CVE-2021-20181 9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege escalation vulnerability. CVE-2021-20221 aarch64: GIC: out-of-bound heap buffer access via an interrupt ID field. Vulnerable: <= 2.1+dfsg-12+deb8u18 Fixed: 2.1+dfsg-12+deb8u19 | 3.7.14-3.7.14.2 |
| 2556612 | CVE-2021-27135: xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence. Vulnerable: 312-2 Fixed: 312-2+deb8u1. | 3.7.14-3.7.14.2 |
| 2556585 | CVE-2021-26926: A heap buffer overflow vulnerability was discovered in JasPer, through jp2_dec.c in the jp2_decode() function. CVE-2021-26927: A null pointer access was discovered in JasPer, through jp2_dec.c in the jp2_decode() function. Vulnerable: <= 1.900.1-debian1-2.4+deb8u8 Fixed: 1.900.1-debian1-2.4+deb8u9 | 3.7.14-3.7.14.2 |
| 2556530 | CVE-2020-0256: In LoadPartitionTable of gpt.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. CVE-2021-0308: In ReadLogicalParts of basicmbr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. Vulnerable: 0.8.10-2 Fixed: 0.8.10-2+deb8u1 | 3.7.14-3.7.14.2 |
| 2556525 | CVE-2020-27351: Various memory and file descriptor leaks were discovered in the Python interface to the APT package management runtime library, which could result in denial of service. Vulnerable: <= 0.9.3.13 Fixed: 0.9.3.14 | 3.7.14-3.7.14.2 |
| 2556504 | CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230: Several vulnerabilities were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash, infinite loops) via specially crafted packets. Vulnerable: <= 2.4.40+dfsg-1+deb8u8 Fixed: 2.4.40+dfsg-1+deb8u9 | 3.7.14-3.7.14.2 |
| 2556473 | CVE-2021-3272: jp2_decode in jp2/jp2_dec.c in libjasper in JasPer has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components. Vulnerable: <= 1.900.1-debian1-2.4+deb8u6 Fixed: 1.900.1-debian1-2.4+deb8u7 | 3.7.14-3.7.14.2 |
| 2556364 | CVE-2020-35512: An issue has been found in dbus, a simple interprocess messaging system. On a system having multiple usernames sharing the same UID a use-after-free might happen, that could result in a denial of service or undefined behaviour, possibly including incorrect authorization decisions. Vulnerable: <= 1.8.22-0+deb8u3 Fixed: 1.8.22-0+deb8u4 | 3.7.14-3.7.14.2 |
| 2556287 | CVE-2021-3156: A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug. Vulnerable: <= 1.8.10p4-cl3.7.14u1 Fixed: 1.8.10p4-cl3.7.15u1 Note: security scanners may not recognize 1.8.10p4-cl3.7.15u1 as fixed and therefore incorrectly list it as vulnerable. | 3.7.14 |
| 2556233 | Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message will be observed when this condition occurs:WARN xx routes reverted to non-ECMP due to NH table capacity | 3.7.9-3.7.14.2 |
| 2556218 | The following vulnerability affects lldpd: CVE-2020-27827: A packet that contains multiple instances of certain TLVs will cause lldpd to continually allocate memory and leak the old memory. As an example, multiple instances of system name TLV will cause old values to be dropped by the decoding routine. Fixed: 1.0.4-0-cl4.3.0u2 | 3.7.14-3.7.14.2, 4.0.0-4.2.1 |
| 2556031 | Several security vulnerabilities were found in ImageMagick, a suite of image manipulation programs. An attacker could cause denial of service and execution of arbitrary code when a crafted image file is processed. CVE-2020-19667 Stack-based buffer overflow and unconditional jump in ReadXPMImage in coders/xpm.c CVE-2020-25665 The PALM image coder at coders/palm.c makes an improper call to AcquireQuantumMemory() in routine WritePALMImage() because it needs to be offset by 256. This can cause a out-of-bounds read later on in the routine. This could cause impact to reliability. CVE-2020-25674 WriteOnePNGImage() from coders/png.c (the PNG coder) has a for loop with an improper exit condition that can allow an out-of-bounds READ via heap-buffer-overflow. This occurs because it is possible for the colormap to have less than 256 valid values but the loop condition will loop 256 times, attempting to pass invalid colormap data to the event logger. CVE-2020-27560 ImageMagick allows Division by Zero in OptimizeLayerFrames in MagickCore/layer.c, which may cause a denial of service. CVE-2020-27750 A flaw was found in MagickCore/colorspace-private.h and MagickCore/quantum.h. An attacker who submits a crafted file that is processedcould trigger undefined behavior in the form of values outside the range of type unsigned char and math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. CVE-2020-27760 In GammaImage() of /MagickCore/enhance.c, depending on the gamma value, it’s possible to trigger a divide-by-zero condition when a crafted input file is processed by ImageMagick. This could lead to an impact to application availability. CVE-2020-27763 A flaw was found in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. CVE-2020-27765 A flaw was found in MagickCore/segment.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. CVE-2020-27773 A flaw was found in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char or division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. CVE-2020-29599 ImageMagick mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c. Vulnerable: <= 6.8.9.9-5+deb8u21 Fixed: 6.8.9.9-5+deb8u22 | 3.7.14-3.7.14.2 |
| 2556030 | The following vulnerability was announced in the apt packages: CVE-2020-27350: Missing input validation in the ar/tar implementations of APT, the high level package manager, could cause out-of-bounds reads or infinite loops, resulting in denial of service when processing malformed deb files. Vulnerable: <= 1.0.9.8.6 Fixed: 1.0.9.8.7 | 3.7.14-3.7.14.2 |
| 2556023 | After upgrading Cumulus Linux with the apt-upgrade command, then rebooting an MLAG pair, if there are no bonds configured with a clag-id, the clagd service has difficulty peering, and holds all MLAG interfaces and VNIs in a proto down stateTo work around this issue, after upgrading both switches, restart the clagd service with the sudo systemctl restart clagd command on each MLAG pair. | 3.7.14-3.7.14.2 |
| 2556011 | On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 |
| 2555691 | The NET-SNMP-EXTEND-MIB, disabled in Cumulus Linux 4.2.1 and 3.7.14 to prevent security vulnerability CVE-2020-15862, is re-enabled read-only. | 3.7.14-3.7.14.2, 4.2.1 |
| 2555654 | The following vulnerability has been announced in the libflac8 package: CVE-2020-0499: In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a possible out-of-bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. However, user interaction is needed for exploitation. Vulnerable: 1.3.0-3 Fixed: 1.3.0-3+deb8u1 | 3.7.14-3.7.14.2 |
| 2555627 | The following vulnerabilities have been announced in curl: CVE-2020-8284: Vulnerability to malicious FTP server with PASV response with different IP address. CVE-2020-8285: Wildcard matching is vulnerable to denial of service by running out of stack space. Vulnerable: <= 7.38.0-4+deb8u18 Fixed: 7.38.0-4+deb8u19 | 3.7.14 |
| 2555553 | It was discovered that the clean_html() function of lxml, a Python library for HTML and XML processing, performed insufficient sanitisation for embedded Javascript code. This might lead to cross-site scripting or possibly the execution of arbitrary code. Vulnerable: <= 3.4.0-1+deb8u2 Fixed: 3.4.0-1+deb8u3 | 3.7.14-3.7.14.2 |
| 2555532 | QinQ (802.1Q) packets routed to a layer 3 subinterface are still double tagged with the VLAN of the subinterface and the original inner VLAN when they leave the subinterface. | 4.2.0-4.2.1 |
| 2555507 | CVE-2018-0734: A minor timing side channel attack was found in the OpenSSL DSA signature algorithm. The fix for that introduced a more severe regression that could also be exploited as a timing side channel attack. This update fixes both the original problem and the subsequent issue. CVE-2020-1971: A flaw in the GENERAL_NAME_cmp() function could cause a NULL dereference, resulting in denial of service. Vulnerable: <= 1.0.1t-1+deb8u12 Fixed: 1.0.1t-1+deb8u13 | 3.7.14 |
| 2555435 | CVE-2018-19139: Fix memory leaks by registering jpc_unk_destroyparms. CVE-2020-27828: Avoid maxrlvls more than upper bound to cause heap-buffer-overflow. CVE-2018-19543 and CVE-2017-9782: There is a heap-based buffer over-read of size 8 in the function jp2_decode in libjasper/jp2/jp2_dec.c. Vulnerable: <= 1.900.1-debian1-2.4+deb8u6 Fixed: 1.900.1-debian1-2.4+deb8u7 | 3.7.14-3.7.14.2 |
| 2555401 | On the Edgecore AS7312 switch, eth0 and swp use the same MAC address. | 3.7.14-3.7.14.2, 4.0.0-4.2.1 |
| 2555314 | CVE-2020-25709, CVE-2020-25710: Vulnerabilities in the certificate list syntax verification and in the handling of CSN normalization were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash) via specially crafted packets. Vulnerable: <= 2.4.40+dfsg-1+deb8u7 Fixed: 2.4.40+dfsg-1+deb8u8 | 3.7.14 |
| 2555278 | When you change the anycast address for the MLAG pair (clagd-vxlan-anycast-ip), high peak traffic occurs on the peer link interface of all MLAG switches. | 3.7.13-3.7.14.2 |
| 2555196 | CVE-2018-19787, CVE-2020-27783: The clean_html() function of lxml, a Python library for HTML and XML processing, performed insufficient sanitisation for embedded Javascript code. This could lead to cross-site scripting or possibly the execution of arbitrary code. Vulnerable: <= 3.4.0-1+deb8u1 Fixed: 3.4.0-1+deb8u2 | 3.7.14-3.7.14.2 |
| 2555177 | On Mellanox switches, the ASIC temperature sensor reading reports zeros. As a result, the fan speed is higher than normal. You can see the temperature reading in the output of the sensors command. | 3.7.14 |
| 2555147 | Some issues have been found in qemu, a fast processor emulator. CVE-2020-25085 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 CVE-2020-27617: All issues are related to assertion failures, out-of-bounds access failures or bad handling of return codes. Vulnerable: <= 2.1+dfsg-12+deb8u17 Fixed: 2.1+dfsg-12+deb8u18 | 3.7.14-3.7.14.2 |
| 2554991 | When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes. To work around this issue, either shut down one side of the MLAG bond or prune out VLANS over the bond. | 3.7.13-3.7.14.2, 4.0.0-4.2.1 |
| 2554804 | On Mellanox SN2010 and SN2100 switches, the maximum fan speed is exceeded by fifteen percent. | 3.7.14-3.7.14.2 |
| 2554719 | A slow memory leak is observed (1% per 14 hours) in kmalloc-256. To work around this issue, reboot the switch. | 3.7.12-3.7.14.2 |
| 2553748 | On switches with the Spectrum ASIC, the IPv6 default route is present in the kernel but missing in hardware. | 3.7.11-3.7.14.2, 4.2.1 |
| 2552213 | The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 |
| 2550600 | The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 |
| 2549226 | You might see the following gport error messages in switchd.log:
These messages are harmless and can be ignored. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 |
3.7.14.2 Release Notes
Open Issues in 3.7.14.2
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 3135801 | Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop. | 3.7.12-4.3.0 | 4.3.1-4.4.5 |
| 3073668 | On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | |
| 3017190 | When you power cycle the switch, multiple interfaces came up in a PoE disabled state To work around this issue, run the sudo poectl -a | grep disabled command to find ports with disabled POE. Run the sudo poectl -e swp1-swp48 command to enable POE on affected ports. | 3.7.10-3.7.16 | |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2959067 | ECMP produces errors indicating No More Resources and switchd crashes even when ECMP utilization is low. | 3.7.14.2-4.2.1 | 4.3.0-4.4.5 |
| 2959024 | ACL rules do not always install in hardware after switch reboot To work around this issue, run the sudo cl-acltool -i command to reinstall the ACL rules. | 3.7.14.2-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2940076 | In a VXLAN fabric with ToR switches configured in a MLAG pair, BUM traffic received on a VXLAN tunnel is decapsulated and forwarded on the peer link bond. The BUM traffic is then encapsulated by the peer switch and sent back to the fabric. The issue has been seen in environments where the following conditions exist at the same time:1) high VNI scale2) switchd is busy processing updates3) clagd is in a transition state, such as Up, then Down, then Up. For example, when clagd restarts, the switch reboots, and so onThe problem is seen on the switch that experiences the clagd state transition. | 3.7.12-3.7.15 | 3.7.16 |
| 2940063 | Under certain high scale conditions, various modules might experience timetouts during cl-support collection, which results in missing data in the cl-support file. | 3.7.12-3.7.15, 4.1.1-4.3.0 | 3.7.16, 4.3.1-4.4.5, 5.0.0-5.12.1 |
| 2940051 | In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.12.1 |
| 2934940 | When you change the SVI vlan-id value in the /etc/network/interfaces file, then run ifreload -a, the 802.1Q ID for the SVI in the kernel does not change.This operation is not supported in the kernel without recreating the SVI. To apply the change, run ifdown, then ifup for the SVI to recreate the interface. | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2934939 | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usageTo workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:address-family ipv4 unicastAfter: ip route 10.10.0.0/16 Null0This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-3.7.16 | |
| 2934935 | VXLAN route updates during high frequency might cause switchd to leak memory. | 3.7.14.2-4.3.0 | 4.3.1-4.4.5 |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2866084 | When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb deldev command, then add “vxlan-learning”: “off” in the /etc/network/ifupdown2/policy.d/vxlan.json file:$ cat /etc/network/ifupdown2/policy.d/vxlan.jsonReboot the affected switches. | 3.7.12-4.3.0 | 4.3.1-4.4.5 |
| 2866061 | On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 3.7.12-3.7.16 | |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2815592 | In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.12.1 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2803044 | In an EVPN configuration with IP or MAC mobility, higher MM EVPN routes do not remove the old ARP entries during VIP migration between VTEP racks. | 3.7.14.2-3.7.15 | 3.7.16 |
| 2801262 | On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. | 3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.12.1 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2794750 | When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2754791 | Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736265 | After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2730225 | When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2717312 | When you modify a prefix list with NCLU commands, the bgpd service crashes. | 3.7.14.2-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2700767 | Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16 |
| 2687332 | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usageTo workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:address-family ipv4 unicastAfter: ip route 10.10.0.0/16 Null0This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2684452 | When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb deldev command2. Add “vxlan-learning”: “off” under /etc/network/ifupdown2/policy.d/vxlan.json$ cat /etc/network/ifupdown2/policy.d/vxlan.json3. Reboot the affected switch(es) | 3.7.12-3.7.16 | |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2669831 | If you try to remove BFD configuration with systemctl reload frr, the FRR service fails. The reload action results in a TypeError: expected string or bytes-like object errorYou see this issue only if there is default configuration, such as configuration in the /etc/frr/frr.conf file that is suppressed from view in the FRR running configurationTo work around this issue, remove the default configuration lines; for example: username cumulus nopassword | 3.7.14.2-3.7.15 | 3.7.16 |
| 2669438 | Editing the /etc/frr/frr.conf file to add a new sequence at the beginning of an existing large prefix list changes the subsequent sequence numbers of the next entries in the list and FRR reload might fail with the error message frr.service reload operation timed out. Stopping. To work around this issue, instead of adding the new prefix using an existing sequence number and pushing other sequences forward, use a sequence number that is free; for example, instead of of using 5 -> 10 -> 15, use 5 -> 7 -> 10. | 3.7.11-3.7.16 | |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2660582 | In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure) To recover restart the clagd service with sudo systemctl restart clagd.service | 3.7.8-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2656291 | The following CVEs affect the linux kernel package: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.12-3.7.16 | 4.0.0-4.4.5 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2653400 | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2645846 | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. | 3.7.10-3.7.15 | 3.7.16, 4.3.1-4.4.5 |
| 2638137 | When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file. | 3.7.13-3.7.16 | |
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2633245 | On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | |
| 2628515 | CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service (“CallStranger”) Vulnerable: <= 2.8.0-cl4.3.1u1Fixed: wpa / hostapd removed from Cumulus Linux 5.0.0If your Cumulus Linux 5.0.0 switch was upgraded by apt from Cumulus Linux 4.3.0 or earlier, a vulnerable hostapd package may be present but unused. To remove it, use “sudo dpkg -r hostapd”. | 3.7.14-4.3.3 | 4.4.0-4.4.5 |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617005 | CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25687: several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server that could result in denial of service, cache poisoning or the execution of arbitrary code Vulnerable: <= 2.72-3+deb8u5Fixed: 2.72-3+deb8u6 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2607965 | On the EdgeCore AS7726 switch, when you run the NCLU net show system command, you see the error Command not found. | 3.7.14.2-3.7.16 | |
| 2599607 | In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5, 5.0.0-5.12.1 |
| 2595889 | In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-4.2.1 | 4.3.0-4.4.5 |
| 2595816 | Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2589747 | If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a good bye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal it is going down, (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2581473 | When netq-agent is installed on the Dell N3048EP platform, switchd might crash if pluggables are installed in the SFP+ ports. | 3.7.13-3.7.15 | 3.7.16 |
| 2574294 | CVE-2021-3410: A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context Vulnerable: <= 0.99.beta19-2+deb8u1Fixed: 0.99.beta19-2+deb8u2 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2566880 | CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-4.3.3 | 4.4.0-4.4.5 |
| 2562511 | hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary radius is reachable but not responding to Access-RequestsIf the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers. | 3.7.10-3.7.14.2 | 3.7.15-3.7.16 |
| 2562396 | CVE-2020-27824: Global buffer overflow on irreversible conversion when too many decomposition levels are specified. CVE-2020-27841: Crafted input to be processed by the openjpeg encoder could cause an out-of-bounds read. CVE-2020-27845: Crafted input can cause out-of-bounds-read. Vulnerable: <= 2.1.0-2+deb8u11 Fixed: 2.1.0-2+deb8u12 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2562347 | When you bring VXLAN interfaces up and down physically or administratively, the MTU for the SVIs changes to 1550 (the default value). | 3.7.14.2-3.7.16 | |
| 2562301 | CVE-2021-26937: encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence. Vulnerable: <= 4.2.1-3+deb8u1 Fixed: 4.2.1-3+deb8u2 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556815 | When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP. To work around this issue, disable ARP suppression. | 3.7.14-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2556782 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-4.3.3 | 4.4.0-4.4.5 |
| 2556780 | CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets. Vulnerable: <= 2.4.40+dfsg-1+deb8u9 Fixed: 2.4.40+dfsg-1+deb8u10 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556779 | CVE-2020-8625: Buffer overflow attack in the bind9 DNS server caused by an issue in the GSSAPI (“Generic Security Services”) security policy negotiation. Vulnerable: <= 9.9.5.dfsg-9+deb8u20 Fixed: 9.9.5.dfsg-9+deb8u21 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556763 | In a configuration with both traditional and VLAN-aware bridges, the VLAN membership check on a VLAN-aware bridge does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2556743 | CVE-2019-20367: An issue has been found in libbsd, a library with utility functions from BSD systems. A non-NUL terminated symbol name in the string table might result in an out-of-bounds read. Vulnerable: <= 0.7.0-2+deb8u1 Fixed: 0.7.0-2+deb8u2 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556742 | The following vulnerabilities have been announced in the openssl package: CVE-2021-23840: an issue where “Digital EnVeloPe” EVP-related calls could cause applications to behave incorrectly or even crash. CVE-2021-23841: an issue in the X509 certificate parsing caused by the lack of error handling while ingesting the “issuer” field. Vulnerable: <= 1.0.1t-1+deb8u13 Fixed: 1.0.1t-1+deb8u14 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556689 | CVE-2020-15469 A MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference. CVE-2020-15859 QEMU has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data’s address set to the e1000e’s MMIO address. CVE-2020-25084 QEMU has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. CVE-2020-28916 hw/net/e1000e_core.c has an infinite loop via an RX descriptor with a NULL buffer address. CVE-2020-29130 slirp.c has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. CVE-2020-29443 ide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds read access because a buffer index is not validated. CVE-2021-20181 9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege escalation vulnerability. CVE-2021-20221 aarch64: GIC: out-of-bound heap buffer access via an interrupt ID field. Vulnerable: <= 2.1+dfsg-12+deb8u18 Fixed: 2.1+dfsg-12+deb8u19 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556612 | CVE-2021-27135: xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence. Vulnerable: 312-2 Fixed: 312-2+deb8u1. | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556585 | CVE-2021-26926: A heap buffer overflow vulnerability was discovered in JasPer, through jp2_dec.c in the jp2_decode() function. CVE-2021-26927: A null pointer access was discovered in JasPer, through jp2_dec.c in the jp2_decode() function. Vulnerable: <= 1.900.1-debian1-2.4+deb8u8 Fixed: 1.900.1-debian1-2.4+deb8u9 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556530 | CVE-2020-0256: In LoadPartitionTable of gpt.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. CVE-2021-0308: In ReadLogicalParts of basicmbr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. Vulnerable: 0.8.10-2 Fixed: 0.8.10-2+deb8u1 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556525 | CVE-2020-27351: Various memory and file descriptor leaks were discovered in the Python interface to the APT package management runtime library, which could result in denial of service. Vulnerable: <= 0.9.3.13 Fixed: 0.9.3.14 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556504 | CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230: Several vulnerabilities were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash, infinite loops) via specially crafted packets. Vulnerable: <= 2.4.40+dfsg-1+deb8u8 Fixed: 2.4.40+dfsg-1+deb8u9 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556473 | CVE-2021-3272: jp2_decode in jp2/jp2_dec.c in libjasper in JasPer has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components. Vulnerable: <= 1.900.1-debian1-2.4+deb8u6 Fixed: 1.900.1-debian1-2.4+deb8u7 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556364 | CVE-2020-35512: An issue has been found in dbus, a simple interprocess messaging system. On a system having multiple usernames sharing the same UID a use-after-free might happen, that could result in a denial of service or undefined behaviour, possibly including incorrect authorization decisions. Vulnerable: <= 1.8.22-0+deb8u3 Fixed: 1.8.22-0+deb8u4 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556233 | Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message will be observed when this condition occurs:WARN xx routes reverted to non-ECMP due to NH table capacity | 3.7.9-3.7.14.2 | 3.7.15-3.7.16 |
| 2556218 | The following vulnerability affects lldpd: CVE-2020-27827: A packet that contains multiple instances of certain TLVs will cause lldpd to continually allocate memory and leak the old memory. As an example, multiple instances of system name TLV will cause old values to be dropped by the decoding routine. Fixed: 1.0.4-0-cl4.3.0u2 | 3.7.14-4.2.1 | 4.3.0-4.4.5 |
| 2556037 | After you add an interface to the bridge, an OSPF session flap might occur | 3.7.9-4.2.0 | 4.2.1-4.4.5 |
| 2556031 | Several security vulnerabilities were found in ImageMagick, a suite of image manipulation programs. An attacker could cause denial of service and execution of arbitrary code when a crafted image file is processed. CVE-2020-19667 Stack-based buffer overflow and unconditional jump in ReadXPMImage in coders/xpm.c CVE-2020-25665 The PALM image coder at coders/palm.c makes an improper call to AcquireQuantumMemory() in routine WritePALMImage() because it needs to be offset by 256. This can cause a out-of-bounds read later on in the routine. This could cause impact to reliability. CVE-2020-25674 WriteOnePNGImage() from coders/png.c (the PNG coder) has a for loop with an improper exit condition that can allow an out-of-bounds READ via heap-buffer-overflow. This occurs because it is possible for the colormap to have less than 256 valid values but the loop condition will loop 256 times, attempting to pass invalid colormap data to the event logger. CVE-2020-27560 ImageMagick allows Division by Zero in OptimizeLayerFrames in MagickCore/layer.c, which may cause a denial of service. CVE-2020-27750 A flaw was found in MagickCore/colorspace-private.h and MagickCore/quantum.h. An attacker who submits a crafted file that is processedcould trigger undefined behavior in the form of values outside the range of type unsigned char and math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. CVE-2020-27760 In GammaImage() of /MagickCore/enhance.c, depending on the gamma value, it’s possible to trigger a divide-by-zero condition when a crafted input file is processed by ImageMagick. This could lead to an impact to application availability. CVE-2020-27763 A flaw was found in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. CVE-2020-27765 A flaw was found in MagickCore/segment.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. CVE-2020-27773 A flaw was found in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char or division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. CVE-2020-29599 ImageMagick mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c. Vulnerable: <= 6.8.9.9-5+deb8u21 Fixed: 6.8.9.9-5+deb8u22 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556030 | The following vulnerability was announced in the apt packages: CVE-2020-27350: Missing input validation in the ar/tar implementations of APT, the high level package manager, could cause out-of-bounds reads or infinite loops, resulting in denial of service when processing malformed deb files. Vulnerable: <= 1.0.9.8.6 Fixed: 1.0.9.8.7 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556023 | After upgrading Cumulus Linux with the apt-upgrade command, then rebooting an MLAG pair, if there are no bonds configured with a clag-id, the clagd service has difficulty peering, and holds all MLAG interfaces and VNIs in a proto down stateTo work around this issue, after upgrading both switches, restart the clagd service with the sudo systemctl restart clagd command on each MLAG pair. | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2555908 | If the you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command. | 3.7.12-4.0.1 | 4.1.0-4.4.5 |
| 2555691 | The NET-SNMP-EXTEND-MIB, disabled in Cumulus Linux 4.2.1 and 3.7.14 to prevent security vulnerability CVE-2020-15862, is re-enabled read-only. | 3.7.14-4.2.1 | 4.3.0-4.4.5 |
| 2555654 | The following vulnerability has been announced in the libflac8 package: CVE-2020-0499: In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a possible out-of-bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. However, user interaction is needed for exploitation. Vulnerable: 1.3.0-3 Fixed: 1.3.0-3+deb8u1 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2555553 | It was discovered that the clean_html() function of lxml, a Python library for HTML and XML processing, performed insufficient sanitisation for embedded Javascript code. This might lead to cross-site scripting or possibly the execution of arbitrary code. Vulnerable: <= 3.4.0-1+deb8u2 Fixed: 3.4.0-1+deb8u3 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2555528 | In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer’s ARP policer. To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5 |
| 2555435 | CVE-2018-19139: Fix memory leaks by registering jpc_unk_destroyparms. CVE-2020-27828: Avoid maxrlvls more than upper bound to cause heap-buffer-overflow. CVE-2018-19543 and CVE-2017-9782: There is a heap-based buffer over-read of size 8 in the function jp2_decode in libjasper/jp2/jp2_dec.c. Vulnerable: <= 1.900.1-debian1-2.4+deb8u6 Fixed: 1.900.1-debian1-2.4+deb8u7 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2555401 | On the Edgecore AS7312 switch, eth0 and swp use the same MAC address. | 3.7.14-4.2.1 | 4.3.0-4.4.5 |
| 2555278 | When you change the anycast address for the MLAG pair (clagd-vxlan-anycast-ip), high peak traffic occurs on the peer link interface of all MLAG switches. | 3.7.13-3.7.16 | 4.0.0-4.4.5 |
| 2555196 | CVE-2018-19787, CVE-2020-27783: The clean_html() function of lxml, a Python library for HTML and XML processing, performed insufficient sanitisation for embedded Javascript code. This could lead to cross-site scripting or possibly the execution of arbitrary code. Vulnerable: <= 3.4.0-1+deb8u1 Fixed: 3.4.0-1+deb8u2 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2555147 | Some issues have been found in qemu, a fast processor emulator. CVE-2020-25085 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 CVE-2020-27617: All issues are related to assertion failures, out-of-bounds access failures or bad handling of return codes. Vulnerable: <= 2.1+dfsg-12+deb8u17 Fixed: 2.1+dfsg-12+deb8u18 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2554991 | When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes. To work around this issue, either shut down one side of the MLAG bond or prune out VLANS over the bond. | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2554804 | On Mellanox SN2010 and SN2100 switches, the maximum fan speed is exceeded by fifteen percent. | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2554785 | After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX=“cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2554719 | A slow memory leak is observed (1% per 14 hours) in kmalloc-256. To work around this issue, reboot the switch. | 3.7.12-3.7.14.2 | 3.7.15-3.7.16 |
| 2554709 | The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected their Primary IP address, the unnumbered interface does not update its Primary IP address to be the new use-source value until after there is a netlink update for that interface.To work around this issue, configure ip pim use-source on each unnumbered interface directly or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. | 3.7.13-3.7.16, 4.2.1-4.4.5 | |
| 2554617 | OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf. This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper. | 3.7.14-3.7.16, 4.0.0-4.4.5 | |
| 2554588 | If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is runningTo work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:DHCPD_PID="-pf {0}” to:DHCPD_PID="-pf {1}" | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2554369 | Certain Dell S4048-ON switches show an incorrect vendor name and hang when you issue the reboot command. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2554329 | On the Dell N3248PXE switch, fixed RJ45 interfaces with PoE neighbors can end up in Paused mode after a switchd restart, which blocks traffic on that interface. | 3.7.12-3.7.16 | |
| 2553887 | When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2553748 | On switches with the Spectrum ASIC, the IPv6 default route is present in the kernel but missing in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2553677 | When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:
To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:
Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | |
| 2553219 | You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2553116 | When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2553050 | SNMP status might incorrectly reflect that a BGP neighbor is down due to an issue between bgpd and SNMP AgentX when the IP-FORWARD-MIB is also polled.To work around this issue, avoid polling IP-FORWARD-MIB objects. | 3.7.12-3.7.16 | |
| 2553015 | If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | |
| 2552939 | RX_DRP on a bond interface increases without any data traffic while the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2552869 | On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2552742 | On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2552739 | Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | |
| 2552610 | The following vulnerability has been announced: CVE-2019-11360: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c. | 3.7.13-4.2.0 | 4.2.1-4.4.5 |
| 2552294 | NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2552266 | OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files. The two scenarios where an exploit may be useful to an attacker: -The user is authorized to scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.-An attacker plants a maliciously named file in a directory tree that someone later uses scp -r to copy over to the target computer.Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server.If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously-named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files.To disable scp completely, use /bin/chmod 0 /usr/bin/scp . | 3.7.14-3.7.16, 4.0.0-4.4.5 | |
| 2551911 | ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551578 | When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2551565 | If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both the VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affectedTo work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands. | 3.7.13-3.7.16, 4.2.0-4.4.5 | |
| 2551554 | Customers running security scans on Cumulus Linux 4 may encounter the listing of an incorrect version of u-boot 2014.10+dfsg1-4 with the following vulnerabilities:CVE-2017-3225CVE-2017-3226CVE-2018-18440CVE-2019-11690CVE-2019-13103CVE-2019-14192CVE-2019-14193CVE-2019-14194CVE-2019-14195CVE-2019-14196CVE-2019-14197CVE-2019-14198CVE-2019-14199CVE-2019-14200CVE-2019-14201CVE-2019-14202CVE-2019-14203CVE-2019-14204CVE-2020-10648The u-boot-tools package is not installed on the switch by default, but is available in the repository for optional installation. On Cumulus Linux 4, the version is at least 2019.01+dfsg-7. However, the older versions available for optional installation on Cumulus Linux 3 may be vulnerable According to https://security-tracker.debian.org/tracker/source-package/u-boot , all except the following are fixed in 2019.01+dfsg-7:CVE-2017-3225: https://security-tracker.debian.org/tracker/CVE-2017-3225 says “Negligible security impact” CVE-2017-3226: https://security-tracker.debian.org/tracker/CVE-2017-3226 says “Negligible security impact” CVE-2018-18440: https://security-tracker.debian.org/tracker/CVE-2018-18440 says “No security impact as supported/packaged in Debian”. | 3.7.12-3.7.16 | 4.0.0-4.4.5 |
| 2551305 | The net show configuration command provides the wrong net add command for ACL under the VLAN interface. | 3.7.12-3.7.16, 4.1.0-4.4.5 | |
| 2551288 | When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2550974 | On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | |
| 2550942 | NCLU tab completion for net show displays the text add help text instead of system Information for the system option. | 3.7.11-4.2.0 | 4.2.1-4.4.5 |
| 2550796 | On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero. To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2550793 | The NCLU net show bridge spanning-tree command displays the aging timer incorrectly. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550600 | The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2550478 | VXLAN interface as in-interface or out-interface in an ACL is not supported in Spectrum-based switches. | 3.7.7-4.2.0 | 4.2.1-4.4.5, 4.3.0-4.4.5 |
| 2550444 | Tab completion for the net show rollback description command returns information about a snapshot instead of context help.To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550443 | The net show rollback description command returns an error even if the string matches a commit description.To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550276 | In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added.All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2550243 | When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service. For example:
| 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550056 | The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549925 | When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:
To work around this issue, run the ifreload -a command a second time. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2549872 | If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error. | 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549838 | In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel. If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel. To work around this issue, delete, then re-add the missing VNI. For example:
If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2549782 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2549731 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549472 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2549371 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.3 | 4.4.0-4.4.5 |
| 2549307 | The following vulnerabilities affect git, which is available in the repository for optional installation: CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host. CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5 |
| 2549226 | You might see the following gport error messages in switchd.log:
These messages are harmless and can be ignored. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2548962 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5 |
| 2548930 | On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2548746 | On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2548657 | When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:
You can safely ignore these error messages. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548490 | A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.To work around this issue, reenter the redistribute <connected|static> route-map statement in the configuration. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2548485 | If you configure the aggregate-addresssummary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:Existing configuration:router bgp 1If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,To work around this issue, remove, then re-add the component prefix routes. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2548315 | The following security advisory has been announced for bash: CVE-2019-18276 Qualys scan QID 372268 setuid vulnerability When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges.To work around this issue, do not make bash or bash scripts setuid. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548243 | On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2548155 | The net show bgp neighbor swpX json command shows negative output for the bgpTimerUpMsec timer. | 3.7.10-3.7.16 | 4.0.0-4.4.5 |
| 2548117 | In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548044 | When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16 |
| 2548024 | On the Dell Z9100 switch, 100G-SR4 modules might not link up reliably in certain ports. swp1, 2, 3, 9, 10, 23, 24, 30, 31, and 32 might be affected To work around this issue, move 100G SR4 modules to one of the ports not affected by this issue. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547942 | On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547878 | The following vulnerability has been found in the libgcrypt20 cryptographic library.CVE-2019-13627: there was a ECDSA timing attack. For more information, see https://www.debian.org/lts/security/2020/dla-1931-2.en.html Vulnerable: 1.6.3-2+deb8u7 Fixed: 1.6.3-2+deb8u8 | 3.7.11-3.7.16 | |
| 2547876 | The following vulnerability affects libxml2: CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c has a memory leak related to newDoc->oldNs. This can lead to a denial of service. For more information, see https://www.debian.org/lts/security/2019/dla-2048.en.html . Vulnerable: 2.9.1+dfsg1-5+deb8u7 Fixed: 2.9.1+dfsg1-5+deb8u8 | 3.7.11-3.7.16 | |
| 2547874 | The following vulnerability affects libbsd, a package containing utility functions from BSD systems. CVE-2016-2090: In function fgetwln() an off-by-one error could triggers a heap buffer overflow. For more information, see https://www.debian.org/lts/security/2019/dla-2052.en.html . Vulnerable: 0.7.0-2 Fixed: 0.7.0-2+deb8u1 | 3.7.11-3.7.16 | |
| 2547839 | When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547782 | If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547706 | When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547659 | On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547573 | On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU. | 3.7.9-3.7.16 | |
| 2547443 | On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547381 | The hsflowd service sends an undefined header protocol 0 in the sampled flow sample to the collector, which is not recognized by the sFlow tool. You see errors similar to the following:
| 3.7.11-3.7.16 | 4.0.0-4.4.5 |
| 2547349 | When you change an interface IP address, then change it back, static routes are misprogrammed One of the following actions recovers the routes:- Bounce both layer 3 interfaces- Remove or add static routes in FRR- Restart FRR | 3.7.11-3.7.16 | 4.0.0-4.4.5 |
| 2547123 | On the Broadcom switch with the Trident3 ASC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547120 | After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom –init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547118 | The following security vulnerabilities have been announced in the libtiff5 library on Cumulus Linux 4.0: CVE-2019-14973, CVE-2019-17546: Multiple integer overflows have been discovered in the libtiff library and the included tools. Vulnerable: 4.0.10-4 Fixed: 4.1.0+git191117-2~deb10u1 | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2547100 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547068 | Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available or manually disable CPU C-states in the kernel as outlined below To permanently disable C-states using a kernel boot parameter:1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if /etc/default/grub file contains the line GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off”, change it to GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0”2. Run sudo update-grub3. Reboot the system with sudo rebootTo disable cstates in realtime on the current system, which does not persist through a reboot:1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade;sudo apt install libpci32. Disable C-states by running the command ./cpupower idle-set -d 2C-states are disabled by default in Cumulus Linux 4.3.0 and later. | 3.7.9-4.2.1 | 4.3.0-4.4.5 |
| 2546991 | The FRR service does not provide a way for automation to know if the configuration applied properly. To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546895 | If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.serviceTo increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter2.Restart the switchd service with the sudo systemctl restart switchd.service commandsystemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546450 | On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold. | 3.7.11-3.7.16 | |
| 2546385 | SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | |
| 2546225 | When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.
To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546203 | When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior: * Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet. * If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet. | 3.7.11-3.7.16 | |
| 2546131 | On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546010 | When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist. | 3.7.10-3.7.16 | |
| 2545997 | The NCLU command net show interface produces an error if bonds with no members exist.To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a. | 3.7.10-3.7.16 | |
| 2545566 | The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT. | 3.7.12-4.0.1 | 4.1.0-4.4.5 |
| 2545446 | If you use NCLU commands to add a non-MLAG bond, then add an MLAG configuration, the net commit command fails. However, a subsequent net commit command succeeds. | 3.7.10-3.7.16 | |
| 2545125 | If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
| 2544978 | If you delete an undefined bond, then add a bond slave, the net commit command fails. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544968 | FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
should be:
To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544953 | When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
| 2544904 | After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements. To work around this issue, restart FRR after removing the IPv6 numbered configuration. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544829 | Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | |
| 2544671 | Package : sudoCVE ID : CVE-2019-14287Debian Bug : 942322Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows to run commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html We recommend that you upgrade your sudo packages. For the detailed security status of sudo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudoVulnerable versions: < 1.8.27-1+deb10u1Fixed versions: >= 1.8.27-1+deb10u1To work around this iisue, disable (comment out) any sudoers entries in /etc/sudoers or files in /etc/sudoers.d that have entries with !root in them. Only root or other users with a uid of 0 that are affected. | 3.7.9-3.7.16 | 4.0.0-4.4.5 |
| 2544556 | If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:
If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544463 | Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544456 | The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544311 | Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544235 | The following CVEs affect the linux kernel package: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.10-3.7.16 | |
| 2544155 | NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544113 | Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link. To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2543900 | On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543841 | The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543840 | On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file. | 3.7.6-3.7.16 | |
| 2543800 | When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2543647 | ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
| 3.7.6-4.2.1 | 4.3.0-4.4.5 |
| 2543646 | In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543627 | Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543270 | The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2543164 | The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2543096 | When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543058 | The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces. To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543052 | Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as “inactive” in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR. To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:
You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2543044 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2542979 | On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5 |
| 2542945 | On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
| 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542310 | hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6. | 3.7.6-3.7.16 | |
| 2542305 | If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542301 | When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2541212 | The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2541165 | On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false. | 3.7.6-3.7.16 | |
| 2541029 | On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540950 | On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status. | 3.7.3-4.1.1 | 4.2.0-4.4.5 |
| 2540885 | The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports. | 3.7.7-3.7.16 | |
| 2540863 | On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number. | 3.7.3-3.7.16 | |
| 2540753 | If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
| 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540444 | SNMP incorrectly requires engine ID specification. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540352 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2540340 | NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540274 | On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540204 | When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540192 | The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540155 | On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540042 | When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540041 | On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540040 | Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540031 | NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2539994 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539670 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539124 | The net add interface command adds no ptm-enable for that interface in the frr.conf file.Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2538875 | IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file. | 3.7.2-3.7.16 | |
| 2538790 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538590 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538562 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538256 | On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets. | 3.7.2-4.0.1 | 4.1.0-4.4.5 |
| 2537819 | When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537188 | When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network. | 3.7.2-3.7.16 | |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2533691 | If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2532017 | In FRR, bgp_snmp does not show all BGP peers when peer groups used. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
Fixed Issues in 3.7.14.2
| Issue ID | Description | Affects |
|---|---|---|
| 2556288 | CVE-2021-3156: A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug. Vulnerable: <= 1.8.10p4-cl3.7.14u1 Fixed: 1.8.10p4-cl3.7.15u1 Note: security scanners may not recognize 1.8.10p4-cl3.7.15u1 as fixed and therefore incorrectly list it as vulnerable. | 3.7.14 |
| 2556012 | On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 |
| 2555628 | The following vulnerabilities have been announced in curl: CVE-2020-8284: Vulnerability to malicious FTP server with PASV response with different IP address. CVE-2020-8285: Wildcard matching is vulnerable to denial of service by running out of stack space. Vulnerable: <= 7.38.0-4+deb8u18 Fixed: 7.38.0-4+deb8u19 | 3.7.14 |
| 2555508 | CVE-2018-0734: A minor timing side channel attack was found in the OpenSSL DSA signature algorithm. The fix for that introduced a more severe regression that could also be exploited as a timing side channel attack. This update fixes both the original problem and the subsequent issue. CVE-2020-1971: A flaw in the GENERAL_NAME_cmp() function could cause a NULL dereference, resulting in denial of service. Vulnerable: <= 1.0.1t-1+deb8u12 Fixed: 1.0.1t-1+deb8u13 | 3.7.14 |
| 2555494 | On Broadcom switches, when WARN level switchd log messages are generated, switchd might crash resulting in a core file generated on the system. | 4.2.0-4.2.1 |
| 2555315 | CVE-2020-25709, CVE-2020-25710: Vulnerabilities in the certificate list syntax verification and in the handling of CSN normalization were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash) via specially crafted packets. Vulnerable: <= 2.4.40+dfsg-1+deb8u7 Fixed: 2.4.40+dfsg-1+deb8u8 | 3.7.14 |
| 2555178 | On Mellanox switches, the ASIC temperature sensor reading reports zeros. As a result, the fan speed is higher than normal. You can see the temperature reading in the output of the sensors command. | 3.7.14 |
| 2552214 | The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 |
3.7.14 Release Notes
Open Issues in 3.7.14
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 3135801 | Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop. | 3.7.12-4.3.0 | 4.3.1-4.4.5 |
| 3073668 | On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | |
| 3017190 | When you power cycle the switch, multiple interfaces came up in a PoE disabled state To work around this issue, run the sudo poectl -a | grep disabled command to find ports with disabled POE. Run the sudo poectl -e swp1-swp48 command to enable POE on affected ports. | 3.7.10-3.7.16 | |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2940076 | In a VXLAN fabric with ToR switches configured in a MLAG pair, BUM traffic received on a VXLAN tunnel is decapsulated and forwarded on the peer link bond. The BUM traffic is then encapsulated by the peer switch and sent back to the fabric. The issue has been seen in environments where the following conditions exist at the same time:1) high VNI scale2) switchd is busy processing updates3) clagd is in a transition state, such as Up, then Down, then Up. For example, when clagd restarts, the switch reboots, and so onThe problem is seen on the switch that experiences the clagd state transition. | 3.7.12-3.7.15 | 3.7.16 |
| 2940063 | Under certain high scale conditions, various modules might experience timetouts during cl-support collection, which results in missing data in the cl-support file. | 3.7.12-3.7.15, 4.1.1-4.3.0 | 3.7.16, 4.3.1-4.4.5, 5.0.0-5.12.1 |
| 2934940 | When you change the SVI vlan-id value in the /etc/network/interfaces file, then run ifreload -a, the 802.1Q ID for the SVI in the kernel does not change.This operation is not supported in the kernel without recreating the SVI. To apply the change, run ifdown, then ifup for the SVI to recreate the interface. | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2934939 | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usageTo workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:address-family ipv4 unicastAfter: ip route 10.10.0.0/16 Null0This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-3.7.16 | |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2866084 | When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb deldev command, then add “vxlan-learning”: “off” in the /etc/network/ifupdown2/policy.d/vxlan.json file:$ cat /etc/network/ifupdown2/policy.d/vxlan.jsonReboot the affected switches. | 3.7.12-4.3.0 | 4.3.1-4.4.5 |
| 2866061 | On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 3.7.12-3.7.16 | |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2815592 | In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.12.1 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2801262 | On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. | 3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.12.1 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2794750 | When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736265 | After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2730225 | When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2700767 | Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16 |
| 2687332 | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usageTo workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:address-family ipv4 unicastAfter: ip route 10.10.0.0/16 Null0This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2684452 | When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb deldev command2. Add “vxlan-learning”: “off” under /etc/network/ifupdown2/policy.d/vxlan.json$ cat /etc/network/ifupdown2/policy.d/vxlan.json3. Reboot the affected switch(es) | 3.7.12-3.7.16 | |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2669438 | Editing the /etc/frr/frr.conf file to add a new sequence at the beginning of an existing large prefix list changes the subsequent sequence numbers of the next entries in the list and FRR reload might fail with the error message frr.service reload operation timed out. Stopping. To work around this issue, instead of adding the new prefix using an existing sequence number and pushing other sequences forward, use a sequence number that is free; for example, instead of of using 5 -> 10 -> 15, use 5 -> 7 -> 10. | 3.7.11-3.7.16 | |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2660582 | In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure) To recover restart the clagd service with sudo systemctl restart clagd.service | 3.7.8-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2656291 | The following CVEs affect the linux kernel package: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.12-3.7.16 | 4.0.0-4.4.5 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2653400 | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2645846 | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. | 3.7.10-3.7.15 | 3.7.16, 4.3.1-4.4.5 |
| 2638137 | When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file. | 3.7.13-3.7.16 | |
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2633245 | On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | |
| 2628515 | CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service (“CallStranger”) Vulnerable: <= 2.8.0-cl4.3.1u1Fixed: wpa / hostapd removed from Cumulus Linux 5.0.0If your Cumulus Linux 5.0.0 switch was upgraded by apt from Cumulus Linux 4.3.0 or earlier, a vulnerable hostapd package may be present but unused. To remove it, use “sudo dpkg -r hostapd”. | 3.7.14-4.3.3 | 4.4.0-4.4.5 |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617005 | CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25687: several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server that could result in denial of service, cache poisoning or the execution of arbitrary code Vulnerable: <= 2.72-3+deb8u5Fixed: 2.72-3+deb8u6 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2599607 | In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5, 5.0.0-5.12.1 |
| 2595889 | In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-4.2.1 | 4.3.0-4.4.5 |
| 2595816 | Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2589747 | If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a good bye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal it is going down, (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2581473 | When netq-agent is installed on the Dell N3048EP platform, switchd might crash if pluggables are installed in the SFP+ ports. | 3.7.13-3.7.15 | 3.7.16 |
| 2574294 | CVE-2021-3410: A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context Vulnerable: <= 0.99.beta19-2+deb8u1Fixed: 0.99.beta19-2+deb8u2 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2566880 | CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-4.3.3 | 4.4.0-4.4.5 |
| 2562511 | hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary radius is reachable but not responding to Access-RequestsIf the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers. | 3.7.10-3.7.14.2 | 3.7.15-3.7.16 |
| 2562396 | CVE-2020-27824: Global buffer overflow on irreversible conversion when too many decomposition levels are specified. CVE-2020-27841: Crafted input to be processed by the openjpeg encoder could cause an out-of-bounds read. CVE-2020-27845: Crafted input can cause out-of-bounds-read. Vulnerable: <= 2.1.0-2+deb8u11 Fixed: 2.1.0-2+deb8u12 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2562301 | CVE-2021-26937: encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence. Vulnerable: <= 4.2.1-3+deb8u1 Fixed: 4.2.1-3+deb8u2 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556815 | When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP. To work around this issue, disable ARP suppression. | 3.7.14-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2556782 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-4.3.3 | 4.4.0-4.4.5 |
| 2556780 | CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets. Vulnerable: <= 2.4.40+dfsg-1+deb8u9 Fixed: 2.4.40+dfsg-1+deb8u10 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556779 | CVE-2020-8625: Buffer overflow attack in the bind9 DNS server caused by an issue in the GSSAPI (“Generic Security Services”) security policy negotiation. Vulnerable: <= 9.9.5.dfsg-9+deb8u20 Fixed: 9.9.5.dfsg-9+deb8u21 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556763 | In a configuration with both traditional and VLAN-aware bridges, the VLAN membership check on a VLAN-aware bridge does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2556743 | CVE-2019-20367: An issue has been found in libbsd, a library with utility functions from BSD systems. A non-NUL terminated symbol name in the string table might result in an out-of-bounds read. Vulnerable: <= 0.7.0-2+deb8u1 Fixed: 0.7.0-2+deb8u2 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556742 | The following vulnerabilities have been announced in the openssl package: CVE-2021-23840: an issue where “Digital EnVeloPe” EVP-related calls could cause applications to behave incorrectly or even crash. CVE-2021-23841: an issue in the X509 certificate parsing caused by the lack of error handling while ingesting the “issuer” field. Vulnerable: <= 1.0.1t-1+deb8u13 Fixed: 1.0.1t-1+deb8u14 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556689 | CVE-2020-15469 A MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference. CVE-2020-15859 QEMU has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data’s address set to the e1000e’s MMIO address. CVE-2020-25084 QEMU has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. CVE-2020-28916 hw/net/e1000e_core.c has an infinite loop via an RX descriptor with a NULL buffer address. CVE-2020-29130 slirp.c has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. CVE-2020-29443 ide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds read access because a buffer index is not validated. CVE-2021-20181 9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege escalation vulnerability. CVE-2021-20221 aarch64: GIC: out-of-bound heap buffer access via an interrupt ID field. Vulnerable: <= 2.1+dfsg-12+deb8u18 Fixed: 2.1+dfsg-12+deb8u19 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556612 | CVE-2021-27135: xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence. Vulnerable: 312-2 Fixed: 312-2+deb8u1. | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556585 | CVE-2021-26926: A heap buffer overflow vulnerability was discovered in JasPer, through jp2_dec.c in the jp2_decode() function. CVE-2021-26927: A null pointer access was discovered in JasPer, through jp2_dec.c in the jp2_decode() function. Vulnerable: <= 1.900.1-debian1-2.4+deb8u8 Fixed: 1.900.1-debian1-2.4+deb8u9 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556530 | CVE-2020-0256: In LoadPartitionTable of gpt.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. CVE-2021-0308: In ReadLogicalParts of basicmbr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. Vulnerable: 0.8.10-2 Fixed: 0.8.10-2+deb8u1 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556525 | CVE-2020-27351: Various memory and file descriptor leaks were discovered in the Python interface to the APT package management runtime library, which could result in denial of service. Vulnerable: <= 0.9.3.13 Fixed: 0.9.3.14 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556504 | CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230: Several vulnerabilities were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash, infinite loops) via specially crafted packets. Vulnerable: <= 2.4.40+dfsg-1+deb8u8 Fixed: 2.4.40+dfsg-1+deb8u9 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556473 | CVE-2021-3272: jp2_decode in jp2/jp2_dec.c in libjasper in JasPer has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components. Vulnerable: <= 1.900.1-debian1-2.4+deb8u6 Fixed: 1.900.1-debian1-2.4+deb8u7 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556364 | CVE-2020-35512: An issue has been found in dbus, a simple interprocess messaging system. On a system having multiple usernames sharing the same UID a use-after-free might happen, that could result in a denial of service or undefined behaviour, possibly including incorrect authorization decisions. Vulnerable: <= 1.8.22-0+deb8u3 Fixed: 1.8.22-0+deb8u4 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556288 | CVE-2021-3156: A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug. Vulnerable: <= 1.8.10p4-cl3.7.14u1 Fixed: 1.8.10p4-cl3.7.15u1 Note: security scanners may not recognize 1.8.10p4-cl3.7.15u1 as fixed and therefore incorrectly list it as vulnerable. | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556233 | Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message will be observed when this condition occurs:WARN xx routes reverted to non-ECMP due to NH table capacity | 3.7.9-3.7.14.2 | 3.7.15-3.7.16 |
| 2556218 | The following vulnerability affects lldpd: CVE-2020-27827: A packet that contains multiple instances of certain TLVs will cause lldpd to continually allocate memory and leak the old memory. As an example, multiple instances of system name TLV will cause old values to be dropped by the decoding routine. Fixed: 1.0.4-0-cl4.3.0u2 | 3.7.14-4.2.1 | 4.3.0-4.4.5 |
| 2556037 | After you add an interface to the bridge, an OSPF session flap might occur | 3.7.9-4.2.0 | 4.2.1-4.4.5 |
| 2556031 | Several security vulnerabilities were found in ImageMagick, a suite of image manipulation programs. An attacker could cause denial of service and execution of arbitrary code when a crafted image file is processed. CVE-2020-19667 Stack-based buffer overflow and unconditional jump in ReadXPMImage in coders/xpm.c CVE-2020-25665 The PALM image coder at coders/palm.c makes an improper call to AcquireQuantumMemory() in routine WritePALMImage() because it needs to be offset by 256. This can cause a out-of-bounds read later on in the routine. This could cause impact to reliability. CVE-2020-25674 WriteOnePNGImage() from coders/png.c (the PNG coder) has a for loop with an improper exit condition that can allow an out-of-bounds READ via heap-buffer-overflow. This occurs because it is possible for the colormap to have less than 256 valid values but the loop condition will loop 256 times, attempting to pass invalid colormap data to the event logger. CVE-2020-27560 ImageMagick allows Division by Zero in OptimizeLayerFrames in MagickCore/layer.c, which may cause a denial of service. CVE-2020-27750 A flaw was found in MagickCore/colorspace-private.h and MagickCore/quantum.h. An attacker who submits a crafted file that is processedcould trigger undefined behavior in the form of values outside the range of type unsigned char and math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. CVE-2020-27760 In GammaImage() of /MagickCore/enhance.c, depending on the gamma value, it’s possible to trigger a divide-by-zero condition when a crafted input file is processed by ImageMagick. This could lead to an impact to application availability. CVE-2020-27763 A flaw was found in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. CVE-2020-27765 A flaw was found in MagickCore/segment.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. CVE-2020-27773 A flaw was found in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char or division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. CVE-2020-29599 ImageMagick mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c. Vulnerable: <= 6.8.9.9-5+deb8u21 Fixed: 6.8.9.9-5+deb8u22 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556030 | The following vulnerability was announced in the apt packages: CVE-2020-27350: Missing input validation in the ar/tar implementations of APT, the high level package manager, could cause out-of-bounds reads or infinite loops, resulting in denial of service when processing malformed deb files. Vulnerable: <= 1.0.9.8.6 Fixed: 1.0.9.8.7 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556023 | After upgrading Cumulus Linux with the apt-upgrade command, then rebooting an MLAG pair, if there are no bonds configured with a clag-id, the clagd service has difficulty peering, and holds all MLAG interfaces and VNIs in a proto down stateTo work around this issue, after upgrading both switches, restart the clagd service with the sudo systemctl restart clagd command on each MLAG pair. | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2556012 | On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5 |
| 2555908 | If the you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command. | 3.7.12-4.0.1 | 4.1.0-4.4.5 |
| 2555691 | The NET-SNMP-EXTEND-MIB, disabled in Cumulus Linux 4.2.1 and 3.7.14 to prevent security vulnerability CVE-2020-15862, is re-enabled read-only. | 3.7.14-4.2.1 | 4.3.0-4.4.5 |
| 2555654 | The following vulnerability has been announced in the libflac8 package: CVE-2020-0499: In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a possible out-of-bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. However, user interaction is needed for exploitation. Vulnerable: 1.3.0-3 Fixed: 1.3.0-3+deb8u1 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2555628 | The following vulnerabilities have been announced in curl: CVE-2020-8284: Vulnerability to malicious FTP server with PASV response with different IP address. CVE-2020-8285: Wildcard matching is vulnerable to denial of service by running out of stack space. Vulnerable: <= 7.38.0-4+deb8u18 Fixed: 7.38.0-4+deb8u19 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2555553 | It was discovered that the clean_html() function of lxml, a Python library for HTML and XML processing, performed insufficient sanitisation for embedded Javascript code. This might lead to cross-site scripting or possibly the execution of arbitrary code. Vulnerable: <= 3.4.0-1+deb8u2 Fixed: 3.4.0-1+deb8u3 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2555528 | In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer’s ARP policer. To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5 |
| 2555508 | CVE-2018-0734: A minor timing side channel attack was found in the OpenSSL DSA signature algorithm. The fix for that introduced a more severe regression that could also be exploited as a timing side channel attack. This update fixes both the original problem and the subsequent issue. CVE-2020-1971: A flaw in the GENERAL_NAME_cmp() function could cause a NULL dereference, resulting in denial of service. Vulnerable: <= 1.0.1t-1+deb8u12 Fixed: 1.0.1t-1+deb8u13 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2555435 | CVE-2018-19139: Fix memory leaks by registering jpc_unk_destroyparms. CVE-2020-27828: Avoid maxrlvls more than upper bound to cause heap-buffer-overflow. CVE-2018-19543 and CVE-2017-9782: There is a heap-based buffer over-read of size 8 in the function jp2_decode in libjasper/jp2/jp2_dec.c. Vulnerable: <= 1.900.1-debian1-2.4+deb8u6 Fixed: 1.900.1-debian1-2.4+deb8u7 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2555401 | On the Edgecore AS7312 switch, eth0 and swp use the same MAC address. | 3.7.14-4.2.1 | 4.3.0-4.4.5 |
| 2555315 | CVE-2020-25709, CVE-2020-25710: Vulnerabilities in the certificate list syntax verification and in the handling of CSN normalization were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash) via specially crafted packets. Vulnerable: <= 2.4.40+dfsg-1+deb8u7 Fixed: 2.4.40+dfsg-1+deb8u8 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2555278 | When you change the anycast address for the MLAG pair (clagd-vxlan-anycast-ip), high peak traffic occurs on the peer link interface of all MLAG switches. | 3.7.13-3.7.16 | 4.0.0-4.4.5 |
| 2555196 | CVE-2018-19787, CVE-2020-27783: The clean_html() function of lxml, a Python library for HTML and XML processing, performed insufficient sanitisation for embedded Javascript code. This could lead to cross-site scripting or possibly the execution of arbitrary code. Vulnerable: <= 3.4.0-1+deb8u1 Fixed: 3.4.0-1+deb8u2 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2555178 | On Mellanox switches, the ASIC temperature sensor reading reports zeros. As a result, the fan speed is higher than normal. You can see the temperature reading in the output of the sensors command. | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2555147 | Some issues have been found in qemu, a fast processor emulator. CVE-2020-25085 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 CVE-2020-27617: All issues are related to assertion failures, out-of-bounds access failures or bad handling of return codes. Vulnerable: <= 2.1+dfsg-12+deb8u17 Fixed: 2.1+dfsg-12+deb8u18 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2554991 | When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes. To work around this issue, either shut down one side of the MLAG bond or prune out VLANS over the bond. | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2554804 | On Mellanox SN2010 and SN2100 switches, the maximum fan speed is exceeded by fifteen percent. | 3.7.14-3.7.14.2 | 3.7.15-3.7.16 |
| 2554785 | After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX=“cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2554719 | A slow memory leak is observed (1% per 14 hours) in kmalloc-256. To work around this issue, reboot the switch. | 3.7.12-3.7.14.2 | 3.7.15-3.7.16 |
| 2554709 | The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected their Primary IP address, the unnumbered interface does not update its Primary IP address to be the new use-source value until after there is a netlink update for that interface.To work around this issue, configure ip pim use-source on each unnumbered interface directly or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. | 3.7.13-3.7.16, 4.2.1-4.4.5 | |
| 2554617 | OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf. This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper. | 3.7.14-3.7.16, 4.0.0-4.4.5 | |
| 2554588 | If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is runningTo work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:DHCPD_PID="-pf {0}” to:DHCPD_PID="-pf {1}" | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2554369 | Certain Dell S4048-ON switches show an incorrect vendor name and hang when you issue the reboot command. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2554329 | On the Dell N3248PXE switch, fixed RJ45 interfaces with PoE neighbors can end up in Paused mode after a switchd restart, which blocks traffic on that interface. | 3.7.12-3.7.16 | |
| 2553887 | When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2553748 | On switches with the Spectrum ASIC, the IPv6 default route is present in the kernel but missing in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2553677 | When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:
To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:
Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | |
| 2553219 | You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2553116 | When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2553050 | SNMP status might incorrectly reflect that a BGP neighbor is down due to an issue between bgpd and SNMP AgentX when the IP-FORWARD-MIB is also polled.To work around this issue, avoid polling IP-FORWARD-MIB objects. | 3.7.12-3.7.16 | |
| 2553015 | If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | |
| 2552939 | RX_DRP on a bond interface increases without any data traffic while the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2552869 | On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2552742 | On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2552739 | Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | |
| 2552610 | The following vulnerability has been announced: CVE-2019-11360: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c. | 3.7.13-4.2.0 | 4.2.1-4.4.5 |
| 2552294 | NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2552266 | OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files. The two scenarios where an exploit may be useful to an attacker: -The user is authorized to scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.-An attacker plants a maliciously named file in a directory tree that someone later uses scp -r to copy over to the target computer.Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server.If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously-named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files.To disable scp completely, use /bin/chmod 0 /usr/bin/scp . | 3.7.14-3.7.16, 4.0.0-4.4.5 | |
| 2552214 | The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14.2, 4.1.1-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2551911 | ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551578 | When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2551565 | If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both the VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affectedTo work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands. | 3.7.13-3.7.16, 4.2.0-4.4.5 | |
| 2551554 | Customers running security scans on Cumulus Linux 4 may encounter the listing of an incorrect version of u-boot 2014.10+dfsg1-4 with the following vulnerabilities:CVE-2017-3225CVE-2017-3226CVE-2018-18440CVE-2019-11690CVE-2019-13103CVE-2019-14192CVE-2019-14193CVE-2019-14194CVE-2019-14195CVE-2019-14196CVE-2019-14197CVE-2019-14198CVE-2019-14199CVE-2019-14200CVE-2019-14201CVE-2019-14202CVE-2019-14203CVE-2019-14204CVE-2020-10648The u-boot-tools package is not installed on the switch by default, but is available in the repository for optional installation. On Cumulus Linux 4, the version is at least 2019.01+dfsg-7. However, the older versions available for optional installation on Cumulus Linux 3 may be vulnerable According to https://security-tracker.debian.org/tracker/source-package/u-boot , all except the following are fixed in 2019.01+dfsg-7:CVE-2017-3225: https://security-tracker.debian.org/tracker/CVE-2017-3225 says “Negligible security impact” CVE-2017-3226: https://security-tracker.debian.org/tracker/CVE-2017-3226 says “Negligible security impact” CVE-2018-18440: https://security-tracker.debian.org/tracker/CVE-2018-18440 says “No security impact as supported/packaged in Debian”. | 3.7.12-3.7.16 | 4.0.0-4.4.5 |
| 2551305 | The net show configuration command provides the wrong net add command for ACL under the VLAN interface. | 3.7.12-3.7.16, 4.1.0-4.4.5 | |
| 2551288 | When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2550974 | On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | |
| 2550942 | NCLU tab completion for net show displays the text add help text instead of system Information for the system option. | 3.7.11-4.2.0 | 4.2.1-4.4.5 |
| 2550796 | On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero. To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2550793 | The NCLU net show bridge spanning-tree command displays the aging timer incorrectly. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550600 | The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2550478 | VXLAN interface as in-interface or out-interface in an ACL is not supported in Spectrum-based switches. | 3.7.7-4.2.0 | 4.2.1-4.4.5, 4.3.0-4.4.5 |
| 2550444 | Tab completion for the net show rollback description command returns information about a snapshot instead of context help.To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550443 | The net show rollback description command returns an error even if the string matches a commit description.To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550276 | In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added.All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2550243 | When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service. For example:
| 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550056 | The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549925 | When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:
To work around this issue, run the ifreload -a command a second time. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2549872 | If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error. | 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549838 | In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel. If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel. To work around this issue, delete, then re-add the missing VNI. For example:
If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2549782 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2549731 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549472 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2549371 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.3 | 4.4.0-4.4.5 |
| 2549307 | The following vulnerabilities affect git, which is available in the repository for optional installation: CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host. CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5 |
| 2549226 | You might see the following gport error messages in switchd.log:
These messages are harmless and can be ignored. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2548962 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5 |
| 2548930 | On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2548746 | On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2548657 | When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:
You can safely ignore these error messages. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548490 | A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.To work around this issue, reenter the redistribute <connected|static> route-map statement in the configuration. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2548485 | If you configure the aggregate-addresssummary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:Existing configuration:router bgp 1If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,To work around this issue, remove, then re-add the component prefix routes. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2548315 | The following security advisory has been announced for bash: CVE-2019-18276 Qualys scan QID 372268 setuid vulnerability When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges.To work around this issue, do not make bash or bash scripts setuid. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548243 | On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2548155 | The net show bgp neighbor swpX json command shows negative output for the bgpTimerUpMsec timer. | 3.7.10-3.7.16 | 4.0.0-4.4.5 |
| 2548117 | In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548044 | When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16 |
| 2548024 | On the Dell Z9100 switch, 100G-SR4 modules might not link up reliably in certain ports. swp1, 2, 3, 9, 10, 23, 24, 30, 31, and 32 might be affected To work around this issue, move 100G SR4 modules to one of the ports not affected by this issue. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547942 | On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547878 | The following vulnerability has been found in the libgcrypt20 cryptographic library.CVE-2019-13627: there was a ECDSA timing attack. For more information, see https://www.debian.org/lts/security/2020/dla-1931-2.en.html Vulnerable: 1.6.3-2+deb8u7 Fixed: 1.6.3-2+deb8u8 | 3.7.11-3.7.16 | |
| 2547876 | The following vulnerability affects libxml2: CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c has a memory leak related to newDoc->oldNs. This can lead to a denial of service. For more information, see https://www.debian.org/lts/security/2019/dla-2048.en.html . Vulnerable: 2.9.1+dfsg1-5+deb8u7 Fixed: 2.9.1+dfsg1-5+deb8u8 | 3.7.11-3.7.16 | |
| 2547874 | The following vulnerability affects libbsd, a package containing utility functions from BSD systems. CVE-2016-2090: In function fgetwln() an off-by-one error could triggers a heap buffer overflow. For more information, see https://www.debian.org/lts/security/2019/dla-2052.en.html . Vulnerable: 0.7.0-2 Fixed: 0.7.0-2+deb8u1 | 3.7.11-3.7.16 | |
| 2547839 | When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547782 | If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547706 | When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547659 | On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547573 | On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU. | 3.7.9-3.7.16 | |
| 2547443 | On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547381 | The hsflowd service sends an undefined header protocol 0 in the sampled flow sample to the collector, which is not recognized by the sFlow tool. You see errors similar to the following:
| 3.7.11-3.7.16 | 4.0.0-4.4.5 |
| 2547349 | When you change an interface IP address, then change it back, static routes are misprogrammed One of the following actions recovers the routes:- Bounce both layer 3 interfaces- Remove or add static routes in FRR- Restart FRR | 3.7.11-3.7.16 | 4.0.0-4.4.5 |
| 2547123 | On the Broadcom switch with the Trident3 ASC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547120 | After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom –init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547118 | The following security vulnerabilities have been announced in the libtiff5 library on Cumulus Linux 4.0: CVE-2019-14973, CVE-2019-17546: Multiple integer overflows have been discovered in the libtiff library and the included tools. Vulnerable: 4.0.10-4 Fixed: 4.1.0+git191117-2~deb10u1 | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2547100 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547068 | Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available or manually disable CPU C-states in the kernel as outlined below To permanently disable C-states using a kernel boot parameter:1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if /etc/default/grub file contains the line GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off”, change it to GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0”2. Run sudo update-grub3. Reboot the system with sudo rebootTo disable cstates in realtime on the current system, which does not persist through a reboot:1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade;sudo apt install libpci32. Disable C-states by running the command ./cpupower idle-set -d 2C-states are disabled by default in Cumulus Linux 4.3.0 and later. | 3.7.9-4.2.1 | 4.3.0-4.4.5 |
| 2546991 | The FRR service does not provide a way for automation to know if the configuration applied properly. To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546895 | If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.serviceTo increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter2.Restart the switchd service with the sudo systemctl restart switchd.service commandsystemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546450 | On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold. | 3.7.11-3.7.16 | |
| 2546385 | SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | |
| 2546225 | When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.
To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546203 | When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior: * Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet. * If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet. | 3.7.11-3.7.16 | |
| 2546131 | On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546010 | When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist. | 3.7.10-3.7.16 | |
| 2545997 | The NCLU command net show interface produces an error if bonds with no members exist.To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a. | 3.7.10-3.7.16 | |
| 2545566 | The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT. | 3.7.12-4.0.1 | 4.1.0-4.4.5 |
| 2545446 | If you use NCLU commands to add a non-MLAG bond, then add an MLAG configuration, the net commit command fails. However, a subsequent net commit command succeeds. | 3.7.10-3.7.16 | |
| 2545125 | If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
| 2544978 | If you delete an undefined bond, then add a bond slave, the net commit command fails. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544968 | FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
should be:
To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544953 | When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
| 2544904 | After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements. To work around this issue, restart FRR after removing the IPv6 numbered configuration. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544829 | Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | |
| 2544671 | Package : sudoCVE ID : CVE-2019-14287Debian Bug : 942322Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows to run commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html We recommend that you upgrade your sudo packages. For the detailed security status of sudo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudoVulnerable versions: < 1.8.27-1+deb10u1Fixed versions: >= 1.8.27-1+deb10u1To work around this iisue, disable (comment out) any sudoers entries in /etc/sudoers or files in /etc/sudoers.d that have entries with !root in them. Only root or other users with a uid of 0 that are affected. | 3.7.9-3.7.16 | 4.0.0-4.4.5 |
| 2544556 | If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:
If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544463 | Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544456 | The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544311 | Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544235 | The following CVEs affect the linux kernel package: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.10-3.7.16 | |
| 2544155 | NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544113 | Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link. To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2543900 | On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543841 | The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543840 | On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file. | 3.7.6-3.7.16 | |
| 2543800 | When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2543647 | ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
| 3.7.6-4.2.1 | 4.3.0-4.4.5 |
| 2543646 | In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543627 | Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543270 | The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2543164 | The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2543096 | When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543058 | The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces. To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543052 | Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as “inactive” in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR. To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:
You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2543044 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2542979 | On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5 |
| 2542945 | On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
| 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542310 | hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6. | 3.7.6-3.7.16 | |
| 2542305 | If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542301 | When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2541212 | The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2541165 | On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false. | 3.7.6-3.7.16 | |
| 2541029 | On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540950 | On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status. | 3.7.3-4.1.1 | 4.2.0-4.4.5 |
| 2540885 | The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports. | 3.7.7-3.7.16 | |
| 2540863 | On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number. | 3.7.3-3.7.16 | |
| 2540753 | If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
| 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540444 | SNMP incorrectly requires engine ID specification. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540352 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2540340 | NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540274 | On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540204 | When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540192 | The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540155 | On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540042 | When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540041 | On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540040 | Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540031 | NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2539994 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539670 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539124 | The net add interface command adds no ptm-enable for that interface in the frr.conf file.Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2538875 | IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file. | 3.7.2-3.7.16 | |
| 2538790 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538590 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538562 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538256 | On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets. | 3.7.2-4.0.1 | 4.1.0-4.4.5 |
| 2537819 | When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537188 | When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network. | 3.7.2-3.7.16 | |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2533691 | If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2532017 | In FRR, bgp_snmp does not show all BGP peers when peer groups used. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
Fixed Issues in 3.7.14
| Issue ID | Description | Affects |
|---|---|---|
| 2556019 | After you add an interface to a bridge using the NCLU net add bridge bridge ports command, the bridge can go down and its MAC address changesTo work around this issue, use Linux commands to add an interface to a bridge. | 3.7.9-3.7.13 |
| 2554687 | CVE-2020-28196: There is a denial of service vulnerability in the MIT Kerberos network authentication system, krb5. The lack of a limit in the “ASN.1” decoder could lead to infinite recursion and allow an attacker to overrun the stack and cause the process to crash. Vulnerable: <= 1.12.1+dfsg-19+deb8u5 Fixed: 1.12.1+dfsg-19+deb8u6 | 3.7.13 |
| 2554454 | The following vulnerability has been announced in the freetype / libfreetype6 packages: CVE-2020-15999: heap-based buffer overflow vulnerability in the handling of embedded PNG bitmaps in FreeType. Opening malformed fonts may result in denial of service or the execution of arbitrary code. Vulnerable: <= 2.5.2-3+deb8u4 Fixed: 2.5.2-3+deb8u5 | 3.7.13 |
| 2554332 | In an EVPN active/active environment, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of the ARP messages might be dropped by the ARP policer of the MLAG peer. To work around this issue, increase the burst value of the ARP policers to 200 or higher. | |
| 2554232 | VXLAN encapsulated traffic is not routed to the next hop because the destination VTEP IP address is mis-programmed on the switch, which decapsulates the traffic unexpectedly. To work around this issue, restart switchd. | 3.7.12-3.7.13 |
| 2553876 | The following vulnerability has been announced in the ruby2.1 packages: CVE-2020-25613: WEBrick (bundled along with ruby2.1) was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to “smuggle” a request. Vulnerable: <= 2.1.5-2+deb8u10 Fixed: 2.1.5-2+deb8u11. | 3.7.13 |
| 2553847 | The following vulnerabilities have been announced in the python3.4 packages: CVE-2019-20907: Avoid infinite loop with crafted tar file by improving header validation. CVE-2020-26116: Avoid injection of HTTP headers via the HTTP method without rejecting newline characters. Vulnerable: <= 3.4.2-1+deb8u8 Fixed: 3.4.2-1+deb8u9 | 3.7.13 |
| 2553738 | The following vulnerability has been announced in curl: CVE-2020-8231: In rare circumstances, when using the multi API of curl in combination with CURLOPT_CONNECT_ONLY, the wrong connection might be used when transfering data later. Vulnerable: <= 7.38.0-4+deb8u17 Fixed: 7.38.0-4+deb8u18 | 3.7.13 |
| 2553732 | A ping via a dual-connected bond fails, and the audio stream is not routed or encapsulated through the layer 3 VNI. | 3.7.12-3.7.13, 4.0.0-4.2.1 |
| 2553588 | Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn’t exist. To work around this issue, disable IGMP snooping on the switch. | 3.7.12-3.7.13, 4.0.0-4.2.1 |
| 2553530 | In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated. To work around this issue, restart FRR with the sudo systemctl restart frr.service command. | 3.7.10-3.7.13, 4.1.1-4.2.1 |
| 2553450 | On the the Dell N3248-PXE switch, when you insert two PSUs at different times, the newly inserted PSU is detected as OK but the fan and temp sensors are ABSENT. To work around this issue, remove power to both PSUs at the same time, then reinsert power simultaneously. | 3.7.12-3.7.13, 4.2.1 |
| 2553229 | On the Dell N3248PXE switch, RJ45 fixed copper ports that auto-negotiate with a 100M or 10M neighbor incorrectly negotiate a half-duplex link that generates errors. Half duplex modes are not supported on this platform. | 3.7.12-3.7.13, 4.2.1 |
| 2553190 | The following vulnerabilities have been announced in libxml2: CVE-2017-8872: Global buffer-overflow in the htmlParseTryOrFinish function. CVE-2019-20388: A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service. CVE-2020-24977: Out-of-bounds read restricted to xmllint –htmlout. CVE-2020-7595: Infinite loop in xmlStringLenDecodeEntities can cause a denial of service. Vulnerable: <= 2.9.1+dfsg1-5+deb8u8 Fixed: 2.9.1+dfsg1-5+deb8u9 | 3.7.13 |
| 2553151 | The following security vulnerabilities have been announced in imagemagick:CVE-2017-12806: A memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service CVE-2019-13308, CVE-2019-13391: Heap-based buffer overflow in MagickCore/fourier.c in ComplexImages may cause a denial-of-service or other unspecified results Vulnerable: <= 6.8.9.9-5+deb8u20Fixed: 6.8.9.9-5+deb8u21 | 3.7.13 |
| 2553049 | The following vulnerability has been announced in the libx11 libraries: CVE-2020-14363: Integer overflow in the init_om function of libX11, the X11 client-side library, which could lead to a double free. Vulnerable: <= 1.6.2-3+deb8u3 Fixed: 1.6.2-3+deb8u4 | 3.7.13 |
| 2553001 | When the following conditions exist, clagd might fail to establish a TCP control session across the subinterface (such as, peerlink.4094):* clagd uses an IPv6 link-local address (LLA) to establish the TCP connection (the clagd-peer-ip linklocal command configures an IPv6 LLA connection)* Subsequent VLAN changes are made to VLAN sub-interfaces or adding or removing SVIs This issue occurs because the hardware stores one entry per VRF to represent the IPv6 LLA. The hardware entry for the LLA is removed when another interface is changed because the software interfaces are represented by a single entity in hardware. As a result, packets destined to the local IPv6 LLA address are received on the port but do not get forwarded to CPU for further processing. To workaround this issue, use IPv4 addresses under peerlink.4094 and configure clagd to peer on IPv4 addresses. | 3.7.12-3.7.13 |
| 2552953 | The following vulnerability has been announced in the bind9 packages: CVE-2020-8622: Crafted responses to TSIG-signed requests could lead to an assertion failure, causing named, a Domain Name Server, to exit. This could be done by malicious server operators or guessing attackers. Vulnerable: <= 9.9.5.dfsg-9+deb8u19 Fixed: 9.9.5.dfsg-9+deb8u20 | 3.7.13 |
| 2552952 | The following vulnerability has been announced in the nss / libnss3 packages: CVE-2020-12403: The ChaCha20 symmetric key cipher algorithm did not correctly enforce the tag length which may have led to an out-of-bounds read and a lack of confidentiality. Vulnerable: <= 3.26-1+debu8u12 Fixed: 3.26-1+debu8u13 | 3.7.13 |
| 2552925 | On the EdgeCore AS-6712-32X, AS5812-54X and AS5812-54T switch models, the temp sensors (DIMM temp sensor) show ABSENT. The amber diagnostic light on the front of the switch might also be turned on due to this issue. These messages and the light are cosmetic issues only and do not otherwise impact the function of the switch. | 3.7.12-3.7.13 |
| 2552881 | IPv6 TCP or UDP connections (sourcing from an ephemeral port in the range 34048 to 35071) are not forwarded if the switch has more than one layer 2 VNI defined. The traffic might be locally switched on the bridge and dropped. To work around this issue, disable ARP/ND suppression to remove the internal ACL rule that affects the ports. | 3.7.13, 4.2.1 |
| 2552859 | Mellanox switches with the Spectrum ASIC fail to read PSU Fan/Temp sensors and report them as Absent. The following messages are observed in syslog:
| 3.7.13 |
| 2552756 | An issue has been found in python2.7, an interactive high-level object-oriented language. CVE-2019-20907: Opening a crafted tar file could result in an infinite loop due to missing header validation. Vulnerable: <= 2.7.9-2-ds1+deb8u5 Fixed: 2.7.9-2-ds1+deb8u6 | 3.7.13 |
| 2552647 | When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding. To work around this issue, bounce the bond or shutdown the new interface and use the remaining members over the bond. | 3.7.10-3.7.13, 4.2.0 |
| 2552608 | The following vulnerability has been announced: CVE-2019-20892: net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. Fixed: 5.8.0-cl4.2.1u1, 5.8.0-cl3.7.14u1 | 3.7.13, 4.0.0-4.2.0 |
| 2552528 | Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-3.7.13, 4.0.0-4.2.1 |
| 2552506 | Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports. To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-3.7.13, 4.0.0-4.2.0 |
| 2552352 | The following security vulnerabilities have been announced in the nss / libnss3 packages: CVE-2020-6829: Side channel attack on ECDSA signature generation CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function CVE-2020-12401: ECDSA timing attack mitigation bypass Vulnerable: <= 3.26-1+debu8u11 Fixed: 3.26-1+debu8u12 | 3.7.0-3.7.13 |
| 2552351 | The following vulnerability has been announced in the libx11 packages: CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method. Vulnerable: <= 1.6.2-3+deb8u2 Fixed: 1.6.2-3+deb8u3 | 3.7.0-3.7.13 |
| 2552301 | On a Mellanox switch with the Spectrum ASIC, you see LPC I2C driver errors similar to the following during boot:
| 3.7.13 |
| 2552298 | The following vulnerability has been announced in net-snmp: CVE-2020-15862: A privilege escalation involving the NET-SNMP-EXTEND-MIB support (which is enabled by default at compile-time). The fixed versions disable NET-SNMP-EXTEND-MIB support. Vulnerable: <= 5.8.0-cl3u11, <= 5.8.0-cl4u4 Fixed: 5.8.0-cl3.7.14u3, 5.8.0-cl4.2.1u1 | 3.7.13, 4.0.0-4.2.0 |
| 2552250 | A vulnerability was found in curl, a command line tool for transferring data with URL syntax. curl is installed by default on Cumulus Linux.CVE-2020-8177: When using when using -J (–remote-header-name) and -i (–include) in the same command line, a malicious server could force curl to overwrite the contents of local files with incoming HTTP headers. Vulnerable: <= 7.38.0-4+deb8u16 Fixed: 7.38.0-4+deb8u17 | |
| 2552249 | An issue has been found in luajit, a just in time compiler for Lua. CVE-2020-15890: An out-of-bounds read could happen because __gc handler frame traversal is mishandled. Vulnerable: 2.0.3+dfsg-3 Fixed: 2.0.3+dfsg-3+deb8u1 | |
| 2552205 | If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer’s SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.To work around this issue, ifdown/ifup the SVI when a MAC address changes. | 3.7.12-3.7.13, 4.0.0-4.2.0 |
| 2551748 | In OVSDB high availability mode, deleting > 200 VLAN bindings might cause ovs-vtepd to crash. Limit the deletion to 200 or fewer VLAN bindings. | 3.7.12-3.7.13, 4.0.0-4.2.1 |
| 2551731 | When the OVSDB VTEP scale increases, the CPU utilization increases and eventually the switch (ptmd) fails to respond to the BFD, causing the BFD session to go down. As a result OVSDB cannot read the BFD socket status and outputs a warning in the ovs-vtepd debugs: PTM socket error: Bad file descriptor. | 3.7.12-3.7.13, 4.0.0-4.2.0 |
| 2551728 | In OVSDB high availability mode, if you create, then delete a binding, the FDB entry is not replaced and you see an error. | 3.7.12-3.7.13, 4.0.0-4.2.0 |
| 2551714 | There is a change to the default OVSDB bootstrapping process, where the script created now defaults to VLAN-aware bridge mode. If you want to use traditional bride mode, you need to force it by editing the ovs-vtep-ctl script generated by the bootstrap process. | 3.7.12-3.7.13, 4.0.0-4.2.0 |
| 2551693 | A host migrated to an 802.1X MAB port within the same broadcast domain fails to have the correct FDB entry installed if a dynamic FDB entry for that MAC address exists from previous connectivity in the broadcast domain. To work around this issue, manually delete the dynamic FDB entry that is associated with the uplink trunk port. | 3.7.12-3.7.13, 4.1.1-4.2.0 |
| 2551675 | When you restart clagd, the edge port setting on the peer link changes. | 3.7.2-3.7.13, 4.0.0-4.2.0 |
| 2551651 | The net show dot1x interface summary command output shows a MAC address with all zeros associated with a port. | 3.7.12-3.7.13, 4.0.0-4.2.0 |
| 2550873 | In an MLAG configuration with static VXLAN, static tunnels become unreachable. | 3.7.13, 4.1.1-4.2.0 |
| 2550606 | A VRRP role change over the EVPN network causes excessive BGP updates and connectivity issues to VIP for about one minute. | 4.1.1-4.2.0 |
| 2550375 | CPU utilization may increase when clag-managed bond interfaces are operationally/LACP down but the physical carrier remains up on the bond member switchports. This condition occurs when clag bond redirection is enabled and bond members remain up while the parent bond does not negotiate LACP. This issue is resolved in Cumulus Linux 3.7.14. | 3.7.9-3.7.13, 4.0.0-4.2.1 |
| 2550350 | Unicast traffic from downlink hosts is flooded to multiple remote VTEPs, which might also cause high HwIfOutQDrops/TX_DRP on the uplink ports. To work around this issue, restart switchd. | 3.7.10-3.7.13, 4.0.0-4.1.1 |
| 2549794 | The asic-monitor.service fails when you configure /etc/cumulus/datapath/monitor.conf with monitor.histogram_pg.collect.port_group_list = [all_packet_pg] and there is traffic passing through the buffer. When the service fails, you see the following traceback in journalctl:
| 3.7.11-3.7.13, 4.1.1-4.2.0 |
| 2548475 | After you add a new VNI and a layer 3 SVI to a set of leafs, certain leafs might not be able to communicate on the layer 3 VNI. To work around this issue, reboot the leaf switch or restart switchd. | 3.7.6-3.7.13 |
| 2548152 | On the Mellanox Spectrum switch in an EVPN symmetric configuration with MLAG, simultaneously shutting down the layer 3 interfaces that serve as uplinks to the VXLAN fabric might result in traffic loss of up to 15 seconds. | 4.1.0-4.1.1 |
| 2547799 | An error similar to the following shows in syslog for Mellanox switches:
To work around this issue, reboot the switch. | 3.7.11-3.7.13, 4.0.0-4.0.1 |
| 2547784 | PTM mis-detects incorrect hostnames of LLDP neighbors and does not fail them as expected. Instead they end up in an N/A cabling status. | 3.7.11-3.7.13, 4.0.0-4.1.1 |
| 2547341 | When host-resources and ucd-snmp-mib are polled, you see permission denied messages similar to the following:
| 3.7.13, 4.0.0-4.1.1 |
| 2547246 | The MLAG switch pair has VLANs defined that are not used on MLAG bonds. These VLANs still synchronize MAC addresses across to the peer switch. This results in log messages that indicate a MAC address is installed and the VLAN is not defined; for example:
| 3.7.10-3.7.13, 4.0.0-4.1.1 |
| 2546577 | A traditional bridge with QinQ and a VNI does not work for tagged traffic. | 3.7.10-3.7.13, 4.0.0-4.0.1 |
| 2545934 | Mellanox switches might experience higher CPU usage from the sx_sdk service or when BFD is in use.To work around this issue, disable BFD to alleviate some of the CPU load. | 3.7.13, 4.0.0-4.1.1 |
| 2545699 | On the Celestica Pebble switch, if you use IPv6 routes with mask /65 to /127, the switchd log fills with errors. | 3.7.10-3.7.13 |
| 2545537 | On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | 4.0.0-4.1.1 |
| 2545404 | On the Trident3 switch, unicast ARP packets received on a VNI and forwarded to the CPU are not policed. | 3.7.10-3.7.13, 4.0.0-4.0.1 |
| 2535707 | On the Mellanox switch, GRE tunneling does not work if the tunnel source is configured on an SVI interface. If the tunnel source is configured on a physical switch port, then tunneling works as expected. | 4.0.0-4.1.1 |
| 2534978 | On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 |
| 2529322 | On a Mellanox switch in an MLAG configuration, routed packets that arrive on one switch to be forwarded to a destination MAC across the peer link are dropped due to MLAG loop prevention. This affects both routed unicast and multicast packets. To work around this issue, modify the routing design or policy such that routes do not have a next hop of an MLAG peer switch that traverses the MLAG peer link. |
3.7.13 Release Notes
Open Issues in 3.7.13
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 3135801 | Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop. | 3.7.12-4.3.0 | 4.3.1-4.4.5 |
| 3073668 | On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | |
| 3017190 | When you power cycle the switch, multiple interfaces came up in a PoE disabled state To work around this issue, run the sudo poectl -a | grep disabled command to find ports with disabled POE. Run the sudo poectl -e swp1-swp48 command to enable POE on affected ports. | 3.7.10-3.7.16 | |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2940076 | In a VXLAN fabric with ToR switches configured in a MLAG pair, BUM traffic received on a VXLAN tunnel is decapsulated and forwarded on the peer link bond. The BUM traffic is then encapsulated by the peer switch and sent back to the fabric. The issue has been seen in environments where the following conditions exist at the same time:1) high VNI scale2) switchd is busy processing updates3) clagd is in a transition state, such as Up, then Down, then Up. For example, when clagd restarts, the switch reboots, and so onThe problem is seen on the switch that experiences the clagd state transition. | 3.7.12-3.7.15 | 3.7.16 |
| 2940063 | Under certain high scale conditions, various modules might experience timetouts during cl-support collection, which results in missing data in the cl-support file. | 3.7.12-3.7.15, 4.1.1-4.3.0 | 3.7.16, 4.3.1-4.4.5, 5.0.0-5.12.1 |
| 2934940 | When you change the SVI vlan-id value in the /etc/network/interfaces file, then run ifreload -a, the 802.1Q ID for the SVI in the kernel does not change.This operation is not supported in the kernel without recreating the SVI. To apply the change, run ifdown, then ifup for the SVI to recreate the interface. | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2934939 | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usageTo workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:address-family ipv4 unicastAfter: ip route 10.10.0.0/16 Null0This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-3.7.16 | |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2866084 | When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb deldev command, then add “vxlan-learning”: “off” in the /etc/network/ifupdown2/policy.d/vxlan.json file:$ cat /etc/network/ifupdown2/policy.d/vxlan.jsonReboot the affected switches. | 3.7.12-4.3.0 | 4.3.1-4.4.5 |
| 2866061 | On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 3.7.12-3.7.16 | |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2815592 | In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.12.1 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2801262 | On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. | 3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.12.1 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2794750 | When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736265 | After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2730225 | When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2700767 | Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16 |
| 2687332 | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usageTo workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:address-family ipv4 unicastAfter: ip route 10.10.0.0/16 Null0This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2684452 | When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb deldev command2. Add “vxlan-learning”: “off” under /etc/network/ifupdown2/policy.d/vxlan.json$ cat /etc/network/ifupdown2/policy.d/vxlan.json3. Reboot the affected switch(es) | 3.7.12-3.7.16 | |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2669438 | Editing the /etc/frr/frr.conf file to add a new sequence at the beginning of an existing large prefix list changes the subsequent sequence numbers of the next entries in the list and FRR reload might fail with the error message frr.service reload operation timed out. Stopping. To work around this issue, instead of adding the new prefix using an existing sequence number and pushing other sequences forward, use a sequence number that is free; for example, instead of of using 5 -> 10 -> 15, use 5 -> 7 -> 10. | 3.7.11-3.7.16 | |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2660582 | In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure) To recover restart the clagd service with sudo systemctl restart clagd.service | 3.7.8-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2656291 | The following CVEs affect the linux kernel package: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.12-3.7.16 | 4.0.0-4.4.5 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2653400 | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2645846 | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. | 3.7.10-3.7.15 | 3.7.16, 4.3.1-4.4.5 |
| 2638137 | When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file. | 3.7.13-3.7.16 | |
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2633245 | On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2599607 | In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5, 5.0.0-5.12.1 |
| 2595889 | In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-4.2.1 | 4.3.0-4.4.5 |
| 2595816 | Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2589747 | If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a good bye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal it is going down, (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2581473 | When netq-agent is installed on the Dell N3048EP platform, switchd might crash if pluggables are installed in the SFP+ ports. | 3.7.13-3.7.15 | 3.7.16 |
| 2562511 | hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary radius is reachable but not responding to Access-RequestsIf the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers. | 3.7.10-3.7.14.2 | 3.7.15-3.7.16 |
| 2556233 | Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message will be observed when this condition occurs:WARN xx routes reverted to non-ECMP due to NH table capacity | 3.7.9-3.7.14.2 | 3.7.15-3.7.16 |
| 2556037 | After you add an interface to the bridge, an OSPF session flap might occur | 3.7.9-4.2.0 | 4.2.1-4.4.5 |
| 2556019 | After you add an interface to a bridge using the NCLU net add bridge bridge ports command, the bridge can go down and its MAC address changesTo work around this issue, use Linux commands to add an interface to a bridge. | 3.7.9-3.7.13 | 3.7.14-3.7.16 |
| 2555908 | If the you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command. | 3.7.12-4.0.1 | 4.1.0-4.4.5 |
| 2555278 | When you change the anycast address for the MLAG pair (clagd-vxlan-anycast-ip), high peak traffic occurs on the peer link interface of all MLAG switches. | 3.7.13-3.7.16 | 4.0.0-4.4.5 |
| 2554991 | When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes. To work around this issue, either shut down one side of the MLAG bond or prune out VLANS over the bond. | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2554785 | After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX=“cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2554719 | A slow memory leak is observed (1% per 14 hours) in kmalloc-256. To work around this issue, reboot the switch. | 3.7.12-3.7.14.2 | 3.7.15-3.7.16 |
| 2554709 | The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected their Primary IP address, the unnumbered interface does not update its Primary IP address to be the new use-source value until after there is a netlink update for that interface.To work around this issue, configure ip pim use-source on each unnumbered interface directly or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. | 3.7.13-3.7.16, 4.2.1-4.4.5 | |
| 2554687 | CVE-2020-28196: There is a denial of service vulnerability in the MIT Kerberos network authentication system, krb5. The lack of a limit in the “ASN.1” decoder could lead to infinite recursion and allow an attacker to overrun the stack and cause the process to crash. Vulnerable: <= 1.12.1+dfsg-19+deb8u5 Fixed: 1.12.1+dfsg-19+deb8u6 | 3.7.13 | 3.7.14-3.7.16 |
| 2554588 | If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is runningTo work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:DHCPD_PID="-pf {0}” to:DHCPD_PID="-pf {1}" | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2554454 | The following vulnerability has been announced in the freetype / libfreetype6 packages: CVE-2020-15999: heap-based buffer overflow vulnerability in the handling of embedded PNG bitmaps in FreeType. Opening malformed fonts may result in denial of service or the execution of arbitrary code. Vulnerable: <= 2.5.2-3+deb8u4 Fixed: 2.5.2-3+deb8u5 | 3.7.13 | 3.7.14-3.7.16 |
| 2554369 | Certain Dell S4048-ON switches show an incorrect vendor name and hang when you issue the reboot command. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2554329 | On the Dell N3248PXE switch, fixed RJ45 interfaces with PoE neighbors can end up in Paused mode after a switchd restart, which blocks traffic on that interface. | 3.7.12-3.7.16 | |
| 2554232 | VXLAN encapsulated traffic is not routed to the next hop because the destination VTEP IP address is mis-programmed on the switch, which decapsulates the traffic unexpectedly. To work around this issue, restart switchd. | 3.7.12-3.7.13 | 3.7.14-3.7.16 |
| 2553887 | When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2553876 | The following vulnerability has been announced in the ruby2.1 packages: CVE-2020-25613: WEBrick (bundled along with ruby2.1) was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to “smuggle” a request. Vulnerable: <= 2.1.5-2+deb8u10 Fixed: 2.1.5-2+deb8u11. | 3.7.13 | 3.7.14-3.7.16 |
| 2553847 | The following vulnerabilities have been announced in the python3.4 packages: CVE-2019-20907: Avoid infinite loop with crafted tar file by improving header validation. CVE-2020-26116: Avoid injection of HTTP headers via the HTTP method without rejecting newline characters. Vulnerable: <= 3.4.2-1+deb8u8 Fixed: 3.4.2-1+deb8u9 | 3.7.13 | 3.7.14-3.7.16 |
| 2553748 | On switches with the Spectrum ASIC, the IPv6 default route is present in the kernel but missing in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2553738 | The following vulnerability has been announced in curl: CVE-2020-8231: In rare circumstances, when using the multi API of curl in combination with CURLOPT_CONNECT_ONLY, the wrong connection might be used when transfering data later. Vulnerable: <= 7.38.0-4+deb8u17 Fixed: 7.38.0-4+deb8u18 | 3.7.13 | 3.7.14-3.7.16 |
| 2553732 | A ping via a dual-connected bond fails, and the audio stream is not routed or encapsulated through the layer 3 VNI. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2553677 | When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:
To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:
Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | |
| 2553588 | Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn’t exist. To work around this issue, disable IGMP snooping on the switch. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2553530 | In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated. To work around this issue, restart FRR with the sudo systemctl restart frr.service command. | 3.7.10-4.2.1 | 4.3.0-4.4.5 |
| 2553450 | On the the Dell N3248-PXE switch, when you insert two PSUs at different times, the newly inserted PSU is detected as OK but the fan and temp sensors are ABSENT. To work around this issue, remove power to both PSUs at the same time, then reinsert power simultaneously. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2553229 | On the Dell N3248PXE switch, RJ45 fixed copper ports that auto-negotiate with a 100M or 10M neighbor incorrectly negotiate a half-duplex link that generates errors. Half duplex modes are not supported on this platform. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2553219 | You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2553190 | The following vulnerabilities have been announced in libxml2: CVE-2017-8872: Global buffer-overflow in the htmlParseTryOrFinish function. CVE-2019-20388: A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service. CVE-2020-24977: Out-of-bounds read restricted to xmllint –htmlout. CVE-2020-7595: Infinite loop in xmlStringLenDecodeEntities can cause a denial of service. Vulnerable: <= 2.9.1+dfsg1-5+deb8u8 Fixed: 2.9.1+dfsg1-5+deb8u9 | 3.7.13 | 3.7.14-3.7.16 |
| 2553151 | The following security vulnerabilities have been announced in imagemagick:CVE-2017-12806: A memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service CVE-2019-13308, CVE-2019-13391: Heap-based buffer overflow in MagickCore/fourier.c in ComplexImages may cause a denial-of-service or other unspecified results Vulnerable: <= 6.8.9.9-5+deb8u20Fixed: 6.8.9.9-5+deb8u21 | 3.7.13 | 3.7.14-3.7.16 |
| 2553116 | When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2553050 | SNMP status might incorrectly reflect that a BGP neighbor is down due to an issue between bgpd and SNMP AgentX when the IP-FORWARD-MIB is also polled.To work around this issue, avoid polling IP-FORWARD-MIB objects. | 3.7.12-3.7.16 | |
| 2553049 | The following vulnerability has been announced in the libx11 libraries: CVE-2020-14363: Integer overflow in the init_om function of libX11, the X11 client-side library, which could lead to a double free. Vulnerable: <= 1.6.2-3+deb8u3 Fixed: 1.6.2-3+deb8u4 | 3.7.13 | 3.7.14-3.7.16 |
| 2553015 | If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | |
| 2553001 | When the following conditions exist, clagd might fail to establish a TCP control session across the subinterface (such as, peerlink.4094):* clagd uses an IPv6 link-local address (LLA) to establish the TCP connection (the clagd-peer-ip linklocal command configures an IPv6 LLA connection)* Subsequent VLAN changes are made to VLAN sub-interfaces or adding or removing SVIs This issue occurs because the hardware stores one entry per VRF to represent the IPv6 LLA. The hardware entry for the LLA is removed when another interface is changed because the software interfaces are represented by a single entity in hardware. As a result, packets destined to the local IPv6 LLA address are received on the port but do not get forwarded to CPU for further processing. To workaround this issue, use IPv4 addresses under peerlink.4094 and configure clagd to peer on IPv4 addresses. | 3.7.12-4.1.1 | 4.2.0-4.4.5 |
| 2552953 | The following vulnerability has been announced in the bind9 packages: CVE-2020-8622: Crafted responses to TSIG-signed requests could lead to an assertion failure, causing named, a Domain Name Server, to exit. This could be done by malicious server operators or guessing attackers. Vulnerable: <= 9.9.5.dfsg-9+deb8u19 Fixed: 9.9.5.dfsg-9+deb8u20 | 3.7.13 | 3.7.14-3.7.16 |
| 2552952 | The following vulnerability has been announced in the nss / libnss3 packages: CVE-2020-12403: The ChaCha20 symmetric key cipher algorithm did not correctly enforce the tag length which may have led to an out-of-bounds read and a lack of confidentiality. Vulnerable: <= 3.26-1+debu8u12 Fixed: 3.26-1+debu8u13 | 3.7.13 | 3.7.14-3.7.16 |
| 2552939 | RX_DRP on a bond interface increases without any data traffic while the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2552925 | On the EdgeCore AS-6712-32X, AS5812-54X and AS5812-54T switch models, the temp sensors (DIMM temp sensor) show ABSENT. The amber diagnostic light on the front of the switch might also be turned on due to this issue. These messages and the light are cosmetic issues only and do not otherwise impact the function of the switch. | 3.7.12-3.7.13 | 3.7.14-3.7.16 |
| 2552881 | IPv6 TCP or UDP connections (sourcing from an ephemeral port in the range 34048 to 35071) are not forwarded if the switch has more than one layer 2 VNI defined. The traffic might be locally switched on the bridge and dropped. To work around this issue, disable ARP/ND suppression to remove the internal ACL rule that affects the ports. | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2552869 | On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | 4.3.0-4.4.5 |
| 2552859 | Mellanox switches with the Spectrum ASIC fail to read PSU Fan/Temp sensors and report them as Absent. The following messages are observed in syslog:
| 3.7.13 | 3.7.14-3.7.16 |
| 2552756 | An issue has been found in python2.7, an interactive high-level object-oriented language. CVE-2019-20907: Opening a crafted tar file could result in an infinite loop due to missing header validation. Vulnerable: <= 2.7.9-2-ds1+deb8u5 Fixed: 2.7.9-2-ds1+deb8u6 | 3.7.13 | 3.7.14-3.7.16 |
| 2552742 | On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2552739 | Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | |
| 2552647 | When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding. To work around this issue, bounce the bond or shutdown the new interface and use the remaining members over the bond. | 3.7.10-4.2.0 | 4.2.1-4.4.5 |
| 2552610 | The following vulnerability has been announced: CVE-2019-11360: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c. | 3.7.13-4.2.0 | 4.2.1-4.4.5 |
| 2552608 | The following vulnerability has been announced: CVE-2019-20892: net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. Fixed: 5.8.0-cl4.2.1u1, 5.8.0-cl3.7.14u1 | 3.7.13-4.2.0 | 4.2.1-4.4.5 |
| 2552528 | Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-4.2.1 | 4.3.0-4.4.5 |
| 2552506 | Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports. To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-4.2.0 | 4.2.1-4.4.5 |
| 2552352 | The following security vulnerabilities have been announced in the nss / libnss3 packages: CVE-2020-6829: Side channel attack on ECDSA signature generation CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function CVE-2020-12401: ECDSA timing attack mitigation bypass Vulnerable: <= 3.26-1+debu8u11 Fixed: 3.26-1+debu8u12 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552351 | The following vulnerability has been announced in the libx11 packages: CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method. Vulnerable: <= 1.6.2-3+deb8u2 Fixed: 1.6.2-3+deb8u3 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552301 | On a Mellanox switch with the Spectrum ASIC, you see LPC I2C driver errors similar to the following during boot:
| 3.7.13 | 3.7.14-3.7.16 |
| 2552298 | The following vulnerability has been announced in net-snmp: CVE-2020-15862: A privilege escalation involving the NET-SNMP-EXTEND-MIB support (which is enabled by default at compile-time). The fixed versions disable NET-SNMP-EXTEND-MIB support. Vulnerable: <= 5.8.0-cl3u11, <= 5.8.0-cl4u4 Fixed: 5.8.0-cl3.7.14u3, 5.8.0-cl4.2.1u1 | 3.7.13-4.2.0 | 4.2.1-4.4.5 |
| 2552294 | NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2552214 | The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14.2, 4.1.1-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2552205 | If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer’s SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.To work around this issue, ifdown/ifup the SVI when a MAC address changes. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551911 | ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551748 | In OVSDB high availability mode, deleting > 200 VLAN bindings might cause ovs-vtepd to crash. Limit the deletion to 200 or fewer VLAN bindings. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2551731 | When the OVSDB VTEP scale increases, the CPU utilization increases and eventually the switch (ptmd) fails to respond to the BFD, causing the BFD session to go down. As a result OVSDB cannot read the BFD socket status and outputs a warning in the ovs-vtepd debugs: PTM socket error: Bad file descriptor. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551728 | In OVSDB high availability mode, if you create, then delete a binding, the FDB entry is not replaced and you see an error. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551714 | There is a change to the default OVSDB bootstrapping process, where the script created now defaults to VLAN-aware bridge mode. If you want to use traditional bride mode, you need to force it by editing the ovs-vtep-ctl script generated by the bootstrap process. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551693 | A host migrated to an 802.1X MAB port within the same broadcast domain fails to have the correct FDB entry installed if a dynamic FDB entry for that MAC address exists from previous connectivity in the broadcast domain. To work around this issue, manually delete the dynamic FDB entry that is associated with the uplink trunk port. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551675 | When you restart clagd, the edge port setting on the peer link changes. | 3.7.2-4.2.0 | 4.2.1-4.4.5 |
| 2551651 | The net show dot1x interface summary command output shows a MAC address with all zeros associated with a port. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551578 | When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2551565 | If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both the VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affectedTo work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands. | 3.7.13-3.7.16, 4.2.0-4.4.5 | |
| 2551554 | Customers running security scans on Cumulus Linux 4 may encounter the listing of an incorrect version of u-boot 2014.10+dfsg1-4 with the following vulnerabilities:CVE-2017-3225CVE-2017-3226CVE-2018-18440CVE-2019-11690CVE-2019-13103CVE-2019-14192CVE-2019-14193CVE-2019-14194CVE-2019-14195CVE-2019-14196CVE-2019-14197CVE-2019-14198CVE-2019-14199CVE-2019-14200CVE-2019-14201CVE-2019-14202CVE-2019-14203CVE-2019-14204CVE-2020-10648The u-boot-tools package is not installed on the switch by default, but is available in the repository for optional installation. On Cumulus Linux 4, the version is at least 2019.01+dfsg-7. However, the older versions available for optional installation on Cumulus Linux 3 may be vulnerable According to https://security-tracker.debian.org/tracker/source-package/u-boot , all except the following are fixed in 2019.01+dfsg-7:CVE-2017-3225: https://security-tracker.debian.org/tracker/CVE-2017-3225 says “Negligible security impact” CVE-2017-3226: https://security-tracker.debian.org/tracker/CVE-2017-3226 says “Negligible security impact” CVE-2018-18440: https://security-tracker.debian.org/tracker/CVE-2018-18440 says “No security impact as supported/packaged in Debian”. | 3.7.12-3.7.16 | 4.0.0-4.4.5 |
| 2551305 | The net show configuration command provides the wrong net add command for ACL under the VLAN interface. | 3.7.12-3.7.16, 4.1.0-4.4.5 | |
| 2551288 | When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2550974 | On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | |
| 2550942 | NCLU tab completion for net show displays the text add help text instead of system Information for the system option. | 3.7.11-4.2.0 | 4.2.1-4.4.5 |
| 2550873 | In an MLAG configuration with static VXLAN, static tunnels become unreachable. | 3.7.13-4.2.0 | 4.2.1-4.4.5 |
| 2550796 | On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero. To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2550793 | The NCLU net show bridge spanning-tree command displays the aging timer incorrectly. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550600 | The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2550478 | VXLAN interface as in-interface or out-interface in an ACL is not supported in Spectrum-based switches. | 3.7.7-4.2.0 | 4.2.1-4.4.5, 4.3.0-4.4.5 |
| 2550444 | Tab completion for the net show rollback description command returns information about a snapshot instead of context help.To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550443 | The net show rollback description command returns an error even if the string matches a commit description.To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550375 | CPU utilization may increase when clag-managed bond interfaces are operationally/LACP down but the physical carrier remains up on the bond member switchports. This condition occurs when clag bond redirection is enabled and bond members remain up while the parent bond does not negotiate LACP. This issue is resolved in Cumulus Linux 3.7.14. | 3.7.9-4.2.1 | 4.3.0-4.4.5 |
| 2550350 | Unicast traffic from downlink hosts is flooded to multiple remote VTEPs, which might also cause high HwIfOutQDrops/TX_DRP on the uplink ports. To work around this issue, restart switchd. | 3.7.10-4.1.1 | 4.2.0-4.4.5 |
| 2550276 | In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added.All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2550243 | When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service. For example:
| 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550056 | The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549925 | When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:
To work around this issue, run the ifreload -a command a second time. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2549872 | If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error. | 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549838 | In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel. If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel. To work around this issue, delete, then re-add the missing VNI. For example:
If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2549794 | The asic-monitor.service fails when you configure /etc/cumulus/datapath/monitor.conf with monitor.histogram_pg.collect.port_group_list = [all_packet_pg] and there is traffic passing through the buffer. When the service fails, you see the following traceback in journalctl:
| 3.7.11-4.2.0 | 4.2.1-4.4.5 |
| 2549782 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2549731 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549472 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2549371 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.3 | 4.4.0-4.4.5 |
| 2549307 | The following vulnerabilities affect git, which is available in the repository for optional installation: CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host. CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5 |
| 2549226 | You might see the following gport error messages in switchd.log:
These messages are harmless and can be ignored. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2548962 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5 |
| 2548930 | On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2548746 | On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2548657 | When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:
You can safely ignore these error messages. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548490 | A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.To work around this issue, reenter the redistribute <connected|static> route-map statement in the configuration. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2548485 | If you configure the aggregate-addresssummary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:Existing configuration:router bgp 1If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,To work around this issue, remove, then re-add the component prefix routes. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2548475 | After you add a new VNI and a layer 3 SVI to a set of leafs, certain leafs might not be able to communicate on the layer 3 VNI. To work around this issue, reboot the leaf switch or restart switchd. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2548315 | The following security advisory has been announced for bash: CVE-2019-18276 Qualys scan QID 372268 setuid vulnerability When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges.To work around this issue, do not make bash or bash scripts setuid. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548243 | On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2548155 | The net show bgp neighbor swpX json command shows negative output for the bgpTimerUpMsec timer. | 3.7.10-3.7.16 | 4.0.0-4.4.5 |
| 2548117 | In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548044 | When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16 |
| 2548024 | On the Dell Z9100 switch, 100G-SR4 modules might not link up reliably in certain ports. swp1, 2, 3, 9, 10, 23, 24, 30, 31, and 32 might be affected To work around this issue, move 100G SR4 modules to one of the ports not affected by this issue. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547942 | On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547878 | The following vulnerability has been found in the libgcrypt20 cryptographic library.CVE-2019-13627: there was a ECDSA timing attack. For more information, see https://www.debian.org/lts/security/2020/dla-1931-2.en.html Vulnerable: 1.6.3-2+deb8u7 Fixed: 1.6.3-2+deb8u8 | 3.7.11-3.7.16 | |
| 2547876 | The following vulnerability affects libxml2: CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c has a memory leak related to newDoc->oldNs. This can lead to a denial of service. For more information, see https://www.debian.org/lts/security/2019/dla-2048.en.html . Vulnerable: 2.9.1+dfsg1-5+deb8u7 Fixed: 2.9.1+dfsg1-5+deb8u8 | 3.7.11-3.7.16 | |
| 2547874 | The following vulnerability affects libbsd, a package containing utility functions from BSD systems. CVE-2016-2090: In function fgetwln() an off-by-one error could triggers a heap buffer overflow. For more information, see https://www.debian.org/lts/security/2019/dla-2052.en.html . Vulnerable: 0.7.0-2 Fixed: 0.7.0-2+deb8u1 | 3.7.11-3.7.16 | |
| 2547839 | When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547799 | An error similar to the following shows in syslog for Mellanox switches:
To work around this issue, reboot the switch. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547784 | PTM mis-detects incorrect hostnames of LLDP neighbors and does not fail them as expected. Instead they end up in an N/A cabling status. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547782 | If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547706 | When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547659 | On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547573 | On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU. | 3.7.9-3.7.16 | |
| 2547443 | On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547381 | The hsflowd service sends an undefined header protocol 0 in the sampled flow sample to the collector, which is not recognized by the sFlow tool. You see errors similar to the following:
| 3.7.11-3.7.16 | 4.0.0-4.4.5 |
| 2547349 | When you change an interface IP address, then change it back, static routes are misprogrammed One of the following actions recovers the routes:- Bounce both layer 3 interfaces- Remove or add static routes in FRR- Restart FRR | 3.7.11-3.7.16 | 4.0.0-4.4.5 |
| 2547341 | When host-resources and ucd-snmp-mib are polled, you see permission denied messages similar to the following:
| 3.7.13-4.1.1 | 4.2.0-4.4.5 |
| 2547246 | The MLAG switch pair has VLANs defined that are not used on MLAG bonds. These VLANs still synchronize MAC addresses across to the peer switch. This results in log messages that indicate a MAC address is installed and the VLAN is not defined; for example:
| 3.7.10-4.1.1 | 4.2.0-4.4.5 |
| 2547123 | On the Broadcom switch with the Trident3 ASC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547120 | After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom –init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547118 | The following security vulnerabilities have been announced in the libtiff5 library on Cumulus Linux 4.0: CVE-2019-14973, CVE-2019-17546: Multiple integer overflows have been discovered in the libtiff library and the included tools. Vulnerable: 4.0.10-4 Fixed: 4.1.0+git191117-2~deb10u1 | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2547100 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547068 | Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available or manually disable CPU C-states in the kernel as outlined below To permanently disable C-states using a kernel boot parameter:1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if /etc/default/grub file contains the line GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off”, change it to GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0”2. Run sudo update-grub3. Reboot the system with sudo rebootTo disable cstates in realtime on the current system, which does not persist through a reboot:1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade;sudo apt install libpci32. Disable C-states by running the command ./cpupower idle-set -d 2C-states are disabled by default in Cumulus Linux 4.3.0 and later. | 3.7.9-4.2.1 | 4.3.0-4.4.5 |
| 2546991 | The FRR service does not provide a way for automation to know if the configuration applied properly. To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546895 | If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.serviceTo increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter2.Restart the switchd service with the sudo systemctl restart switchd.service commandsystemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546577 | A traditional bridge with QinQ and a VNI does not work for tagged traffic. | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2546450 | On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold. | 3.7.11-3.7.16 | |
| 2546385 | SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | |
| 2546225 | When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.
To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546203 | When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior: * Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet. * If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet. | 3.7.11-3.7.16 | |
| 2546131 | On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546010 | When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist. | 3.7.10-3.7.16 | |
| 2545997 | The NCLU command net show interface produces an error if bonds with no members exist.To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a. | 3.7.10-3.7.16 | |
| 2545934 | Mellanox switches might experience higher CPU usage from the sx_sdk service or when BFD is in use.To work around this issue, disable BFD to alleviate some of the CPU load. | 3.7.13-4.1.1 | 4.2.0-4.4.5 |
| 2545699 | On the Celestica Pebble switch, if you use IPv6 routes with mask /65 to /127, the switchd log fills with errors. | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2545566 | The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT. | 3.7.12-4.0.1 | 4.1.0-4.4.5 |
| 2545446 | If you use NCLU commands to add a non-MLAG bond, then add an MLAG configuration, the net commit command fails. However, a subsequent net commit command succeeds. | 3.7.10-3.7.16 | |
| 2545404 | On the Trident3 switch, unicast ARP packets received on a VNI and forwarded to the CPU are not policed. | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2545125 | If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
| 2544978 | If you delete an undefined bond, then add a bond slave, the net commit command fails. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544968 | FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
should be:
To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544953 | When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
| 2544904 | After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements. To work around this issue, restart FRR after removing the IPv6 numbered configuration. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544829 | Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | |
| 2544671 | Package : sudoCVE ID : CVE-2019-14287Debian Bug : 942322Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows to run commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html We recommend that you upgrade your sudo packages. For the detailed security status of sudo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudoVulnerable versions: < 1.8.27-1+deb10u1Fixed versions: >= 1.8.27-1+deb10u1To work around this iisue, disable (comment out) any sudoers entries in /etc/sudoers or files in /etc/sudoers.d that have entries with !root in them. Only root or other users with a uid of 0 that are affected. | 3.7.9-3.7.16 | 4.0.0-4.4.5 |
| 2544556 | If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:
If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544463 | Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544456 | The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544311 | Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544235 | The following CVEs affect the linux kernel package: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.10-3.7.16 | |
| 2544155 | NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544113 | Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link. To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2543900 | On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543841 | The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543840 | On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file. | 3.7.6-3.7.16 | |
| 2543800 | When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2543647 | ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
| 3.7.6-4.2.1 | 4.3.0-4.4.5 |
| 2543646 | In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543627 | Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543270 | The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2543164 | The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2543096 | When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543058 | The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces. To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543052 | Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as “inactive” in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR. To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:
You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2543044 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2542979 | On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5 |
| 2542945 | On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
| 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542310 | hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6. | 3.7.6-3.7.16 | |
| 2542305 | If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542301 | When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2541212 | The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2541165 | On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false. | 3.7.6-3.7.16 | |
| 2541029 | On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540950 | On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status. | 3.7.3-4.1.1 | 4.2.0-4.4.5 |
| 2540885 | The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports. | 3.7.7-3.7.16 | |
| 2540863 | On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number. | 3.7.3-3.7.16 | |
| 2540753 | If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
| 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540444 | SNMP incorrectly requires engine ID specification. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540352 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2540340 | NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540274 | On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540204 | When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540192 | The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540155 | On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540042 | When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540041 | On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540040 | Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540031 | NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2539994 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539670 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539124 | The net add interface command adds no ptm-enable for that interface in the frr.conf file.Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2538875 | IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file. | 3.7.2-3.7.16 | |
| 2538790 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538590 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538562 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538256 | On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets. | 3.7.2-4.0.1 | 4.1.0-4.4.5 |
| 2537819 | When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537188 | When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network. | 3.7.2-3.7.16 | |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2533691 | If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2532017 | In FRR, bgp_snmp does not show all BGP peers when peer groups used. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
Fixed Issues in 3.7.13
| Issue ID | Description | Affects |
|---|---|---|
| 2552134 | When the MLAG peerlink flaps on Broadcom Trident3 platforms, switchd might continually sync route and neighbor entries to hardware. This can be observed in /var/log/switchd.log with repeated Neighbor Summary and IPv4 Route Summary updates:sync_route.c:2063 Neighbor Summary : 0 Added, 0 Deleted, 501 Updated, 0 Skipped in 589761 usecs | 3.7.12 |
| 2551915 | The following vulnerabilities have been announced in NGINX, which is installed by default on Cumulus Linux (however, the default nginx configuration is not vulnerable, since it does not configure error_page redirection or use lua): CVE-2019-20372: NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer. CVE-2020-11724: An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API. Vulnerable: <= 1.6.2-5+deb8u6 Fixed: 1.6.2-5+deb8u7 | 3.7.12 |
| 2551779 | Several issues were discovered in Python 3.4, an interactive high-level object-oriented language, that allow an attacker to cause denial of service, trafic redirection, header injection and cross-site scripting. CVE-2013-1753: The gzip_decode function in the xmlrpc client library allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request. CVE-2016-1000110:The CGIHandler class does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests. CVE-2019-16935:The documentation XML-RPC server has XSS via the server_title field. This occurs in Lib/xmlrpc/server.py. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. CVE-2019-18348: In urllib2, CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. CVE-2020-8492: Python allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. CVE-2020-14422: Lib/ipaddress.py improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. Vulnerable: <= 3.4.2-1+deb8u7 Fixed: 3.4.2-1+deb8u8 | 3.7.12 |
| 2551778 | Several vulnerabilities where found in Perl’s regular expression compiler. An application that compiles untrusted regular expressions could be exploited to cause denial of service or code injection. It is discouraged to allow untrusted regular expressions to be compiled by Perl. CVE-2020-10543: Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow. CVE-2020-10878: Perl before 5.30.3 has an integer overflow related to mishandling of a “PL_regkind[OP(n)] == NOTHING” situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection. CVE-2020-12723: regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls. Vulnerable: <= 5.20.2-3+deb8u12 Fixed: 5.20.2-3+deb8u13 | 3.7.12 |
| 2551708 | On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | |
| 2551543 | switchd might crash if more than 16 IPv6 default route next hops are installed in the kernel routing table and those 16 next hops recurse to MAC address table entries reachable over VXLAN VNI interfaces. This can occur when many IPv6 router advertisements (RAs) are received across VLAN interfaces that have IPv6 forwarding disabled.To work around this issue, add the following parameters to the /etc/sysctl.conf file to disable IPv6 default route installation from received router advertisements, then run the sudo sysctl -p –system command.
| 3.7.12 |
| 2551395 | The libnss3 package, available for optional installation on Cumulus Linux, has the following vulnerabilities:CVE-2020-12399: Timing differences when performing DSA signatures. CVE-2020-12402: Side channel vulnerabilities during RSA key generation. Vulnerable: <= 3.26-1+deb8u10 Fixed: 3.26-1+deb8u11 | 3.7.12 |
| 2551356 | The following vulnerabilities have been announced in the qemu package, which is available in the repository for optional installation on Cumulus Linux:CVE-2020-1983: slirp: Fix use-after-free in ip_reass(). CVE-2020-13361: es1370_transfer_audio in hw/audio/es1370.c allowed guest OS users to trigger an out-of-bounds access during an es1370_write() operation. CVE-2020-13362: megasas_lookup_frame in hw/scsi/megasas.c had an out-of-bounds read via a crafted reply_queue_head field from a guest OS user. CVE-2020-13765: hw/core/loader: Fix possible crash in rom_copy(). Vulnerable: <= 2.1+dfsg-12+deb8u14 Fixed: 2.1+dfsg-12+deb8u15 | 3.7.12 |
| 2551351 | CVE-2018-6381 CVE-2018-6484 CVE-2018-6540 CVE-2018-6541 CVE-2018-6869 CVE-2018-7725 CVE-2018-7726 CVE-2018-16548 Several issues have been fixed in zziplib, a library providing read access on ZIP-archives. They are all related to invalid memory access and resulting crash or memory leak.libzzip-0-13 is not installed by default on Cumulus Linux, but is available in the repository for optional installation. Vulnerable: <= 0.13.62-3+deb8u1 Fixed: 0.13.62-3+deb8u2 | 3.7.12 |
| 2551350 | CVE-2017-10790: The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack. Vulnerable: <= 4.2-3+deb8u3 Fixed: 4.2-3+dev8u4 | 3.7.12 |
| 2551161 | switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.2.0 |
| 2550735 | The following security vulnerability has been found in BlueZ, in which the libbluetooth3 library is available in the repository for optional installation in Cumulus Linux:CVE-2020-0556: Improper access control in subsystem for BlueZ before version 5.54 may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access. Vulnerable: <= 5.23-2+deb8u1 Fixed: 5.43-2+deb9u2~deb8u1 | 3.7.12 |
| 2550693 | The following vulnerabilities have been announced in the cups package:CVE-2019-8842: The ‘ippReadIO’ function may under-read an extension field CVE-2020-3898: heap based buffer overflow in libcups’s ppdFindOption() in ppd-mark.c Vulnerable: <= 1.7.5-11+deb8u7 Fixed: 1.7.5-11+deb8u8 | 3.7.12 |
| 2550647 | CVE-2020-12049: There was a file descriptor leak in the D-Bus message bus. An unprivileged local attacker could use this to attack the system DBus daemon, leading to denial of service for all users of the machine. Vulnerable: <= 1.8.22-0+deb8u2 Fixed: 1.8.22-0+deb8u3 | 3.7.12 |
| 2550512 | The python-httplib2 package, which is available in the repository for optional installation, has the following vulnerability:CVE-2020-11078: In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for ‘httplib2.Http.request()’ could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0. Vulnerable: 0.9+dfsg-2 Fixed: 0.9+dfsg-2+deb8u1 | 3.7.12 |
| 2550511 | The following vulnerabilities have been announced in dosfstools, which is available in the repository for optional installation:CVE-2015-8872: The set_fat function in fat.c in dosfstools before 4.0 might allow attackers to corrupt a FAT12 filesystem or cause a denial of service (invalid memory read and crash) by writing an odd number of clusters to the third to last entry on a FAT12 filesystem, which triggers an “off-by-two error." CVE-2016-4804: The read_boot function in boot.c in dosfstools before 4.0 allows attackers to cause a denial of service (crash) via a crafted filesystem, which triggers a heap-based buffer overflow in the (1) read_fat function or an out-of-bounds heap read in (2) get_fat function. Vulnerable: 3.0.27-1 Fixed: 3.0.27-1+deb8u1 | 3.7.12 |
| 2550509 | The json-c shared library (libjson-c2) had an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend. The libjson-c2 library is installed by default on Cumulus Linux 3.x.Vulnerable: <= 0.11-4 Fixed: 0.11-4+deb8u2 | 3.7.12 |
| 2550507 | Several vulnerabilities were discovered in BIND, a DNS server implementation.bind9-host (containing only /usr/bin/host) and some libraries from the bind9 source package are installed on the switch by default; the BIND server referred to in these vulnerabilities is not installed by default but is available in the repository for optional installation.CVE-2020-8616: It was discovered that BIND does not sufficiently limit the number of fetches performed when processing referrals. An attacker can take advantage of this flaw to cause a denial of service (performance degradation) or use the recursing server in a reflection attack with a high amplification factor. CVE-2020-8617: It was discovered that a logic error in the code which checks TSIG validity can be used to trigger an assertion failure, resulting in denial of service. Vulnerable: <= 1:9.9.5.dfsg-9+deb8u18 Fixed: 1:9.9.5.dfsg-9+deb8u19 | 3.7.12 |
| 2550323 | After a neighbor is removed, the redistributed neighbor entry is withdrawn from the BGP table, but the prefix might still be selected as the bestpath when the host’s originated prefix is not advertised. To work around this issue, recreate the neighbor entry and flap the interface to the host. Or, if the host is already down, manually create a neighbor entry with an invalid MAC address, which forces redistribute neighbor to re-withdraw the entry. | 3.7.3-3.7.12 |
| 2550274 | If packets with an invalid checksum are received, the cumulus-poe service might restart and you see log messages similar to the following:May 20 10:48:04.665635 leaf01 poed[8012]: ERROR : invalid checksum in response [0xC2:0x00] May 20 10:48:04.671299 leaf01 poed[8012]: poed : ERROR : invalid checksum in response [0xC2:0x00] May 20 10:48:04.708620 leaf01 systemd[1]: cumulus-poe.service: main process exited, code=exited, status=1/FAILURE The service starts automatically but there is an impact to POE devices momentarily. | 3.7.12, 4.0.0-4.1.1 |
| 2550119 | The following vulnerability has been announced in the apt package:CVE-2020-3810: Shuaibing Lu discovered that missing input validation in the ar/tar implementations of APT, the high level package manager, could result in denial of service when processing specially crafted deb files. Vulnerable: <= 1.0.9.8.5-cl3u1 Fixed: 1.0.9.8.5-cl3u2 | 3.7.12 |
| 2549835 | The following vulnerability affects the openldap package: CVE-2020-12243: A vulnerability was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. LDAP search filters with nested boolean expressions can result in denial of service (slapd daemon crash). Vulnerable: <= 2.4.40+dfsg-1+deb8u5 Fixed: 2.4.40+dfsg-1+deb8u6 | 3.7.12 |
| 2549711 | The following vulnerability affects libgd2/libgd3: CVE-2018-14553: gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing attackers to crash an application via a specific function call sequence. Only affects PHP when linked with an external libgd (not bundled). Vulnerable: <= 2.1.0-5+deb8u13 Fixed: 2.1.0-5+deb8u14 | 3.7.12 |
| 2549710 | The following vulnerability affects imptool: CVE-2020-5208: It’s been found that multiple functions in ipmitool before 1.8.19 neglect proper checking of the data received from a remote LAN party, which may lead to buffer overflows and potentially to remote code execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user. Vulnerable: <= 1.8.14-4 Fixed: 1.8.14-4+deb8u1 | 3.7.12 |
| 2549676 | After you add or remove a bridge VLAN identifier (VID) on a trunk port, the layer 2 VNI is put into VLAN 1. To work around this issue, revert the configuration change. | 3.7.10-3.7.12, 4.0.0-4.1.1 |
| 2549397 | When the BGP Multi-protocol Unreach NLRI attribute is received in a BGP update without a next hop attribute, the BGP session is brought down unexpectedly. RFC 4760 defines that the next-hop attribute is not required for updates containing MP_UNREACH_NLRI. | 3.7.12 |
| 2548673 | A large number of flapping peers causes FRR to require a corresponding update to internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers as well as peers that should have been deleted during the flap processing. The contents of this array is processed by FRR to poll the links, which consumes CPU for all items in the array. This additional polling consumes more CPU than necessary but has no functional impact. To work around this issue, restart FRR. | 3.7.11-3.7.12, 4.0.0-4.1.1 |
| 2548659 | When a link flap occurs while IPv6 traffic traverses interfaces, a kernel panic may occur with the following logs printed to the console:
| 3.7.12 |
| 2548585 | After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors. Note: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active. To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.1.1 |
| 2548579 | The following security vulnerability has been announced: CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. | 3.7.12, 4.0.0-4.4.5 |
| 2548382 | The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.1.1 |
| 2548372 | On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.1.1 |
| 2548307 | When the garbage collector does not release memory back to the operating system, clagd might consume a large amount of memory. As a result of low system memory, systemd might shut down services to reclaim memory. | 3.7.11-3.7.12, 4.1.0-4.1.1 |
| 2548116 | The OVSDB log contains duplicate MAC addresses with the well-known BFD MAC address (00:23:20:00:00:01). This is mainly cosmetic, but clutters the log. | 3.7.12, 4.0.0-4.0.1 |
| 2548112 | In OVSDB VLAN-aware mode, removing a VTEP binding on the NSX controller fails to clean up all interfaces associated with the logical switch. | 3.7.12, 4.0.0-4.1.1 |
| 2548111 | When you remove, then re-add an NSX VTEP binding, the VXLAN VTEP interface is not recreated. | 3.7.9-3.7.12, 4.0.0-4.0.1 |
| 2547880 | The following CVEs were announced that affect the cron package. All of these require untrusted local user access. CVE-2017-9525 is a local user privilege escalation attack: In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs. CVE-2019-9704, CVE-2019-9705, CVE-2019-9706 are local user denial of service attacks. Note: the fix for CVE-2019-9705 imposes a limitation on the length of a crontab file (the vulnerability was that an unlimited size crontab file could cause excessive memory consumption). https://security-tracker.debian.org/tracker/DLA-1723-1 Vulnerable: <= 3.0pl1-cl3u1 Fixed: 3.0pl1-cl3u2 | 3.7.12 |
| 2547879 | The following CVE was announced for rsyslog: CVE-2019-17041 CVE-2019-17042 rsyslogd, when receiving remote log messages and using optional pmaixforwardedfrom or pmcisconames parser modules (not enabled by default on Cumulus Linux), is vulnerable to CVE-2019-17041 and CVE-2019-17042 where malicious messages that appear to be from AIX or Cisco respectively may be caused to skip sanity checks, resulting in incorrect negative lengths causing heap overflows.Do not enable (with $UDPServerRun or $InputTCPServerRun) receiving syslog messages from other hosts by the network. Also, do not enable (with $ModLoad) the vulnerable parsers pmaixforwardedfrom or pmcisconames.<br />The default /etc/rsyslog.conf file on Cumulus Linux does NOT enable $UDPServerRun or $InputTCPServerRun, so the vulnerability is not network exploitable in the default configuration. In addition, the vulnerable parsers are not enabled in the default configuration.Vulnerable: <= 8.4.2-1-cl3u5 Fixed: 8.4.2-1-cl3u6 | 3.7.12 |
| 2547769 | syslog might report a high load average with the CPU running a later microcode revision. | 3.7.4-3.7.12 |
| 2547666 | On the Dell S5232F-ON switch, the output of ledmgrd shows amber_blinking but smonctl shows all OK. | 3.7.11-3.7.12, 4.0.0-4.1.1 |
| 2547663 | When traffic from a double tag interface (facing a different site) is forwarded through VXLAN, the inner tag is not removed. The destination does not know this tag, so it discards it. | 3.7.8-3.7.12, 4.0.0-4.0.1 |
| 2547658 | On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-3.7.12 |
| 2547609 | Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work. Mellanox switches with the Spectrum A1 ASIC do not have this issue. | 3.7.11-3.7.12, 4.0.0-4.1.1 |
| 2547592 | When you add a route map to advertise IPv4 unicast in a BGP EVPN configuration and the route map contains a set operation, BGP crashes. | 3.7.11-3.7.12 |
| 2547293 | On the Broadcom Trident3 switch with DHCP relay, where the DHCP server is reachable through the EVPN overlay, DHCP discover packets forwarded to the CPU might appear corrupt and might not get forwarded. | 3.7.9-3.7.12, 4.0.0-4.0.1 |
| 2547147 | The ospfd daemon might crash with the following kernel trace:
| 3.7.11-3.7.12, 4.0.0-4.0.1 |
| 2546984 | On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings. | 3.7.10-3.7.12, 4.0.0-4.2.0 |
| 2546950 | switchd crashes when dynamic VRF route leaking is enabled and the following is true:* The default route is leaked from VRF1 to VRF2 * Hardware-based dynamic VRF route leaking is configured ( vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).You might see logs similar to the following in /var/log/syslog:
To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.1.1 |
| 2546141 | CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled.To check if lldpd is the heavy CPU resource user, run the following command:
Alternatively, check for messages in the /var/log/syslog directory similar to:
Note: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.To work around this issue, you can do one of the following: * If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service. | 3.7.11-3.7.12, 4.0.0-4.0.1 |
| 2543792 | On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:
| 3.7.9-3.7.12, 4.0.0-4.0.1 |
| 2543648 | You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:
| 3.7.6-3.7.12, 4.0.0-4.1.1 |
| 2543472 | On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly. To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches. | 3.7.7-3.7.12, 4.0.0-4.0.1 |
| 2542767 | If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.To work around this issue, power cycle the switch. | 3.7.6-3.7.12, 4.0.0-4.0.1 |
| 2535845 | On a Trident3 switch, IGMP packets are not policed by the police rule in the 00control ACL file. The packets are policed by the catchall policer in the 99control ACL file instead.-A $INGRESS_CHAIN -p ipv4 -d 01:00:5e:00:00:00/ff:ff:ff:80:00:00 -j police –set-mode pkt –set-rate 100 –set-burst 100To work around this issue, let the CPU bound IGMP packet hit the following rule and change the policer rate to a desired value for IGMP packets: -A $INGRESS_CHAIN -p ipv4 -d 01:00:5e:00:00:00/ff:ff:ff:80:00:00 -j police –set-mode pkt –set-rate 100 –set-burst 100Typically, the destination MAC address 01:00:5e:xx:xx:xx is used only for PIM/IGMP control and data stream packets. However, this workaround cannot handle data stream multicast packets that are not TCP/UDP; this is not typically done. | 4.0.0-4.0.1 |
3.7.12 Release Notes
Open Issues in 3.7.12
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 3135801 | Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop. | 3.7.12-4.3.0 | 4.3.1-4.4.5 |
| 3073668 | On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | |
| 3017190 | When you power cycle the switch, multiple interfaces came up in a PoE disabled state To work around this issue, run the sudo poectl -a | grep disabled command to find ports with disabled POE. Run the sudo poectl -e swp1-swp48 command to enable POE on affected ports. | 3.7.10-3.7.16 | |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2940076 | In a VXLAN fabric with ToR switches configured in a MLAG pair, BUM traffic received on a VXLAN tunnel is decapsulated and forwarded on the peer link bond. The BUM traffic is then encapsulated by the peer switch and sent back to the fabric. The issue has been seen in environments where the following conditions exist at the same time:1) high VNI scale2) switchd is busy processing updates3) clagd is in a transition state, such as Up, then Down, then Up. For example, when clagd restarts, the switch reboots, and so onThe problem is seen on the switch that experiences the clagd state transition. | 3.7.12-3.7.15 | 3.7.16 |
| 2940063 | Under certain high scale conditions, various modules might experience timetouts during cl-support collection, which results in missing data in the cl-support file. | 3.7.12-3.7.15, 4.1.1-4.3.0 | 3.7.16, 4.3.1-4.4.5, 5.0.0-5.12.1 |
| 2934939 | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usageTo workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:address-family ipv4 unicastAfter: ip route 10.10.0.0/16 Null0This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-3.7.16 | |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2866084 | When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb deldev command, then add “vxlan-learning”: “off” in the /etc/network/ifupdown2/policy.d/vxlan.json file:$ cat /etc/network/ifupdown2/policy.d/vxlan.jsonReboot the affected switches. | 3.7.12-4.3.0 | 4.3.1-4.4.5 |
| 2866061 | On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 3.7.12-3.7.16 | |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2815592 | In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.12.1 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2801262 | On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. | 3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.12.1 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2794750 | When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736265 | After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2730225 | When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2700767 | Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16 |
| 2687332 | When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usageTo workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:address-family ipv4 unicastAfter: ip route 10.10.0.0/16 Null0This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2684452 | When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb deldev command2. Add “vxlan-learning”: “off” under /etc/network/ifupdown2/policy.d/vxlan.json$ cat /etc/network/ifupdown2/policy.d/vxlan.json3. Reboot the affected switch(es) | 3.7.12-3.7.16 | |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2669438 | Editing the /etc/frr/frr.conf file to add a new sequence at the beginning of an existing large prefix list changes the subsequent sequence numbers of the next entries in the list and FRR reload might fail with the error message frr.service reload operation timed out. Stopping. To work around this issue, instead of adding the new prefix using an existing sequence number and pushing other sequences forward, use a sequence number that is free; for example, instead of of using 5 -> 10 -> 15, use 5 -> 7 -> 10. | 3.7.11-3.7.16 | |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2660582 | In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure) To recover restart the clagd service with sudo systemctl restart clagd.service | 3.7.8-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2656291 | The following CVEs affect the linux kernel package: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.12-3.7.16 | 4.0.0-4.4.5 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2653400 | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2645846 | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. | 3.7.10-3.7.15 | 3.7.16, 4.3.1-4.4.5 |
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2633245 | On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2599607 | In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5, 5.0.0-5.12.1 |
| 2595889 | In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-4.2.1 | 4.3.0-4.4.5 |
| 2595816 | Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2589747 | If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a good bye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal it is going down, (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2562511 | hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary radius is reachable but not responding to Access-RequestsIf the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers. | 3.7.10-3.7.14.2 | 3.7.15-3.7.16 |
| 2556233 | Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message will be observed when this condition occurs:WARN xx routes reverted to non-ECMP due to NH table capacity | 3.7.9-3.7.14.2 | 3.7.15-3.7.16 |
| 2556037 | After you add an interface to the bridge, an OSPF session flap might occur | 3.7.9-4.2.0 | 4.2.1-4.4.5 |
| 2556019 | After you add an interface to a bridge using the NCLU net add bridge bridge ports command, the bridge can go down and its MAC address changesTo work around this issue, use Linux commands to add an interface to a bridge. | 3.7.9-3.7.13 | 3.7.14-3.7.16 |
| 2555908 | If the you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command. | 3.7.12-4.0.1 | 4.1.0-4.4.5 |
| 2554785 | After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX=“cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2554719 | A slow memory leak is observed (1% per 14 hours) in kmalloc-256. To work around this issue, reboot the switch. | 3.7.12-3.7.14.2 | 3.7.15-3.7.16 |
| 2554369 | Certain Dell S4048-ON switches show an incorrect vendor name and hang when you issue the reboot command. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2554329 | On the Dell N3248PXE switch, fixed RJ45 interfaces with PoE neighbors can end up in Paused mode after a switchd restart, which blocks traffic on that interface. | 3.7.12-3.7.16 | |
| 2554232 | VXLAN encapsulated traffic is not routed to the next hop because the destination VTEP IP address is mis-programmed on the switch, which decapsulates the traffic unexpectedly. To work around this issue, restart switchd. | 3.7.12-3.7.13 | 3.7.14-3.7.16 |
| 2553887 | When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2553748 | On switches with the Spectrum ASIC, the IPv6 default route is present in the kernel but missing in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2553732 | A ping via a dual-connected bond fails, and the audio stream is not routed or encapsulated through the layer 3 VNI. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2553588 | Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn’t exist. To work around this issue, disable IGMP snooping on the switch. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2553530 | In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated. To work around this issue, restart FRR with the sudo systemctl restart frr.service command. | 3.7.10-4.2.1 | 4.3.0-4.4.5 |
| 2553450 | On the the Dell N3248-PXE switch, when you insert two PSUs at different times, the newly inserted PSU is detected as OK but the fan and temp sensors are ABSENT. To work around this issue, remove power to both PSUs at the same time, then reinsert power simultaneously. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2553229 | On the Dell N3248PXE switch, RJ45 fixed copper ports that auto-negotiate with a 100M or 10M neighbor incorrectly negotiate a half-duplex link that generates errors. Half duplex modes are not supported on this platform. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2553219 | You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2553116 | When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2553050 | SNMP status might incorrectly reflect that a BGP neighbor is down due to an issue between bgpd and SNMP AgentX when the IP-FORWARD-MIB is also polled.To work around this issue, avoid polling IP-FORWARD-MIB objects. | 3.7.12-3.7.16 | |
| 2553015 | If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | |
| 2553001 | When the following conditions exist, clagd might fail to establish a TCP control session across the subinterface (such as, peerlink.4094):* clagd uses an IPv6 link-local address (LLA) to establish the TCP connection (the clagd-peer-ip linklocal command configures an IPv6 LLA connection)* Subsequent VLAN changes are made to VLAN sub-interfaces or adding or removing SVIs This issue occurs because the hardware stores one entry per VRF to represent the IPv6 LLA. The hardware entry for the LLA is removed when another interface is changed because the software interfaces are represented by a single entity in hardware. As a result, packets destined to the local IPv6 LLA address are received on the port but do not get forwarded to CPU for further processing. To workaround this issue, use IPv4 addresses under peerlink.4094 and configure clagd to peer on IPv4 addresses. | 3.7.12-4.1.1 | 4.2.0-4.4.5 |
| 2552939 | RX_DRP on a bond interface increases without any data traffic while the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2552925 | On the EdgeCore AS-6712-32X, AS5812-54X and AS5812-54T switch models, the temp sensors (DIMM temp sensor) show ABSENT. The amber diagnostic light on the front of the switch might also be turned on due to this issue. These messages and the light are cosmetic issues only and do not otherwise impact the function of the switch. | 3.7.12-3.7.13 | 3.7.14-3.7.16 |
| 2552742 | On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2552739 | Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | |
| 2552647 | When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding. To work around this issue, bounce the bond or shutdown the new interface and use the remaining members over the bond. | 3.7.10-4.2.0 | 4.2.1-4.4.5 |
| 2552528 | Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-4.2.1 | 4.3.0-4.4.5 |
| 2552506 | Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports. To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-4.2.0 | 4.2.1-4.4.5 |
| 2552352 | The following security vulnerabilities have been announced in the nss / libnss3 packages: CVE-2020-6829: Side channel attack on ECDSA signature generation CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function CVE-2020-12401: ECDSA timing attack mitigation bypass Vulnerable: <= 3.26-1+debu8u11 Fixed: 3.26-1+debu8u12 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552351 | The following vulnerability has been announced in the libx11 packages: CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method. Vulnerable: <= 1.6.2-3+deb8u2 Fixed: 1.6.2-3+deb8u3 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552294 | NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2552214 | The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14.2, 4.1.1-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2552205 | If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer’s SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.To work around this issue, ifdown/ifup the SVI when a MAC address changes. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2552134 | When the MLAG peerlink flaps on Broadcom Trident3 platforms, switchd might continually sync route and neighbor entries to hardware. This can be observed in /var/log/switchd.log with repeated Neighbor Summary and IPv4 Route Summary updates:sync_route.c:2063 Neighbor Summary : 0 Added, 0 Deleted, 501 Updated, 0 Skipped in 589761 usecs | 3.7.12 | 3.7.13-3.7.16 |
| 2551915 | The following vulnerabilities have been announced in NGINX, which is installed by default on Cumulus Linux (however, the default nginx configuration is not vulnerable, since it does not configure error_page redirection or use lua): CVE-2019-20372: NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer. CVE-2020-11724: An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API. Vulnerable: <= 1.6.2-5+deb8u6 Fixed: 1.6.2-5+deb8u7 | 3.7.12 | 3.7.13-3.7.16 |
| 2551911 | ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551779 | Several issues were discovered in Python 3.4, an interactive high-level object-oriented language, that allow an attacker to cause denial of service, trafic redirection, header injection and cross-site scripting. CVE-2013-1753: The gzip_decode function in the xmlrpc client library allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request. CVE-2016-1000110:The CGIHandler class does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests. CVE-2019-16935:The documentation XML-RPC server has XSS via the server_title field. This occurs in Lib/xmlrpc/server.py. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. CVE-2019-18348: In urllib2, CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. CVE-2020-8492: Python allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. CVE-2020-14422: Lib/ipaddress.py improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. Vulnerable: <= 3.4.2-1+deb8u7 Fixed: 3.4.2-1+deb8u8 | 3.7.12 | 3.7.13-3.7.16 |
| 2551778 | Several vulnerabilities where found in Perl’s regular expression compiler. An application that compiles untrusted regular expressions could be exploited to cause denial of service or code injection. It is discouraged to allow untrusted regular expressions to be compiled by Perl. CVE-2020-10543: Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow. CVE-2020-10878: Perl before 5.30.3 has an integer overflow related to mishandling of a “PL_regkind[OP(n)] == NOTHING” situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection. CVE-2020-12723: regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls. Vulnerable: <= 5.20.2-3+deb8u12 Fixed: 5.20.2-3+deb8u13 | 3.7.12 | 3.7.13-3.7.16 |
| 2551748 | In OVSDB high availability mode, deleting > 200 VLAN bindings might cause ovs-vtepd to crash. Limit the deletion to 200 or fewer VLAN bindings. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2551731 | When the OVSDB VTEP scale increases, the CPU utilization increases and eventually the switch (ptmd) fails to respond to the BFD, causing the BFD session to go down. As a result OVSDB cannot read the BFD socket status and outputs a warning in the ovs-vtepd debugs: PTM socket error: Bad file descriptor. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551728 | In OVSDB high availability mode, if you create, then delete a binding, the FDB entry is not replaced and you see an error. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551714 | There is a change to the default OVSDB bootstrapping process, where the script created now defaults to VLAN-aware bridge mode. If you want to use traditional bride mode, you need to force it by editing the ovs-vtep-ctl script generated by the bootstrap process. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551693 | A host migrated to an 802.1X MAB port within the same broadcast domain fails to have the correct FDB entry installed if a dynamic FDB entry for that MAC address exists from previous connectivity in the broadcast domain. To work around this issue, manually delete the dynamic FDB entry that is associated with the uplink trunk port. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551675 | When you restart clagd, the edge port setting on the peer link changes. | 3.7.2-4.2.0 | 4.2.1-4.4.5 |
| 2551651 | The net show dot1x interface summary command output shows a MAC address with all zeros associated with a port. | 3.7.12-4.2.0 | 4.2.1-4.4.5 |
| 2551578 | When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2551554 | Customers running security scans on Cumulus Linux 4 may encounter the listing of an incorrect version of u-boot 2014.10+dfsg1-4 with the following vulnerabilities:CVE-2017-3225CVE-2017-3226CVE-2018-18440CVE-2019-11690CVE-2019-13103CVE-2019-14192CVE-2019-14193CVE-2019-14194CVE-2019-14195CVE-2019-14196CVE-2019-14197CVE-2019-14198CVE-2019-14199CVE-2019-14200CVE-2019-14201CVE-2019-14202CVE-2019-14203CVE-2019-14204CVE-2020-10648The u-boot-tools package is not installed on the switch by default, but is available in the repository for optional installation. On Cumulus Linux 4, the version is at least 2019.01+dfsg-7. However, the older versions available for optional installation on Cumulus Linux 3 may be vulnerable According to https://security-tracker.debian.org/tracker/source-package/u-boot , all except the following are fixed in 2019.01+dfsg-7:CVE-2017-3225: https://security-tracker.debian.org/tracker/CVE-2017-3225 says “Negligible security impact” CVE-2017-3226: https://security-tracker.debian.org/tracker/CVE-2017-3226 says “Negligible security impact” CVE-2018-18440: https://security-tracker.debian.org/tracker/CVE-2018-18440 says “No security impact as supported/packaged in Debian”. | 3.7.12-3.7.16 | 4.0.0-4.4.5 |
| 2551543 | switchd might crash if more than 16 IPv6 default route next hops are installed in the kernel routing table and those 16 next hops recurse to MAC address table entries reachable over VXLAN VNI interfaces. This can occur when many IPv6 router advertisements (RAs) are received across VLAN interfaces that have IPv6 forwarding disabled.To work around this issue, add the following parameters to the /etc/sysctl.conf file to disable IPv6 default route installation from received router advertisements, then run the sudo sysctl -p –system command.
| 3.7.12 | 3.7.13-3.7.16 |
| 2551395 | The libnss3 package, available for optional installation on Cumulus Linux, has the following vulnerabilities:CVE-2020-12399: Timing differences when performing DSA signatures. CVE-2020-12402: Side channel vulnerabilities during RSA key generation. Vulnerable: <= 3.26-1+deb8u10 Fixed: 3.26-1+deb8u11 | 3.7.12 | 3.7.13-3.7.16 |
| 2551356 | The following vulnerabilities have been announced in the qemu package, which is available in the repository for optional installation on Cumulus Linux:CVE-2020-1983: slirp: Fix use-after-free in ip_reass(). CVE-2020-13361: es1370_transfer_audio in hw/audio/es1370.c allowed guest OS users to trigger an out-of-bounds access during an es1370_write() operation. CVE-2020-13362: megasas_lookup_frame in hw/scsi/megasas.c had an out-of-bounds read via a crafted reply_queue_head field from a guest OS user. CVE-2020-13765: hw/core/loader: Fix possible crash in rom_copy(). Vulnerable: <= 2.1+dfsg-12+deb8u14 Fixed: 2.1+dfsg-12+deb8u15 | 3.7.12 | 3.7.13-3.7.16 |
| 2551351 | CVE-2018-6381 CVE-2018-6484 CVE-2018-6540 CVE-2018-6541 CVE-2018-6869 CVE-2018-7725 CVE-2018-7726 CVE-2018-16548 Several issues have been fixed in zziplib, a library providing read access on ZIP-archives. They are all related to invalid memory access and resulting crash or memory leak.libzzip-0-13 is not installed by default on Cumulus Linux, but is available in the repository for optional installation. Vulnerable: <= 0.13.62-3+deb8u1 Fixed: 0.13.62-3+deb8u2 | 3.7.12 | 3.7.13-3.7.16 |
| 2551350 | CVE-2017-10790: The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack. Vulnerable: <= 4.2-3+deb8u3 Fixed: 4.2-3+dev8u4 | 3.7.12 | 3.7.13-3.7.16 |
| 2551305 | The net show configuration command provides the wrong net add command for ACL under the VLAN interface. | 3.7.12-3.7.16, 4.1.0-4.4.5 | |
| 2551288 | When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2551161 | switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.2.0 | 3.7.13-3.7.16, 4.2.1-4.4.5 |
| 2550974 | On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | |
| 2550942 | NCLU tab completion for net show displays the text add help text instead of system Information for the system option. | 3.7.11-4.2.0 | 4.2.1-4.4.5 |
| 2550796 | On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero. To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2550793 | The NCLU net show bridge spanning-tree command displays the aging timer incorrectly. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550735 | The following security vulnerability has been found in BlueZ, in which the libbluetooth3 library is available in the repository for optional installation in Cumulus Linux:CVE-2020-0556: Improper access control in subsystem for BlueZ before version 5.54 may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access. Vulnerable: <= 5.23-2+deb8u1 Fixed: 5.43-2+deb9u2~deb8u1 | 3.7.12 | 3.7.13-3.7.16 |
| 2550693 | The following vulnerabilities have been announced in the cups package:CVE-2019-8842: The ‘ippReadIO’ function may under-read an extension field CVE-2020-3898: heap based buffer overflow in libcups’s ppdFindOption() in ppd-mark.c Vulnerable: <= 1.7.5-11+deb8u7 Fixed: 1.7.5-11+deb8u8 | 3.7.12 | 3.7.13-3.7.16 |
| 2550647 | CVE-2020-12049: There was a file descriptor leak in the D-Bus message bus. An unprivileged local attacker could use this to attack the system DBus daemon, leading to denial of service for all users of the machine. Vulnerable: <= 1.8.22-0+deb8u2 Fixed: 1.8.22-0+deb8u3 | 3.7.12 | 3.7.13-3.7.16 |
| 2550600 | The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2550512 | The python-httplib2 package, which is available in the repository for optional installation, has the following vulnerability:CVE-2020-11078: In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for ‘httplib2.Http.request()’ could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0. Vulnerable: 0.9+dfsg-2 Fixed: 0.9+dfsg-2+deb8u1 | 3.7.12 | 3.7.13-3.7.16 |
| 2550511 | The following vulnerabilities have been announced in dosfstools, which is available in the repository for optional installation:CVE-2015-8872: The set_fat function in fat.c in dosfstools before 4.0 might allow attackers to corrupt a FAT12 filesystem or cause a denial of service (invalid memory read and crash) by writing an odd number of clusters to the third to last entry on a FAT12 filesystem, which triggers an “off-by-two error." CVE-2016-4804: The read_boot function in boot.c in dosfstools before 4.0 allows attackers to cause a denial of service (crash) via a crafted filesystem, which triggers a heap-based buffer overflow in the (1) read_fat function or an out-of-bounds heap read in (2) get_fat function. Vulnerable: 3.0.27-1 Fixed: 3.0.27-1+deb8u1 | 3.7.12 | 3.7.13-3.7.16 |
| 2550509 | The json-c shared library (libjson-c2) had an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend. The libjson-c2 library is installed by default on Cumulus Linux 3.x.Vulnerable: <= 0.11-4 Fixed: 0.11-4+deb8u2 | 3.7.12 | 3.7.13-3.7.16 |
| 2550507 | Several vulnerabilities were discovered in BIND, a DNS server implementation.bind9-host (containing only /usr/bin/host) and some libraries from the bind9 source package are installed on the switch by default; the BIND server referred to in these vulnerabilities is not installed by default but is available in the repository for optional installation.CVE-2020-8616: It was discovered that BIND does not sufficiently limit the number of fetches performed when processing referrals. An attacker can take advantage of this flaw to cause a denial of service (performance degradation) or use the recursing server in a reflection attack with a high amplification factor. CVE-2020-8617: It was discovered that a logic error in the code which checks TSIG validity can be used to trigger an assertion failure, resulting in denial of service. Vulnerable: <= 1:9.9.5.dfsg-9+deb8u18 Fixed: 1:9.9.5.dfsg-9+deb8u19 | 3.7.12 | 3.7.13-3.7.16 |
| 2550478 | VXLAN interface as in-interface or out-interface in an ACL is not supported in Spectrum-based switches. | 3.7.7-4.2.0 | 4.2.1-4.4.5, 4.3.0-4.4.5 |
| 2550444 | Tab completion for the net show rollback description command returns information about a snapshot instead of context help.To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550443 | The net show rollback description command returns an error even if the string matches a commit description.To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550375 | CPU utilization may increase when clag-managed bond interfaces are operationally/LACP down but the physical carrier remains up on the bond member switchports. This condition occurs when clag bond redirection is enabled and bond members remain up while the parent bond does not negotiate LACP. This issue is resolved in Cumulus Linux 3.7.14. | 3.7.9-4.2.1 | 4.3.0-4.4.5 |
| 2550350 | Unicast traffic from downlink hosts is flooded to multiple remote VTEPs, which might also cause high HwIfOutQDrops/TX_DRP on the uplink ports. To work around this issue, restart switchd. | 3.7.10-4.1.1 | 4.2.0-4.4.5 |
| 2550323 | After a neighbor is removed, the redistributed neighbor entry is withdrawn from the BGP table, but the prefix might still be selected as the bestpath when the host’s originated prefix is not advertised. To work around this issue, recreate the neighbor entry and flap the interface to the host. Or, if the host is already down, manually create a neighbor entry with an invalid MAC address, which forces redistribute neighbor to re-withdraw the entry. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2550276 | In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added.All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2550274 | If packets with an invalid checksum are received, the cumulus-poe service might restart and you see log messages similar to the following:May 20 10:48:04.665635 leaf01 poed[8012]: ERROR : invalid checksum in response [0xC2:0x00] May 20 10:48:04.671299 leaf01 poed[8012]: poed : ERROR : invalid checksum in response [0xC2:0x00] May 20 10:48:04.708620 leaf01 systemd[1]: cumulus-poe.service: main process exited, code=exited, status=1/FAILURE The service starts automatically but there is an impact to POE devices momentarily. | 3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2550243 | When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service. For example:
| 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2550119 | The following vulnerability has been announced in the apt package:CVE-2020-3810: Shuaibing Lu discovered that missing input validation in the ar/tar implementations of APT, the high level package manager, could result in denial of service when processing specially crafted deb files. Vulnerable: <= 1.0.9.8.5-cl3u1 Fixed: 1.0.9.8.5-cl3u2 | 3.7.12 | 3.7.13-3.7.16 |
| 2550056 | The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549925 | When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:
To work around this issue, run the ifreload -a command a second time. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2549872 | If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error. | 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549838 | In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel. If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel. To work around this issue, delete, then re-add the missing VNI. For example:
If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2549835 | The following vulnerability affects the openldap package: CVE-2020-12243: A vulnerability was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. LDAP search filters with nested boolean expressions can result in denial of service (slapd daemon crash). Vulnerable: <= 2.4.40+dfsg-1+deb8u5 Fixed: 2.4.40+dfsg-1+deb8u6 | 3.7.12 | 3.7.13-3.7.16 |
| 2549794 | The asic-monitor.service fails when you configure /etc/cumulus/datapath/monitor.conf with monitor.histogram_pg.collect.port_group_list = [all_packet_pg] and there is traffic passing through the buffer. When the service fails, you see the following traceback in journalctl:
| 3.7.11-4.2.0 | 4.2.1-4.4.5 |
| 2549782 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2549731 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
| 3.7.12-3.7.16, 4.1.1-4.4.5 | |
| 2549711 | The following vulnerability affects libgd2/libgd3: CVE-2018-14553: gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing attackers to crash an application via a specific function call sequence. Only affects PHP when linked with an external libgd (not bundled). Vulnerable: <= 2.1.0-5+deb8u13 Fixed: 2.1.0-5+deb8u14 | 3.7.12 | 3.7.13-3.7.16 |
| 2549710 | The following vulnerability affects imptool: CVE-2020-5208: It’s been found that multiple functions in ipmitool before 1.8.19 neglect proper checking of the data received from a remote LAN party, which may lead to buffer overflows and potentially to remote code execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user. Vulnerable: <= 1.8.14-4 Fixed: 1.8.14-4+deb8u1 | 3.7.12 | 3.7.13-3.7.16 |
| 2549676 | After you add or remove a bridge VLAN identifier (VID) on a trunk port, the layer 2 VNI is put into VLAN 1. To work around this issue, revert the configuration change. | 3.7.10-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2549472 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2549397 | When the BGP Multi-protocol Unreach NLRI attribute is received in a BGP update without a next hop attribute, the BGP session is brought down unexpectedly. RFC 4760 defines that the next-hop attribute is not required for updates containing MP_UNREACH_NLRI. | 3.7.12-3.7.16 | 4.0.0-4.4.5 |
| 2549371 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.3 | 4.4.0-4.4.5 |
| 2549307 | The following vulnerabilities affect git, which is available in the repository for optional installation: CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host. CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5 |
| 2549226 | You might see the following gport error messages in switchd.log:
These messages are harmless and can be ignored. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2548962 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5 |
| 2548930 | On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2548746 | On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2548673 | A large number of flapping peers causes FRR to require a corresponding update to internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers as well as peers that should have been deleted during the flap processing. The contents of this array is processed by FRR to poll the links, which consumes CPU for all items in the array. This additional polling consumes more CPU than necessary but has no functional impact. To work around this issue, restart FRR. | 3.7.11-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548659 | When a link flap occurs while IPv6 traffic traverses interfaces, a kernel panic may occur with the following logs printed to the console:
| 3.7.12 | 3.7.13-3.7.16 |
| 2548657 | When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:
You can safely ignore these error messages. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548585 | After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors. Note: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active. To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548579 | The following security vulnerability has been announced: CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. | 3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16 |
| 2548490 | A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.To work around this issue, reenter the redistribute <connected|static> route-map statement in the configuration. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2548485 | If you configure the aggregate-addresssummary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:Existing configuration:router bgp 1If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,To work around this issue, remove, then re-add the component prefix routes. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
| 2548475 | After you add a new VNI and a layer 3 SVI to a set of leafs, certain leafs might not be able to communicate on the layer 3 VNI. To work around this issue, reboot the leaf switch or restart switchd. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2548382 | The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548372 | On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548315 | The following security advisory has been announced for bash: CVE-2019-18276 Qualys scan QID 372268 setuid vulnerability When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges.To work around this issue, do not make bash or bash scripts setuid. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548307 | When the garbage collector does not release memory back to the operating system, clagd might consume a large amount of memory. As a result of low system memory, systemd might shut down services to reclaim memory. | 3.7.11-3.7.12, 4.1.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548243 | On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2548155 | The net show bgp neighbor swpX json command shows negative output for the bgpTimerUpMsec timer. | 3.7.10-3.7.16 | 4.0.0-4.4.5 |
| 2548117 | In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2548116 | The OVSDB log contains duplicate MAC addresses with the well-known BFD MAC address (00:23:20:00:00:01). This is mainly cosmetic, but clutters the log. | 3.7.12-4.0.1 | 4.1.0-4.4.5 |
| 2548112 | In OVSDB VLAN-aware mode, removing a VTEP binding on the NSX controller fails to clean up all interfaces associated with the logical switch. | 3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548111 | When you remove, then re-add an NSX VTEP binding, the VXLAN VTEP interface is not recreated. | 3.7.9-4.0.1 | 4.1.0-4.4.5 |
| 2548044 | When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16 |
| 2548024 | On the Dell Z9100 switch, 100G-SR4 modules might not link up reliably in certain ports. swp1, 2, 3, 9, 10, 23, 24, 30, 31, and 32 might be affected To work around this issue, move 100G SR4 modules to one of the ports not affected by this issue. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547942 | On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547880 | The following CVEs were announced that affect the cron package. All of these require untrusted local user access. CVE-2017-9525 is a local user privilege escalation attack: In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs. CVE-2019-9704, CVE-2019-9705, CVE-2019-9706 are local user denial of service attacks. Note: the fix for CVE-2019-9705 imposes a limitation on the length of a crontab file (the vulnerability was that an unlimited size crontab file could cause excessive memory consumption). https://security-tracker.debian.org/tracker/DLA-1723-1 Vulnerable: <= 3.0pl1-cl3u1 Fixed: 3.0pl1-cl3u2 | 3.7.12 | 3.7.13-3.7.16 |
| 2547879 | The following CVE was announced for rsyslog: CVE-2019-17041 CVE-2019-17042 rsyslogd, when receiving remote log messages and using optional pmaixforwardedfrom or pmcisconames parser modules (not enabled by default on Cumulus Linux), is vulnerable to CVE-2019-17041 and CVE-2019-17042 where malicious messages that appear to be from AIX or Cisco respectively may be caused to skip sanity checks, resulting in incorrect negative lengths causing heap overflows.Do not enable (with $UDPServerRun or $InputTCPServerRun) receiving syslog messages from other hosts by the network. Also, do not enable (with $ModLoad) the vulnerable parsers pmaixforwardedfrom or pmcisconames.<br />The default /etc/rsyslog.conf file on Cumulus Linux does NOT enable $UDPServerRun or $InputTCPServerRun, so the vulnerability is not network exploitable in the default configuration. In addition, the vulnerable parsers are not enabled in the default configuration.Vulnerable: <= 8.4.2-1-cl3u5 Fixed: 8.4.2-1-cl3u6 | 3.7.12 | 3.7.13-3.7.16 |
| 2547878 | The following vulnerability has been found in the libgcrypt20 cryptographic library.CVE-2019-13627: there was a ECDSA timing attack. For more information, see https://www.debian.org/lts/security/2020/dla-1931-2.en.html Vulnerable: 1.6.3-2+deb8u7 Fixed: 1.6.3-2+deb8u8 | 3.7.11-3.7.16 | |
| 2547876 | The following vulnerability affects libxml2: CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c has a memory leak related to newDoc->oldNs. This can lead to a denial of service. For more information, see https://www.debian.org/lts/security/2019/dla-2048.en.html . Vulnerable: 2.9.1+dfsg1-5+deb8u7 Fixed: 2.9.1+dfsg1-5+deb8u8 | 3.7.11-3.7.16 | |
| 2547874 | The following vulnerability affects libbsd, a package containing utility functions from BSD systems. CVE-2016-2090: In function fgetwln() an off-by-one error could triggers a heap buffer overflow. For more information, see https://www.debian.org/lts/security/2019/dla-2052.en.html . Vulnerable: 0.7.0-2 Fixed: 0.7.0-2+deb8u1 | 3.7.11-3.7.16 | |
| 2547839 | When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547799 | An error similar to the following shows in syslog for Mellanox switches:
To work around this issue, reboot the switch. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547784 | PTM mis-detects incorrect hostnames of LLDP neighbors and does not fail them as expected. Instead they end up in an N/A cabling status. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547782 | If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547769 | syslog might report a high load average with the CPU running a later microcode revision. | 3.7.4-3.7.12 | 3.7.13-3.7.16 |
| 2547706 | When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547666 | On the Dell S5232F-ON switch, the output of ledmgrd shows amber_blinking but smonctl shows all OK. | 3.7.11-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2547663 | When traffic from a double tag interface (facing a different site) is forwarded through VXLAN, the inner tag is not removed. The destination does not know this tag, so it discards it. | 3.7.8-4.0.1 | 4.1.0-4.4.5 |
| 2547659 | On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547658 | On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-3.7.12 | 3.7.13-3.7.16 |
| 2547609 | Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work. Mellanox switches with the Spectrum A1 ASIC do not have this issue. | 3.7.11-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2547592 | When you add a route map to advertise IPv4 unicast in a BGP EVPN configuration and the route map contains a set operation, BGP crashes. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547573 | On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU. | 3.7.9-3.7.16 | |
| 2547443 | On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547381 | The hsflowd service sends an undefined header protocol 0 in the sampled flow sample to the collector, which is not recognized by the sFlow tool. You see errors similar to the following:
| 3.7.11-3.7.16 | 4.0.0-4.4.5 |
| 2547349 | When you change an interface IP address, then change it back, static routes are misprogrammed One of the following actions recovers the routes:- Bounce both layer 3 interfaces- Remove or add static routes in FRR- Restart FRR | 3.7.11-3.7.16 | 4.0.0-4.4.5 |
| 2547293 | On the Broadcom Trident3 switch with DHCP relay, where the DHCP server is reachable through the EVPN overlay, DHCP discover packets forwarded to the CPU might appear corrupt and might not get forwarded. | 3.7.9-4.0.1 | 4.1.0-4.4.5 |
| 2547246 | The MLAG switch pair has VLANs defined that are not used on MLAG bonds. These VLANs still synchronize MAC addresses across to the peer switch. This results in log messages that indicate a MAC address is installed and the VLAN is not defined; for example:
| 3.7.10-4.1.1 | 4.2.0-4.4.5 |
| 2547147 | The ospfd daemon might crash with the following kernel trace:
| 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547123 | On the Broadcom switch with the Trident3 ASC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547120 | After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom –init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547118 | The following security vulnerabilities have been announced in the libtiff5 library on Cumulus Linux 4.0: CVE-2019-14973, CVE-2019-17546: Multiple integer overflows have been discovered in the libtiff library and the included tools. Vulnerable: 4.0.10-4 Fixed: 4.1.0+git191117-2~deb10u1 | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2547100 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547068 | Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available or manually disable CPU C-states in the kernel as outlined below To permanently disable C-states using a kernel boot parameter:1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if /etc/default/grub file contains the line GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off”, change it to GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0”2. Run sudo update-grub3. Reboot the system with sudo rebootTo disable cstates in realtime on the current system, which does not persist through a reboot:1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade;sudo apt install libpci32. Disable C-states by running the command ./cpupower idle-set -d 2C-states are disabled by default in Cumulus Linux 4.3.0 and later. | 3.7.9-4.2.1 | 4.3.0-4.4.5 |
| 2546991 | The FRR service does not provide a way for automation to know if the configuration applied properly. To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546984 | On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings. | 3.7.10-3.7.12, 4.0.0-4.2.0 | 3.7.13-3.7.16, 4.2.1-4.4.5 |
| 2546950 | switchd crashes when dynamic VRF route leaking is enabled and the following is true:* The default route is leaked from VRF1 to VRF2 * Hardware-based dynamic VRF route leaking is configured ( vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).You might see logs similar to the following in /var/log/syslog:
To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2546895 | If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.serviceTo increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter2.Restart the switchd service with the sudo systemctl restart switchd.service commandsystemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546577 | A traditional bridge with QinQ and a VNI does not work for tagged traffic. | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2546450 | On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold. | 3.7.11-3.7.16 | |
| 2546385 | SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | |
| 2546225 | When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.
To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546203 | When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior: * Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet. * If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet. | 3.7.11-3.7.16 | |
| 2546141 | CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled.To check if lldpd is the heavy CPU resource user, run the following command:
Alternatively, check for messages in the /var/log/syslog directory similar to:
Note: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.To work around this issue, you can do one of the following: * If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2546131 | On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546010 | When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist. | 3.7.10-3.7.16 | |
| 2545997 | The NCLU command net show interface produces an error if bonds with no members exist.To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a. | 3.7.10-3.7.16 | |
| 2545699 | On the Celestica Pebble switch, if you use IPv6 routes with mask /65 to /127, the switchd log fills with errors. | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2545566 | The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT. | 3.7.12-4.0.1 | 4.1.0-4.4.5 |
| 2545446 | If you use NCLU commands to add a non-MLAG bond, then add an MLAG configuration, the net commit command fails. However, a subsequent net commit command succeeds. | 3.7.10-3.7.16 | |
| 2545404 | On the Trident3 switch, unicast ARP packets received on a VNI and forwarded to the CPU are not policed. | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2545125 | If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
| 2544978 | If you delete an undefined bond, then add a bond slave, the net commit command fails. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544968 | FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
should be:
To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544953 | When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
| 2544904 | After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements. To work around this issue, restart FRR after removing the IPv6 numbered configuration. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544829 | Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | |
| 2544671 | Package : sudoCVE ID : CVE-2019-14287Debian Bug : 942322Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows to run commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html We recommend that you upgrade your sudo packages. For the detailed security status of sudo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudoVulnerable versions: < 1.8.27-1+deb10u1Fixed versions: >= 1.8.27-1+deb10u1To work around this iisue, disable (comment out) any sudoers entries in /etc/sudoers or files in /etc/sudoers.d that have entries with !root in them. Only root or other users with a uid of 0 that are affected. | 3.7.9-3.7.16 | 4.0.0-4.4.5 |
| 2544556 | If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:
If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544463 | Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544456 | The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544311 | Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544235 | The following CVEs affect the linux kernel package: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.10-3.7.16 | |
| 2544155 | NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544113 | Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link. To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2543900 | On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543841 | The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543840 | On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file. | 3.7.6-3.7.16 | |
| 2543800 | When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2543792 | On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:
| 3.7.9-4.0.1 | 4.1.0-4.4.5 |
| 2543648 | You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:
| 3.7.6-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2543647 | ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
| 3.7.6-4.2.1 | 4.3.0-4.4.5 |
| 2543646 | In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543627 | Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543472 | On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly. To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches. | 3.7.7-4.0.1 | 4.1.0-4.4.5 |
| 2543270 | The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2543164 | The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2543096 | When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543058 | The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces. To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543052 | Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as “inactive” in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR. To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:
You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2543044 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2542979 | On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5 |
| 2542945 | On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
| 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542767 | If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.To work around this issue, power cycle the switch. | 3.7.6-4.0.1 | 4.1.0-4.4.5 |
| 2542310 | hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6. | 3.7.6-3.7.16 | |
| 2542305 | If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542301 | When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2541212 | The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2541165 | On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false. | 3.7.6-3.7.16 | |
| 2541029 | On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540950 | On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status. | 3.7.3-4.1.1 | 4.2.0-4.4.5 |
| 2540885 | The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports. | 3.7.7-3.7.16 | |
| 2540863 | On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number. | 3.7.3-3.7.16 | |
| 2540753 | If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
| 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540444 | SNMP incorrectly requires engine ID specification. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540352 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2540340 | NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540274 | On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540204 | When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540192 | The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540155 | On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540042 | When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540041 | On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540040 | Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540031 | NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2539994 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539670 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539124 | The net add interface command adds no ptm-enable for that interface in the frr.conf file.Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2538875 | IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file. | 3.7.2-3.7.16 | |
| 2538790 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538590 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538562 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538256 | On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets. | 3.7.2-4.0.1 | 4.1.0-4.4.5 |
| 2537819 | When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537188 | When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network. | 3.7.2-3.7.16 | |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2533691 | If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
| 2532017 | In FRR, bgp_snmp does not show all BGP peers when peer groups used. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
Fixed Issues in 3.7.12
| Issue ID | Description | Affects |
|---|---|---|
| 2547557 | On the EdgeCore Wedge100 and Facebook Wedge-100S switch, certain physical ports are not correctly mapped to the logical ones. For example: Logical swp39 controls physical swp41 Logical swp40 controls physical swp42 Logical swp43 controls physical swp45 Logical swp44 controls physical swp46 This might causes incorrect forwarding behavior. | 3.7.11, 4.0.0-4.0.1 |
| 2547508 | When a Trident3 switch receives packets containing an IP checksum value that is not compliant with RFC 1624, the TTL is decremented after a routing operation but the checksum is not recalculated. This results in the IP checksum value being invalid as the packet leaves the switch. | 3.7.10-3.7.11, 4.0.0-4.0.1 |
| 2547302 | On the Dell Z9264F-ON switch, the CPU core temperature sensors report ABSENT. | 3.7.11, 4.0.0-4.0.1 |
| 2547148 | The last eight ports of the EdgeCore AS4610-54P switch (swp41 through swp48) do not power UPOE access points. | 3.7.11, 4.0.0-4.0.1 |
| 2547121 | An unhandled exception might occur after you run the sudo poectl -i command. In addition, random poed daemon restarts can occur without any unhandled exceptions but with an invalid response length error. Both issues can occur due to a SerialException.To work around this issue, power cycle the switch. A software reboot does not resolve the issue. | 3.7.10-3.7.11 |
| 2547106 | Editing the outbound route-map of a BGP peer causes all received prefixes by that BGP peer to reset and reinstall. This might cause a brief impact to traffic for those prefixes. | 3.7.11 |
| 2547070 | On the Lenovo NE2580 switch, the fan speeds are higher than expected within normal operating conditions. | 3.7.11, 4.0.0-4.0.1 |
| 2547042 | After you convert a bond back to a layer 2 access port, ifupdown2 changes all SVI MTUs to 1500. To work around this issue, run ifreload -a a second time. | 3.7.11, 4.0.0-4.0.1 |
| 2547012 | On the Mellanox Spectrum switch, switchd can sometimes fail when PBR rules are installed or removed from hardware if the rule is setting a next hop learned via a routing protocol. | 3.7.7-3.7.11, 4.0.0-4.0.1 |
| 2546998 | When you configure Cumulus Linux with a /32 address on a switch port with a configured peer address (for example, to connect to a device using IP unnumbered), the switch sends GARPs for the peer address. | 3.7.5-3.7.11 |
| 2546868 | Broadcom Field Alert - SID - MMU 2B Errors A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.0.1 |
| 2546815 | On the Delta AG6248C switch, the NCLU net show system sensors command shows an error:
To work around this issue, run the net show system sensors json command instead. | 3.7.11 |
| 2546702 | The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load. To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.0.1 |
| 2546564 | You might see a switchd memory leak during ECMP group expansion or consolidation. | 3.7.10-3.7.11 |
| 2546501 | On the EdgeCore AS7326-56X switch, eth0 and swp1 use the same MAC address. | 3.7.9-3.7.11, 4.0.0-4.0.1 |
| 2546354 | The following CVEs were announced that affect the Linux kernel: CVE-2019-12378: An issue was discovered in ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). CVE-2019-12381: An issue was discovered in ip_ra_control in net/ipv4/ip_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). CVE-2019-15239: In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifically, by adding to a write queue between disconnection and re-connection, a local attacker can trigger multiple use-after-free conditions. This can result in a kernel crash, or potentially in privilege escalation. CVE-2019-19062: A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042. CVE-2019-19537: In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c. CVE-2019-20054: In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. | 3.7.11 |
| 2546328 | A memory leak in switchd might occur, which causes switchd to restart. | 3.7.10-3.7.11, 4.0.0-4.0.1 |
| 2546264 | Ifupdown2 does not set up the front panel interface for the dhclient to accept the DHCP OFFER.To work around this issue, restart the networking service after ifreload -a with the systemctl restart networking command. | 3.7.10-3.7.11, 4.0.0-4.0.1 |
| 2546003 | On the Delta AG6248C PoE switch, if the PoE priority is set to low on some ports, other ports with a higher priority might have their requests to draw power rejected instead of the lower priority ports being brought down. | 3.7.11 |
| 2545971 | The ports.conf file on the Dell S5248F-ON switch does not show port ganging or breakout options. | 3.7.10-3.7.11 |
| 2545948 | All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0. To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. | 3.7.11, 4.0.0-4.0.1 |
| 2545837 | If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server command, the /etc/ntp.conf file is misconfigured.To work around this issue, run the net add time ntp server command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 |
| 2545599 | IPv6 table rules might affect forwarding. For example, if you create the following rule in the /etc/cumulus/acl/policy.d/03-sshd.rules file, the rule counter increments but IPv4 SSH traffic might be dropped.
| 3.7.2-3.7.11, 4.0.0-4.0.1 |
| 2545316 | When an interface flap occurs, numbered IPv6 BGP sessions might fail to establish. To work around this issue, run the ip -6 route flush cache command to flush the IPv6 route cache. | 3.7.9-3.7.11 |
| 2544937 | The neighmgrd service does not ignore neighbors on reserved devices (lo and management devices). This issue is not seen when management VRF is enabled. | 3.7.8-3.7.11 |
| 2544853 | On the Dell S5248F-ON switch, CPU core temp sensors may show as ABSENT. | 4.0.0-4.0.1 |
| 2544012 | After you remove a subinterface, the BGP session stays in a Connect state. | 3.7.8-3.7.11 |
| 2543903 | The Dell N3048EP, N3048UP, and N3248PXE switches do not report the class correctly when the powered device (PD) requests a class that is greater than four. The actual power grant is correct; however, poectl displays the class as 4 for a PD requesting anything above that value. | |
| 2543816 | On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages. | 3.7.6-3.7.11, 4.0.0-4.4.5 |
| 2542823 | On the Broadcom Trident 3 switch, VXLAN encapsulated packets are dropped on the ingress port (tagged layer 2 port) during transit forwarding (the local switch does not terminate the VXLAN tunnel). An example of where this two-layer VXLAN inside VXLAN encapsulation might occur: - VXLAN tunnel (#1) between two servers (different racks) to provide layer 2 extension for containers or VM hosts. - VXLAN tunnel (#2) between the TOR switch in rack 1 to the TOR switch located in the remote rack. To work around this issue, either: - Configure the edge port (facing the servers) to be an access port (instead of a trunk/tagged port) - Change the destination port from 4789 to something else (VXLAN tunnel terminated by the servers) | 3.7.5-3.7.11, 4.0.0-4.0.1 |
| 2536616 | CVE-2018-5391 (FragmentSmack) is a network vulnerability where an attacker can trigger time and calculation expensive fragment reassembly with specially crafted packets, leading to a denial of service. On a Cumulus Linux switch, the impact is limited to control plane and management plane traffic. Any control plane traffic coming in the front panel ports will be limited by existing policer ACLs. To work around this issue, create a file called /etc/sysctl.d/ip.conf and add these settings:
| 3.7.0-3.7.11, 4.0.0-4.0.1 |
3.7.11 Release Notes
Open Issues in 3.7.11
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 3017190 | When you power cycle the switch, multiple interfaces came up in a PoE disabled state To work around this issue, run the sudo poectl -a | grep disabled command to find ports with disabled POE. Run the sudo poectl -e swp1-swp48 command to enable POE on affected ports. | 3.7.10-3.7.16 | |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2669438 | Editing the /etc/frr/frr.conf file to add a new sequence at the beginning of an existing large prefix list changes the subsequent sequence numbers of the next entries in the list and FRR reload might fail with the error message frr.service reload operation timed out. Stopping. To work around this issue, instead of adding the new prefix using an existing sequence number and pushing other sequences forward, use a sequence number that is free; for example, instead of of using 5 -> 10 -> 15, use 5 -> 7 -> 10. | 3.7.11-3.7.16 | |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2660582 | In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure) To recover restart the clagd service with sudo systemctl restart clagd.service | 3.7.8-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2653400 | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2645846 | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. | 3.7.10-3.7.15 | 3.7.16, 4.3.1-4.4.5 |
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2633245 | On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2595889 | In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-4.2.1 | 4.3.0-4.4.5 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2562511 | hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary radius is reachable but not responding to Access-RequestsIf the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers. | 3.7.10-3.7.14.2 | 3.7.15-3.7.16 |
| 2556233 | Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message will be observed when this condition occurs:WARN xx routes reverted to non-ECMP due to NH table capacity | 3.7.9-3.7.14.2 | 3.7.15-3.7.16 |
| 2556037 | After you add an interface to the bridge, an OSPF session flap might occur | 3.7.9-4.2.0 | 4.2.1-4.4.5 |
| 2556019 | After you add an interface to a bridge using the NCLU net add bridge bridge ports command, the bridge can go down and its MAC address changesTo work around this issue, use Linux commands to add an interface to a bridge. | 3.7.9-3.7.13 | 3.7.14-3.7.16 |
| 2554785 | After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX=“cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2553887 | When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2553748 | On switches with the Spectrum ASIC, the IPv6 default route is present in the kernel but missing in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2553530 | In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated. To work around this issue, restart FRR with the sudo systemctl restart frr.service command. | 3.7.10-4.2.1 | 4.3.0-4.4.5 |
| 2553015 | If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | |
| 2552739 | Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | |
| 2552647 | When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding. To work around this issue, bounce the bond or shutdown the new interface and use the remaining members over the bond. | 3.7.10-4.2.0 | 4.2.1-4.4.5 |
| 2552528 | Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-4.2.1 | 4.3.0-4.4.5 |
| 2552506 | Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports. To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-4.2.0 | 4.2.1-4.4.5 |
| 2552352 | The following security vulnerabilities have been announced in the nss / libnss3 packages: CVE-2020-6829: Side channel attack on ECDSA signature generation CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function CVE-2020-12401: ECDSA timing attack mitigation bypass Vulnerable: <= 3.26-1+debu8u11 Fixed: 3.26-1+debu8u12 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552351 | The following vulnerability has been announced in the libx11 packages: CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method. Vulnerable: <= 1.6.2-3+deb8u2 Fixed: 1.6.2-3+deb8u3 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552214 | The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14.2, 4.1.1-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2551675 | When you restart clagd, the edge port setting on the peer link changes. | 3.7.2-4.2.0 | 4.2.1-4.4.5 |
| 2551288 | When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2551161 | switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.2.0 | 3.7.13-3.7.16, 4.2.1-4.4.5 |
| 2550974 | On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | |
| 2550942 | NCLU tab completion for net show displays the text add help text instead of system Information for the system option. | 3.7.11-4.2.0 | 4.2.1-4.4.5 |
| 2550600 | The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2550478 | VXLAN interface as in-interface or out-interface in an ACL is not supported in Spectrum-based switches. | 3.7.7-4.2.0 | 4.2.1-4.4.5, 4.3.0-4.4.5 |
| 2550375 | CPU utilization may increase when clag-managed bond interfaces are operationally/LACP down but the physical carrier remains up on the bond member switchports. This condition occurs when clag bond redirection is enabled and bond members remain up while the parent bond does not negotiate LACP. This issue is resolved in Cumulus Linux 3.7.14. | 3.7.9-4.2.1 | 4.3.0-4.4.5 |
| 2550350 | Unicast traffic from downlink hosts is flooded to multiple remote VTEPs, which might also cause high HwIfOutQDrops/TX_DRP on the uplink ports. To work around this issue, restart switchd. | 3.7.10-4.1.1 | 4.2.0-4.4.5 |
| 2550323 | After a neighbor is removed, the redistributed neighbor entry is withdrawn from the BGP table, but the prefix might still be selected as the bestpath when the host’s originated prefix is not advertised. To work around this issue, recreate the neighbor entry and flap the interface to the host. Or, if the host is already down, manually create a neighbor entry with an invalid MAC address, which forces redistribute neighbor to re-withdraw the entry. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2549794 | The asic-monitor.service fails when you configure /etc/cumulus/datapath/monitor.conf with monitor.histogram_pg.collect.port_group_list = [all_packet_pg] and there is traffic passing through the buffer. When the service fails, you see the following traceback in journalctl:
| 3.7.11-4.2.0 | 4.2.1-4.4.5 |
| 2549676 | After you add or remove a bridge VLAN identifier (VID) on a trunk port, the layer 2 VNI is put into VLAN 1. To work around this issue, revert the configuration change. | 3.7.10-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2549472 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2549371 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.3 | 4.4.0-4.4.5 |
| 2548930 | On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
| 2548746 | On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2548673 | A large number of flapping peers causes FRR to require a corresponding update to internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers as well as peers that should have been deleted during the flap processing. The contents of this array is processed by FRR to poll the links, which consumes CPU for all items in the array. This additional polling consumes more CPU than necessary but has no functional impact. To work around this issue, restart FRR. | 3.7.11-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548585 | After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors. Note: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active. To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548490 | A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.To work around this issue, reenter the redistribute <connected|static> route-map statement in the configuration. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2548475 | After you add a new VNI and a layer 3 SVI to a set of leafs, certain leafs might not be able to communicate on the layer 3 VNI. To work around this issue, reboot the leaf switch or restart switchd. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2548382 | The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548307 | When the garbage collector does not release memory back to the operating system, clagd might consume a large amount of memory. As a result of low system memory, systemd might shut down services to reclaim memory. | 3.7.11-3.7.12, 4.1.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548243 | On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2548155 | The net show bgp neighbor swpX json command shows negative output for the bgpTimerUpMsec timer. | 3.7.10-3.7.16 | 4.0.0-4.4.5 |
| 2548111 | When you remove, then re-add an NSX VTEP binding, the VXLAN VTEP interface is not recreated. | 3.7.9-4.0.1 | 4.1.0-4.4.5 |
| 2548024 | On the Dell Z9100 switch, 100G-SR4 modules might not link up reliably in certain ports. swp1, 2, 3, 9, 10, 23, 24, 30, 31, and 32 might be affected To work around this issue, move 100G SR4 modules to one of the ports not affected by this issue. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547942 | On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547878 | The following vulnerability has been found in the libgcrypt20 cryptographic library.CVE-2019-13627: there was a ECDSA timing attack. For more information, see https://www.debian.org/lts/security/2020/dla-1931-2.en.html Vulnerable: 1.6.3-2+deb8u7 Fixed: 1.6.3-2+deb8u8 | 3.7.11-3.7.16 | |
| 2547876 | The following vulnerability affects libxml2: CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c has a memory leak related to newDoc->oldNs. This can lead to a denial of service. For more information, see https://www.debian.org/lts/security/2019/dla-2048.en.html . Vulnerable: 2.9.1+dfsg1-5+deb8u7 Fixed: 2.9.1+dfsg1-5+deb8u8 | 3.7.11-3.7.16 | |
| 2547874 | The following vulnerability affects libbsd, a package containing utility functions from BSD systems. CVE-2016-2090: In function fgetwln() an off-by-one error could triggers a heap buffer overflow. For more information, see https://www.debian.org/lts/security/2019/dla-2052.en.html . Vulnerable: 0.7.0-2 Fixed: 0.7.0-2+deb8u1 | 3.7.11-3.7.16 | |
| 2547839 | When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547799 | An error similar to the following shows in syslog for Mellanox switches:
To work around this issue, reboot the switch. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547784 | PTM mis-detects incorrect hostnames of LLDP neighbors and does not fail them as expected. Instead they end up in an N/A cabling status. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547782 | If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547769 | syslog might report a high load average with the CPU running a later microcode revision. | 3.7.4-3.7.12 | 3.7.13-3.7.16 |
| 2547706 | When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547666 | On the Dell S5232F-ON switch, the output of ledmgrd shows amber_blinking but smonctl shows all OK. | 3.7.11-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2547663 | When traffic from a double tag interface (facing a different site) is forwarded through VXLAN, the inner tag is not removed. The destination does not know this tag, so it discards it. | 3.7.8-4.0.1 | 4.1.0-4.4.5 |
| 2547659 | On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547658 | On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-3.7.12 | 3.7.13-3.7.16 |
| 2547609 | Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work. Mellanox switches with the Spectrum A1 ASIC do not have this issue. | 3.7.11-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2547592 | When you add a route map to advertise IPv4 unicast in a BGP EVPN configuration and the route map contains a set operation, BGP crashes. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547573 | On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU. | 3.7.9-3.7.16 | |
| 2547557 | On the EdgeCore Wedge100 and Facebook Wedge-100S switch, certain physical ports are not correctly mapped to the logical ones. For example: Logical swp39 controls physical swp41 Logical swp40 controls physical swp42 Logical swp43 controls physical swp45 Logical swp44 controls physical swp46 This might causes incorrect forwarding behavior. | 3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2547508 | When a Trident3 switch receives packets containing an IP checksum value that is not compliant with RFC 1624, the TTL is decremented after a routing operation but the checksum is not recalculated. This results in the IP checksum value being invalid as the packet leaves the switch. | 3.7.10-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2547443 | On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547381 | The hsflowd service sends an undefined header protocol 0 in the sampled flow sample to the collector, which is not recognized by the sFlow tool. You see errors similar to the following:
| 3.7.11-3.7.16 | 4.0.0-4.4.5 |
| 2547349 | When you change an interface IP address, then change it back, static routes are misprogrammed One of the following actions recovers the routes:- Bounce both layer 3 interfaces- Remove or add static routes in FRR- Restart FRR | 3.7.11-3.7.16 | 4.0.0-4.4.5 |
| 2547302 | On the Dell Z9264F-ON switch, the CPU core temperature sensors report ABSENT. | 3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2547293 | On the Broadcom Trident3 switch with DHCP relay, where the DHCP server is reachable through the EVPN overlay, DHCP discover packets forwarded to the CPU might appear corrupt and might not get forwarded. | 3.7.9-4.0.1 | 4.1.0-4.4.5 |
| 2547246 | The MLAG switch pair has VLANs defined that are not used on MLAG bonds. These VLANs still synchronize MAC addresses across to the peer switch. This results in log messages that indicate a MAC address is installed and the VLAN is not defined; for example:
| 3.7.10-4.1.1 | 4.2.0-4.4.5 |
| 2547148 | The last eight ports of the EdgeCore AS4610-54P switch (swp41 through swp48) do not power UPOE access points. | 3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2547147 | The ospfd daemon might crash with the following kernel trace:
| 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2547123 | On the Broadcom switch with the Trident3 ASC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547121 | An unhandled exception might occur after you run the sudo poectl -i command. In addition, random poed daemon restarts can occur without any unhandled exceptions but with an invalid response length error. Both issues can occur due to a SerialException.To work around this issue, power cycle the switch. A software reboot does not resolve the issue. | 3.7.10-3.7.11 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2547120 | After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom –init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2547118 | The following security vulnerabilities have been announced in the libtiff5 library on Cumulus Linux 4.0: CVE-2019-14973, CVE-2019-17546: Multiple integer overflows have been discovered in the libtiff library and the included tools. Vulnerable: 4.0.10-4 Fixed: 4.1.0+git191117-2~deb10u1 | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2547106 | Editing the outbound route-map of a BGP peer causes all received prefixes by that BGP peer to reset and reinstall. This might cause a brief impact to traffic for those prefixes. | 3.7.11 | 3.7.12-3.7.16 |
| 2547100 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5 |
| 2547070 | On the Lenovo NE2580 switch, the fan speeds are higher than expected within normal operating conditions. | 3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2547068 | Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available or manually disable CPU C-states in the kernel as outlined below To permanently disable C-states using a kernel boot parameter:1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if /etc/default/grub file contains the line GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off”, change it to GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0”2. Run sudo update-grub3. Reboot the system with sudo rebootTo disable cstates in realtime on the current system, which does not persist through a reboot:1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade;sudo apt install libpci32. Disable C-states by running the command ./cpupower idle-set -d 2C-states are disabled by default in Cumulus Linux 4.3.0 and later. | 3.7.9-4.2.1 | 4.3.0-4.4.5 |
| 2547042 | After you convert a bond back to a layer 2 access port, ifupdown2 changes all SVI MTUs to 1500. To work around this issue, run ifreload -a a second time. | 3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2547012 | On the Mellanox Spectrum switch, switchd can sometimes fail when PBR rules are installed or removed from hardware if the rule is setting a next hop learned via a routing protocol. | 3.7.7-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546998 | When you configure Cumulus Linux with a /32 address on a switch port with a configured peer address (for example, to connect to a device using IP unnumbered), the switch sends GARPs for the peer address. | 3.7.5-3.7.11 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546991 | The FRR service does not provide a way for automation to know if the configuration applied properly. To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546984 | On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings. | 3.7.10-3.7.12, 4.0.0-4.2.0 | 3.7.13-3.7.16, 4.2.1-4.4.5 |
| 2546950 | switchd crashes when dynamic VRF route leaking is enabled and the following is true:* The default route is leaked from VRF1 to VRF2 * Hardware-based dynamic VRF route leaking is configured ( vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).You might see logs similar to the following in /var/log/syslog:
To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2546895 | If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.serviceTo increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter2.Restart the switchd service with the sudo systemctl restart switchd.service commandsystemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546868 | Broadcom Field Alert - SID - MMU 2B Errors A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546815 | On the Delta AG6248C switch, the NCLU net show system sensors command shows an error:
To work around this issue, run the net show system sensors json command instead. | 3.7.11 | 3.7.12-3.7.16 |
| 2546702 | The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load. To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546577 | A traditional bridge with QinQ and a VNI does not work for tagged traffic. | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2546564 | You might see a switchd memory leak during ECMP group expansion or consolidation. | 3.7.10-3.7.11 | 3.7.12-3.7.16 |
| 2546501 | On the EdgeCore AS7326-56X switch, eth0 and swp1 use the same MAC address. | 3.7.9-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546450 | On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold. | 3.7.11-3.7.16 | |
| 2546385 | SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | |
| 2546354 | The following CVEs were announced that affect the Linux kernel: CVE-2019-12378: An issue was discovered in ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). CVE-2019-12381: An issue was discovered in ip_ra_control in net/ipv4/ip_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). CVE-2019-15239: In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifically, by adding to a write queue between disconnection and re-connection, a local attacker can trigger multiple use-after-free conditions. This can result in a kernel crash, or potentially in privilege escalation. CVE-2019-19062: A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042. CVE-2019-19537: In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c. CVE-2019-20054: In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. | 3.7.11 | 3.7.12-3.7.16 |
| 2546328 | A memory leak in switchd might occur, which causes switchd to restart. | 3.7.10-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546264 | Ifupdown2 does not set up the front panel interface for the dhclient to accept the DHCP OFFER.To work around this issue, restart the networking service after ifreload -a with the systemctl restart networking command. | 3.7.10-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546225 | When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.
To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546203 | When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior: * Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet. * If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet. | 3.7.11-3.7.16 | |
| 2546141 | CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled.To check if lldpd is the heavy CPU resource user, run the following command:
Alternatively, check for messages in the /var/log/syslog directory similar to:
Note: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.To work around this issue, you can do one of the following: * If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
| 2546131 | On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | |
| 2546010 | When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist. | 3.7.10-3.7.16 | |
| 2546003 | On the Delta AG6248C PoE switch, if the PoE priority is set to low on some ports, other ports with a higher priority might have their requests to draw power rejected instead of the lower priority ports being brought down. | 3.7.11 | 3.7.12-3.7.16 |
| 2545997 | The NCLU command net show interface produces an error if bonds with no members exist.To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a. | 3.7.10-3.7.16 | |
| 2545971 | The ports.conf file on the Dell S5248F-ON switch does not show port ganging or breakout options. | 3.7.10-3.7.11 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545948 | All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0. To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. | 3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545837 | If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server command, the /etc/ntp.conf file is misconfigured.To work around this issue, run the net add time ntp server command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
| 2545699 | On the Celestica Pebble switch, if you use IPv6 routes with mask /65 to /127, the switchd log fills with errors. | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2545599 | IPv6 table rules might affect forwarding. For example, if you create the following rule in the /etc/cumulus/acl/policy.d/03-sshd.rules file, the rule counter increments but IPv4 SSH traffic might be dropped.
| 3.7.2-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545446 | If you use NCLU commands to add a non-MLAG bond, then add an MLAG configuration, the net commit command fails. However, a subsequent net commit command succeeds. | 3.7.10-3.7.16 | |
| 2545404 | On the Trident3 switch, unicast ARP packets received on a VNI and forwarded to the CPU are not policed. | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2545316 | When an interface flap occurs, numbered IPv6 BGP sessions might fail to establish. To work around this issue, run the ip -6 route flush cache command to flush the IPv6 route cache. | 3.7.9-3.7.11 | 3.7.12-3.7.16 |
| 2545125 | If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
| 2544978 | If you delete an undefined bond, then add a bond slave, the net commit command fails. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544968 | FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
should be:
To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544953 | When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
| 2544937 | The neighmgrd service does not ignore neighbors on reserved devices (lo and management devices). This issue is not seen when management VRF is enabled. | 3.7.8-3.7.11 | 3.7.12-3.7.16 |
| 2544904 | After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements. To work around this issue, restart FRR after removing the IPv6 numbered configuration. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544829 | Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | |
| 2544671 | Package : sudoCVE ID : CVE-2019-14287Debian Bug : 942322Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows to run commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html We recommend that you upgrade your sudo packages. For the detailed security status of sudo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudoVulnerable versions: < 1.8.27-1+deb10u1Fixed versions: >= 1.8.27-1+deb10u1To work around this iisue, disable (comment out) any sudoers entries in /etc/sudoers or files in /etc/sudoers.d that have entries with !root in them. Only root or other users with a uid of 0 that are affected. | 3.7.9-3.7.16 | 4.0.0-4.4.5 |
| 2544556 | If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:
If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544463 | Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544456 | The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544311 | Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544235 | The following CVEs affect the linux kernel package: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.10-3.7.16 | |
| 2544155 | NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544113 | Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link. To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544012 | After you remove a subinterface, the BGP session stays in a Connect state. | 3.7.8-3.7.11 | 3.7.12-3.7.16 |
| 2543900 | On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543841 | The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543840 | On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file. | 3.7.6-3.7.16 | |
| 2543816 | On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages. | 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
| 2543800 | When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2543792 | On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:
| 3.7.9-4.0.1 | 4.1.0-4.4.5 |
| 2543648 | You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:
| 3.7.6-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2543647 | ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
| 3.7.6-4.2.1 | 4.3.0-4.4.5 |
| 2543646 | In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543627 | Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543472 | On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly. To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches. | 3.7.7-4.0.1 | 4.1.0-4.4.5 |
| 2543270 | The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2543164 | The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2543096 | When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543058 | The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces. To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543052 | Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as “inactive” in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR. To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:
You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2543044 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2542979 | On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5 |
| 2542945 | On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
| 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542823 | On the Broadcom Trident 3 switch, VXLAN encapsulated packets are dropped on the ingress port (tagged layer 2 port) during transit forwarding (the local switch does not terminate the VXLAN tunnel). An example of where this two-layer VXLAN inside VXLAN encapsulation might occur: - VXLAN tunnel (#1) between two servers (different racks) to provide layer 2 extension for containers or VM hosts. - VXLAN tunnel (#2) between the TOR switch in rack 1 to the TOR switch located in the remote rack. To work around this issue, either: - Configure the edge port (facing the servers) to be an access port (instead of a trunk/tagged port) - Change the destination port from 4789 to something else (VXLAN tunnel terminated by the servers) | 3.7.5-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2542767 | If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.To work around this issue, power cycle the switch. | 3.7.6-4.0.1 | 4.1.0-4.4.5 |
| 2542310 | hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6. | 3.7.6-3.7.16 | |
| 2542305 | If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542301 | When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2541212 | The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2541165 | On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false. | 3.7.6-3.7.16 | |
| 2541029 | On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540950 | On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status. | 3.7.3-4.1.1 | 4.2.0-4.4.5 |
| 2540885 | The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports. | 3.7.7-3.7.16 | |
| 2540863 | On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number. | 3.7.3-3.7.16 | |
| 2540753 | If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
| 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540444 | SNMP incorrectly requires engine ID specification. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540352 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2540340 | NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540274 | On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540204 | When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540192 | The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540155 | On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540042 | When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540041 | On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540040 | Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540031 | NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2539994 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539670 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539124 | The net add interface command adds no ptm-enable for that interface in the frr.conf file.Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2538875 | IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file. | 3.7.2-3.7.16 | |
| 2538790 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538590 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538562 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538256 | On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets. | 3.7.2-4.0.1 | 4.1.0-4.4.5 |
| 2537819 | When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537188 | When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network. | 3.7.2-3.7.16 | |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2536616 | CVE-2018-5391 (FragmentSmack) is a network vulnerability where an attacker can trigger time and calculation expensive fragment reassembly with specially crafted packets, leading to a denial of service. On a Cumulus Linux switch, the impact is limited to control plane and management plane traffic. Any control plane traffic coming in the front panel ports will be limited by existing policer ACLs. To work around this issue, create a file called /etc/sysctl.d/ip.conf and add these settings:
| 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2532017 | In FRR, bgp_snmp does not show all BGP peers when peer groups used. | 3.7.11-4.0.1 | 4.1.0-4.4.5 |
Fixed Issues in 3.7.11
| Issue ID | Description | Affects |
|---|---|---|
| 2546228 | The following security vulnerabilities have been announced in the nss/libnss3 library, which is not installed by default but is available in the repository: CVE-2019-11745: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate CVE-2019-17007: nss: Handling of Netscape Certificate Sequences in CERT_DecodeCertPackage() may crash with a NULL deref leading to DoS See https://security-tracker.debian.org/tracker/source-package/nss for more information. Vulnerable: <= 3.26-1+debu8u7 Fixed: 3.26-1+debu8u9 | 3.7.10 |
| 2545867 | If you delete, then re-add a PBR policy on an interface, the configured PBR policy is not programmed in the kernel or switchd. | 3.7.9-3.7.10, 4.0.0-4.0.1 |
| 2545865 | After making a series of PBR configuration changes using NCLU commands, the stale PBR entry is still present in the kernel. | 3.7.9-3.7.10, 4.0.0-4.0.1 |
| 2545693 | On rare occasions, after rebooting the MLAG secondary switch, one MLAG device might see the peer as down, which can cause traffic disruption to connected hosts. | 3.7.7-3.7.10 |
| 2545607 | The protocol daemon bgpd crashes when a link/neighbor flaps if static routes pointing to Null0 are advertising through BGP.To work around this issue, reboot the switch, then remove the static routes or stop advertising these routes. | 3.7.9-3.7.10, 4.0.0-4.0.1 |
| 2545563 | The following Linux kernel security vulnerabilities do not affect Cumulus Linux in supported configurations: CVE-2018-12207 CVE-2019-0154 CVE-2019-0155 CVE-2019-11135 Several vulnerabilities have been discovered in the Linux kernel that may may to a privilege escalation, denial of service, or information leak. CVE-2018-12207: Intel CPU hypervisor vulnerability. Running hypervisors on Cumulus Linux is not supported. CVE-2019-0154, CVE-2019-0155: Intel GPU vulnerabilities. GPUs are not present on our switches. CVE-2019-11135, CVE-2019-11139: Intel CPU transactional memory vulnerability. None of our switches support transactional memory. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | |
| 2545520 | The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 |
| 2545505 | If you change multiple BGP or BFD timers in the /etc/frr/frr.conf file and then reload FRR, a traceback is encountered and the change does not take effect. | 3.7.9-3.7.10 |
| 2545447 | The l1-show command prints a traceback for switch ports that have sub-interfaces configured. There is no functional impact to traffic but the l1-show troubleshooting and validation command does not execute on switch ports that have VLAN sub-interfaces. | 3.7.10, 4.0.0-4.0.1 |
| 2545405 | The ospfd daemon might crash with the following kernel trace:
| 3.7.6-3.7.10 |
| 2545235 | On the Edgecore AS6812 switch, you might see rare I2C errors. | 3.7.2-3.7.10, 4.0.0-4.0.1 |
| 2545193 | switchd does not program multicast routes 224/8 into hardware. | 3.7.9-3.7.10 |
| 2545132 | On the Mellanox switch, ACL lookups are performed for VLAN matches when no rules with UNTAGGED match are present. | 3.7.2-3.7.10, 4.0.0-4.0.1 |
| 2545086 | On the Mellanox switch with the Spectrum ASIC, the –set-burst parameter in an iptables rule does not take effect. | 3.7.10, 4.0.0-4.0.1 |
| 2545048 | When networking fails to start properly, an MLAG memory leak occurs, which might cause memory issues. | 3.7.9-3.7.10, 4.0.0-4.0.1 |
| 2545027 | In the default VRF, VRRP might crash and stay in an initialize state. As a result, VRRP multicast traffic is not generated. | 3.7.8-3.7.10 |
| 2544867 | Package: tcpdump CVE ID: CVE-2018-10103 CVE-2018-10105 CVE-2018-14461 CVE-2018-14462 CVE-2018-14463 CVE-2018-14464 CVE-2018-14465 CVE-2018-14466 CVE-2018-14467 CVE-2018-14468 CVE-2018-14469 CVE-2018-14470 CVE-2018-14879 CVE-2018-14880 CVE-2018-14881 CVE-2018-14882 CVE-2018-16227 CVE-2018-16228 CVE-2018-16229 CVE-2018-16230 CVE-2018-16300 CVE-2018-16451 CVE-2018-16452 CVE-2019-15166 Several vulnerabilities have been discovered in tcpdump, a command-line network traffic analyzer. These vulnerabilities might result in denial of service or, potentially, execution of arbitrary code. For the detailed security status of tcpdump, refer to its security tracker page at: https://security-tracker.debian.org/tracker/tcpdump Fixed versions: 4.9.3-1~deb10u1 on Cumulus Linux 4, 4.9.3-1~deb8u1 on Cumulus Linux 3. | 3.7.10 |
| 2544846 | You might experience a bgpd memory usage increase and significant update exchanges due to host moves between VTEPs. | 3.7.7-3.7.10, 4.0.0-4.0.1 |
| 2544815 | If a router MAC address changes on a VTEP, other VTEPs might still point to the previous router MAC address. | 3.7.10 |
| 2544723 | Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 |
| 2544624 | VXLAN encapsulated ICMP packets hit the catchall EFP policer instead of the ICMP policer and you might experience partial packet loss. | 3.7.9-3.7.10, 4.0.0-4.0.1 |
| 2544609 | BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.10 |
| 2544559 | When you install a large number of new rules with nonatomic mode enabled, there is a chance that you install more rules than the number of available slots in the slice, which results in the slice being completely wiped and reinstalled. This causes a large drop increase, including to cpu0, and might cause a major outage by dropping all BGP sessions. | 3.7.8-3.7.10 |
| 2544401 | Package: openssl CVE ID: CVE-2019-1547 CVE-2019-1549 CVE-2019-1563 Three security issues were discovered in OpenSSL: A timing attack against ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() and it was discovered that a feature of the random number generator (RNG) intended to protect against shared RNG state between parent and child processes in the event of a fork() syscall was not used by default. Fixed version: 1.1.1d-0+deb10u1 We recommend that you upgrade your openssl packages. For the detailed security status of openssl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl | 3.7.0-3.7.10 |
| 2544385 | The QCT QuantaMesh BMS T7032-IX7 switch may report “failed to request GPIO pin” errors during the boot up. | 3.7.5-3.7.10 |
| 2544328 | When an MLAG peerlink frequently alternates states between learning and blocking, an excessive number of TCP sessions might be created, which results in the following error display:
| 4.0.0-4.0.1 |
| 2544324 | Package: hostapd CVE ID: CVE-2019-13377 CVE-2019-16275 Two vulnerabilities were found in the WPA protocol implementation found in wpa_supplication (station) and hostapd (access point). CVE-2019-13377 A timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password. CVE-2019-16275 Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network. Fixed version: 1:2.8.0-cl4u3 | 3.7.0-3.7.10 |
| 2544212 | Cumulus Linux poed generates excessive debug log entries. These will be reduced in a future release. | 3.7.3-3.7.10, 4.0.0-4.0.1 |
| 2544199 | Traffic sent to the SVI IP address of a switch might be lost if all of the following conditions are met: * The switch is a member of an MLAG pair * The traffic is sourced from a layer 2 adjacent host * The host is located within a VRF of the MLAG pair * The traffic from the source crosses the peer link * VXLAN is configured on the MLAG pair This issue does not impact transit traffic or traffic that does not meet all of the described conditions. To workaround this issue, restart switchd. | 3.7.9-3.7.10, 4.0.0-4.0.1 |
| 2544182 | NCLU crashes when you run the net add interface storage-optimized pfc command because non-ascii quotes exist in the datapath.conf file.To work around this issue, manually edit the /usr/lib/python2.7/dist-packages/cumulus/__chip_config/mlx/datapath.conf file and replace the non-ascii single quotes with ascii single quotes (standard single quote on the keyboard). | 3.7.9-3.7.10 |
| 2544057 | FRR crashes when adding an IPv6 neighbor with extended-nexthop capability. | 3.7.9-3.7.10 |
| 2543937 | An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 |
| 2543875 | On the Mellanox Spectrum switch, a route withdrawal might cause the associated next hop neighbor entry to be deleted in hardware but remain in the kernel. This can cause traffic going through the directly connected route to the removed neighbor entry to be forwarded to the CPU. | 3.7.6-3.7.10 |
| 2543835 | The following CVEs were announced that affect the ghostscript package: CVE ID : CVE-2019-14811 CVE-2019-14812 CVE-2019-14813 CVE-2019-14817 It was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | 3.7.0-3.7.10 |
| 2543781 | NCLU does not allow you to configure OSPF NSSAs. For example:
To work around this issue, use FRR instead. For example:
| 3.7.7-3.7.10, 4.0.0-4.4.5 |
| 2543727 | ACL rules, such as the following, fail to install if you use swp+ (interfaces mentioned as wildcards).
You can now install such rules with swp+. | 3.7.3-3.7.10 |
| 2543724 | If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error:
| 3.7.7-3.7.10, 4.0.0-4.4.5 |
| 2543708 | Cumulus Linux does not map QinQ packets to VXLANs in a configuration with a VLAN-aware bridge and MLAG on the Trident3 platform. | 3.7.9-3.7.10 |
| 2543689 | On the Mellanox switch, UFT profiles are unable to support the documented capacity for routes to addresses that are more than 64 bits in length. The listed capacities assume 64-bit destination IP addresses. | 3.7.8-3.7.10, 4.0.0-4.0.1 |
| 2543667 | On the EdgeCore AS4610 switch, the ping command fails unless you run the command with sudo.To work around this issue, run the following commands:
Run the following command to verify the workaround:
You should see the following output:
| 3.7.6-3.7.10, 4.1.0-4.1.1 |
| 2543665 | clagd memory consumption increases under certain unknown conditions. | 3.7.8-3.7.10 |
| 2543473 | Configuring an inbound route map to manually change the next hop IP address received from an eBGP peer locally causes the next hop to not be updated when advertising this route out to other eBGP peers. To work around this issue, set a “dummy” route map outbound to the eBGP peer or configure the route map to manually set the next hop outbound from the originating eBGP peer. | 3.7.6-3.7.10 |
| 2543374 | After a remote VTEP peer link goes down, the tunnel destination IP address might be incorrect in hardware, which might cause loss of overlay communication between VTEPs. | 3.7.8-3.7.10 |
| 2543325 | Lenovo switches do not send or receive LLDP on eth0 interfaces. | 3.7.7-3.7.10 |
| 2543113 | NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful. To work around this issue, remove the stanza using vtysh. | 3.7.3-3.7.10 |
| 2542958 | When transitioning from a down state to an up state due to peerlink failure and recovery, MLAG does not start the initDelay timer before trying to bring everything back up. | 3.7.7-3.7.10 |
| 2542913 | IF-MIB::ifHCInOctets reports significantly lower values than reported by interface counters seen elsewhere. | 3.7.6-3.7.10 |
| 2542885 | The following CVEs affect the linux package: CVE-2019-13272 It was discovered that the ptrace subsystem in the Linux kernel mishandles the management of the credentials of a process that wants to create a ptrace relationship, allowing a local user to obtain root privileges under certain scenarios. Cumulus Linux is not affected. For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/CVE-2019-13272 | |
| 2542871 | After you issue the NCLU net del bgp vrf command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands. | 3.7.3-3.7.10, 4.0.0-4.0.1 |
| 2542835 | snmpd fails because NCLU does not remove agentaddress @vrf lines when running the net add snmp-server listening-address all command. | 3.7.4-3.7.10 |
| 2542765 | When you configure the switch to send an EAP request with the net add dot1x send-eap-request-id command, the switch ignores re-authentication attempts and does not send back an EAPol. | 3.7.6-3.7.10 |
| 2542509 | In EVPN symmetric or centralized configurations with BGP peering over a peer link, VXLAN routed packets transiting an MLAG peer are dropped until the clagd init-delay timer expires during the bring-up sequence following a reboot.The problem is caused by a race condition when programming the anycast IP address (used to terminate VXLAN tunnels), where the hardware is programmed before the software by clagd.To work around this issue, configure the BGP path across the peer link to be less preferred. The example below uses AS path prepending and the MLAG switches are iBGP neighbors. However, other BGP configurations achieve the same result. In the /etc/frr/frr.conf file, make a new AS path access list and route map to apply BGP pre-pending of the local ASN one or more times. For example:
| 3.7.6-3.7.10, 4.0.0-4.0.1 |
| 2542384 | When you define a trap destination using @mgmt, snmpd indicates that the network is unreachable even though the IP address is reachable in the management VRF.To work around this issue, remove @mgmt vrf references in the /etc/snmp/snmpd.conf file, stop snmpd, then start snmpd manually in the management VRF with the systemctl start snmpd@mgmt command. | 3.7.6-3.7.10 |
| 2542248 | When you generate a cl-support file, clagd.service prints log messages similar to the following:
| 3.7.6-3.7.10 |
| 2542100 | On the EdgeCore AS7816 switch, PCIE errors cause switchd startup to fail. | 3.7.9-3.7.10 |
| 2542065 | The following CVEs were announced in a Debian Security Advisory that affects vim modelines. Package: vim and neovim CVE ID: CVE-2019-12735 Debian Bugs: 930020, 930024 getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim. For the detailed security status, refer to the security tracker page at: https://security-tracker.debian.org/tracker/CVE-2019-12735 https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12735.html https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md Cumulus Networks recommends that you disable modelines in the the vimrc file (set nomodeline) to use the securemodelines plugin or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines.To check if you have modelines enabled, open vim and enter: :set modeline? If vim returns nomodeline, you are not vulnerable. If you are vulnerable or you want to ensure your security with this issue, add these lines to your vimrc file:
modeline is enabled by default. Verify that you do not have any existing lines in .vimrc that set modelines or modeline. | |
| 2537536 | When FRR restarts, snmp[err] dev/kmem: Permission denied error messages are recorded in the log file and SNMPd might crash periodically. | 3.7.5-3.7.10 |
| 2536639 | On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.To work around this issue: * If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000). * If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.10 |
| 2536559 | When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error:
Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 |
| 2536230 | On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is no longer set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 |
| 2535306 | Debian issued the following security advisory, DSA-4231-1, which affects the libgcrypt20 package. This advisory applies only to the the Debian Stretch release. Debian Jessie, upon which Cumulus Linux 3.0 - 3.6.2 is based, is vulnerable. CVE-2018-0495 It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys. For the stable distribution (stretch), this problem has been fixed in version 1.7.6-2+deb9u3. We recommend that you upgrade your libgcrypt20 packages. For the detailed security status of libgcrypt20, refer to its security tracker page at: https://security-tracker.debian.org/tracker/libgcrypt20 | |
| 2535209 | The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 |
| 2534450 | The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.10 |
| 2534040 | On Trident2 switches running 802.3x regular link pause, pause frames are accounted in HwIfInDiscards counters and are dropped instead of processed. | |
| 2532592 | On the Mellanox SN-2100 switch, unicast packets are counted in multicast queue counters. | |
| 2528990 | During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 |
| 2526985 | When you try to remove a VNI from a bridge using a regex match, the VNI is added back when you run the ifreload -a command. |
3.7.10 Release Notes
Open Issues in 3.7.10
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 3017190 | When you power cycle the switch, multiple interfaces came up in a PoE disabled state To work around this issue, run the sudo poectl -a | grep disabled command to find ports with disabled POE. Run the sudo poectl -e swp1-swp48 command to enable POE on affected ports. | 3.7.10-3.7.16 | |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2660582 | In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure) To recover restart the clagd service with sudo systemctl restart clagd.service | 3.7.8-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2653400 | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2645846 | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. | 3.7.10-3.7.15 | 3.7.16, 4.3.1-4.4.5 |
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2633245 | On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2595889 | In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-4.2.1 | 4.3.0-4.4.5 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2562511 | hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary radius is reachable but not responding to Access-RequestsIf the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers. | 3.7.10-3.7.14.2 | 3.7.15-3.7.16 |
| 2556233 | Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message will be observed when this condition occurs:WARN xx routes reverted to non-ECMP due to NH table capacity | 3.7.9-3.7.14.2 | 3.7.15-3.7.16 |
| 2556037 | After you add an interface to the bridge, an OSPF session flap might occur | 3.7.9-4.2.0 | 4.2.1-4.4.5 |
| 2556019 | After you add an interface to a bridge using the NCLU net add bridge bridge ports command, the bridge can go down and its MAC address changesTo work around this issue, use Linux commands to add an interface to a bridge. | 3.7.9-3.7.13 | 3.7.14-3.7.16 |
| 2553887 | When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2553530 | In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated. To work around this issue, restart FRR with the sudo systemctl restart frr.service command. | 3.7.10-4.2.1 | 4.3.0-4.4.5 |
| 2553015 | If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | |
| 2552739 | Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | |
| 2552647 | When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding. To work around this issue, bounce the bond or shutdown the new interface and use the remaining members over the bond. | 3.7.10-4.2.0 | 4.2.1-4.4.5 |
| 2552528 | Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-4.2.1 | 4.3.0-4.4.5 |
| 2552352 | The following security vulnerabilities have been announced in the nss / libnss3 packages: CVE-2020-6829: Side channel attack on ECDSA signature generation CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function CVE-2020-12401: ECDSA timing attack mitigation bypass Vulnerable: <= 3.26-1+debu8u11 Fixed: 3.26-1+debu8u12 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552351 | The following vulnerability has been announced in the libx11 packages: CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method. Vulnerable: <= 1.6.2-3+deb8u2 Fixed: 1.6.2-3+deb8u3 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2551675 | When you restart clagd, the edge port setting on the peer link changes. | 3.7.2-4.2.0 | 4.2.1-4.4.5 |
| 2551288 | When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2550600 | The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2550478 | VXLAN interface as in-interface or out-interface in an ACL is not supported in Spectrum-based switches. | 3.7.7-4.2.0 | 4.2.1-4.4.5, 4.3.0-4.4.5 |
| 2550375 | CPU utilization may increase when clag-managed bond interfaces are operationally/LACP down but the physical carrier remains up on the bond member switchports. This condition occurs when clag bond redirection is enabled and bond members remain up while the parent bond does not negotiate LACP. This issue is resolved in Cumulus Linux 3.7.14. | 3.7.9-4.2.1 | 4.3.0-4.4.5 |
| 2550350 | Unicast traffic from downlink hosts is flooded to multiple remote VTEPs, which might also cause high HwIfOutQDrops/TX_DRP on the uplink ports. To work around this issue, restart switchd. | 3.7.10-4.1.1 | 4.2.0-4.4.5 |
| 2550323 | After a neighbor is removed, the redistributed neighbor entry is withdrawn from the BGP table, but the prefix might still be selected as the bestpath when the host’s originated prefix is not advertised. To work around this issue, recreate the neighbor entry and flap the interface to the host. Or, if the host is already down, manually create a neighbor entry with an invalid MAC address, which forces redistribute neighbor to re-withdraw the entry. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2549676 | After you add or remove a bridge VLAN identifier (VID) on a trunk port, the layer 2 VNI is put into VLAN 1. To work around this issue, revert the configuration change. | 3.7.10-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548585 | After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors. Note: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active. To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548475 | After you add a new VNI and a layer 3 SVI to a set of leafs, certain leafs might not be able to communicate on the layer 3 VNI. To work around this issue, reboot the leaf switch or restart switchd. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2548382 | The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548243 | On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2548155 | The net show bgp neighbor swpX json command shows negative output for the bgpTimerUpMsec timer. | 3.7.10-3.7.16 | 4.0.0-4.4.5 |
| 2548111 | When you remove, then re-add an NSX VTEP binding, the VXLAN VTEP interface is not recreated. | 3.7.9-4.0.1 | 4.1.0-4.4.5 |
| 2547769 | syslog might report a high load average with the CPU running a later microcode revision. | 3.7.4-3.7.12 | 3.7.13-3.7.16 |
| 2547663 | When traffic from a double tag interface (facing a different site) is forwarded through VXLAN, the inner tag is not removed. The destination does not know this tag, so it discards it. | 3.7.8-4.0.1 | 4.1.0-4.4.5 |
| 2547573 | On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU. | 3.7.9-3.7.16 | |
| 2547508 | When a Trident3 switch receives packets containing an IP checksum value that is not compliant with RFC 1624, the TTL is decremented after a routing operation but the checksum is not recalculated. This results in the IP checksum value being invalid as the packet leaves the switch. | 3.7.10-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2547293 | On the Broadcom Trident3 switch with DHCP relay, where the DHCP server is reachable through the EVPN overlay, DHCP discover packets forwarded to the CPU might appear corrupt and might not get forwarded. | 3.7.9-4.0.1 | 4.1.0-4.4.5 |
| 2547246 | The MLAG switch pair has VLANs defined that are not used on MLAG bonds. These VLANs still synchronize MAC addresses across to the peer switch. This results in log messages that indicate a MAC address is installed and the VLAN is not defined; for example:
| 3.7.10-4.1.1 | 4.2.0-4.4.5 |
| 2547121 | An unhandled exception might occur after you run the sudo poectl -i command. In addition, random poed daemon restarts can occur without any unhandled exceptions but with an invalid response length error. Both issues can occur due to a SerialException.To work around this issue, power cycle the switch. A software reboot does not resolve the issue. | 3.7.10-3.7.11 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2547118 | The following security vulnerabilities have been announced in the libtiff5 library on Cumulus Linux 4.0: CVE-2019-14973, CVE-2019-17546: Multiple integer overflows have been discovered in the libtiff library and the included tools. Vulnerable: 4.0.10-4 Fixed: 4.1.0+git191117-2~deb10u1 | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2547068 | Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available or manually disable CPU C-states in the kernel as outlined below To permanently disable C-states using a kernel boot parameter:1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if /etc/default/grub file contains the line GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off”, change it to GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0”2. Run sudo update-grub3. Reboot the system with sudo rebootTo disable cstates in realtime on the current system, which does not persist through a reboot:1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade;sudo apt install libpci32. Disable C-states by running the command ./cpupower idle-set -d 2C-states are disabled by default in Cumulus Linux 4.3.0 and later. | 3.7.9-4.2.1 | 4.3.0-4.4.5 |
| 2547012 | On the Mellanox Spectrum switch, switchd can sometimes fail when PBR rules are installed or removed from hardware if the rule is setting a next hop learned via a routing protocol. | 3.7.7-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546998 | When you configure Cumulus Linux with a /32 address on a switch port with a configured peer address (for example, to connect to a device using IP unnumbered), the switch sends GARPs for the peer address. | 3.7.5-3.7.11 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546984 | On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings. | 3.7.10-3.7.12, 4.0.0-4.2.0 | 3.7.13-3.7.16, 4.2.1-4.4.5 |
| 2546950 | switchd crashes when dynamic VRF route leaking is enabled and the following is true:* The default route is leaked from VRF1 to VRF2 * Hardware-based dynamic VRF route leaking is configured ( vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).You might see logs similar to the following in /var/log/syslog:
To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2546868 | Broadcom Field Alert - SID - MMU 2B Errors A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546702 | The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load. To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546577 | A traditional bridge with QinQ and a VNI does not work for tagged traffic. | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2546564 | You might see a switchd memory leak during ECMP group expansion or consolidation. | 3.7.10-3.7.11 | 3.7.12-3.7.16 |
| 2546501 | On the EdgeCore AS7326-56X switch, eth0 and swp1 use the same MAC address. | 3.7.9-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546385 | SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | |
| 2546328 | A memory leak in switchd might occur, which causes switchd to restart. | 3.7.10-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546264 | Ifupdown2 does not set up the front panel interface for the dhclient to accept the DHCP OFFER.To work around this issue, restart the networking service after ifreload -a with the systemctl restart networking command. | 3.7.10-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546228 | The following security vulnerabilities have been announced in the nss/libnss3 library, which is not installed by default but is available in the repository: CVE-2019-11745: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate CVE-2019-17007: nss: Handling of Netscape Certificate Sequences in CERT_DecodeCertPackage() may crash with a NULL deref leading to DoS See https://security-tracker.debian.org/tracker/source-package/nss for more information. Vulnerable: <= 3.26-1+debu8u7 Fixed: 3.26-1+debu8u9 | 3.7.10 | 3.7.11-3.7.16 |
| 2546010 | When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist. | 3.7.10-3.7.16 | |
| 2545997 | The NCLU command net show interface produces an error if bonds with no members exist.To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a. | 3.7.10-3.7.16 | |
| 2545971 | The ports.conf file on the Dell S5248F-ON switch does not show port ganging or breakout options. | 3.7.10-3.7.11 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545867 | If you delete, then re-add a PBR policy on an interface, the configured PBR policy is not programmed in the kernel or switchd. | 3.7.9-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545865 | After making a series of PBR configuration changes using NCLU commands, the stale PBR entry is still present in the kernel. | 3.7.9-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545837 | If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server command, the /etc/ntp.conf file is misconfigured.To work around this issue, run the net add time ntp server command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
| 2545699 | On the Celestica Pebble switch, if you use IPv6 routes with mask /65 to /127, the switchd log fills with errors. | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2545693 | On rare occasions, after rebooting the MLAG secondary switch, one MLAG device might see the peer as down, which can cause traffic disruption to connected hosts. | 3.7.7-3.7.10 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545607 | The protocol daemon bgpd crashes when a link/neighbor flaps if static routes pointing to Null0 are advertising through BGP.To work around this issue, reboot the switch, then remove the static routes or stop advertising these routes. | 3.7.9-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545599 | IPv6 table rules might affect forwarding. For example, if you create the following rule in the /etc/cumulus/acl/policy.d/03-sshd.rules file, the rule counter increments but IPv4 SSH traffic might be dropped.
| 3.7.2-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545520 | The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2545505 | If you change multiple BGP or BFD timers in the /etc/frr/frr.conf file and then reload FRR, a traceback is encountered and the change does not take effect. | 3.7.9-3.7.10 | 3.7.11-3.7.16 |
| 2545447 | The l1-show command prints a traceback for switch ports that have sub-interfaces configured. There is no functional impact to traffic but the l1-show troubleshooting and validation command does not execute on switch ports that have VLAN sub-interfaces. | 3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545446 | If you use NCLU commands to add a non-MLAG bond, then add an MLAG configuration, the net commit command fails. However, a subsequent net commit command succeeds. | 3.7.10-3.7.16 | |
| 2545405 | The ospfd daemon might crash with the following kernel trace:
| 3.7.6-3.7.10 | 3.7.11-3.7.16 |
| 2545404 | On the Trident3 switch, unicast ARP packets received on a VNI and forwarded to the CPU are not policed. | 3.7.10-4.0.1 | 4.1.0-4.4.5 |
| 2545316 | When an interface flap occurs, numbered IPv6 BGP sessions might fail to establish. To work around this issue, run the ip -6 route flush cache command to flush the IPv6 route cache. | 3.7.9-3.7.11 | 3.7.12-3.7.16 |
| 2545235 | On the Edgecore AS6812 switch, you might see rare I2C errors. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545193 | switchd does not program multicast routes 224/8 into hardware. | 3.7.9-3.7.16 | 4.0.0-4.4.5 |
| 2545132 | On the Mellanox switch, ACL lookups are performed for VLAN matches when no rules with UNTAGGED match are present. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545125 | If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
| 2545086 | On the Mellanox switch with the Spectrum ASIC, the –set-burst parameter in an iptables rule does not take effect. | 3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545048 | When networking fails to start properly, an MLAG memory leak occurs, which might cause memory issues. | 3.7.9-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545027 | In the default VRF, VRRP might crash and stay in an initialize state. As a result, VRRP multicast traffic is not generated. | 3.7.8-3.7.10 | 3.7.11-3.7.16 |
| 2544978 | If you delete an undefined bond, then add a bond slave, the net commit command fails. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544968 | FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
should be:
To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544953 | When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
| 2544937 | The neighmgrd service does not ignore neighbors on reserved devices (lo and management devices). This issue is not seen when management VRF is enabled. | 3.7.8-3.7.11 | 3.7.12-3.7.16 |
| 2544904 | After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements. To work around this issue, restart FRR after removing the IPv6 numbered configuration. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544867 | Package: tcpdump CVE ID: CVE-2018-10103 CVE-2018-10105 CVE-2018-14461 CVE-2018-14462 CVE-2018-14463 CVE-2018-14464 CVE-2018-14465 CVE-2018-14466 CVE-2018-14467 CVE-2018-14468 CVE-2018-14469 CVE-2018-14470 CVE-2018-14879 CVE-2018-14880 CVE-2018-14881 CVE-2018-14882 CVE-2018-16227 CVE-2018-16228 CVE-2018-16229 CVE-2018-16230 CVE-2018-16300 CVE-2018-16451 CVE-2018-16452 CVE-2019-15166 Several vulnerabilities have been discovered in tcpdump, a command-line network traffic analyzer. These vulnerabilities might result in denial of service or, potentially, execution of arbitrary code. For the detailed security status of tcpdump, refer to its security tracker page at: https://security-tracker.debian.org/tracker/tcpdump Fixed versions: 4.9.3-1~deb10u1 on Cumulus Linux 4, 4.9.3-1~deb8u1 on Cumulus Linux 3. | 3.7.10-3.7.16 | 4.0.0-4.4.5 |
| 2544846 | You might experience a bgpd memory usage increase and significant update exchanges due to host moves between VTEPs. | 3.7.7-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544829 | Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | |
| 2544815 | If a router MAC address changes on a VTEP, other VTEPs might still point to the previous router MAC address. | 3.7.10-3.7.16 | 4.0.0-4.4.5 |
| 2544723 | Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2544671 | Package : sudoCVE ID : CVE-2019-14287Debian Bug : 942322Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows to run commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html We recommend that you upgrade your sudo packages. For the detailed security status of sudo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudoVulnerable versions: < 1.8.27-1+deb10u1Fixed versions: >= 1.8.27-1+deb10u1To work around this iisue, disable (comment out) any sudoers entries in /etc/sudoers or files in /etc/sudoers.d that have entries with !root in them. Only root or other users with a uid of 0 that are affected. | 3.7.9-3.7.16 | 4.0.0-4.4.5 |
| 2544624 | VXLAN encapsulated ICMP packets hit the catchall EFP policer instead of the ICMP policer and you might experience partial packet loss. | 3.7.9-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544609 | BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2544559 | When you install a large number of new rules with nonatomic mode enabled, there is a chance that you install more rules than the number of available slots in the slice, which results in the slice being completely wiped and reinstalled. This causes a large drop increase, including to cpu0, and might cause a major outage by dropping all BGP sessions. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2544556 | If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:
If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544463 | Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544456 | The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544401 | Package: openssl CVE ID: CVE-2019-1547 CVE-2019-1549 CVE-2019-1563 Three security issues were discovered in OpenSSL: A timing attack against ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() and it was discovered that a feature of the random number generator (RNG) intended to protect against shared RNG state between parent and child processes in the event of a fork() syscall was not used by default. Fixed version: 1.1.1d-0+deb10u1 We recommend that you upgrade your openssl packages. For the detailed security status of openssl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544385 | The QCT QuantaMesh BMS T7032-IX7 switch may report “failed to request GPIO pin” errors during the boot up. | 3.7.5-3.7.10 | 3.7.11-3.7.16 |
| 2544324 | Package: hostapd CVE ID: CVE-2019-13377 CVE-2019-16275 Two vulnerabilities were found in the WPA protocol implementation found in wpa_supplication (station) and hostapd (access point). CVE-2019-13377 A timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password. CVE-2019-16275 Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network. Fixed version: 1:2.8.0-cl4u3 | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544311 | Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544235 | The following CVEs affect the linux kernel package: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.10-3.7.16 | |
| 2544212 | Cumulus Linux poed generates excessive debug log entries. These will be reduced in a future release. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544199 | Traffic sent to the SVI IP address of a switch might be lost if all of the following conditions are met: * The switch is a member of an MLAG pair * The traffic is sourced from a layer 2 adjacent host * The host is located within a VRF of the MLAG pair * The traffic from the source crosses the peer link * VXLAN is configured on the MLAG pair This issue does not impact transit traffic or traffic that does not meet all of the described conditions. To workaround this issue, restart switchd. | 3.7.9-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544182 | NCLU crashes when you run the net add interface storage-optimized pfc command because non-ascii quotes exist in the datapath.conf file.To work around this issue, manually edit the /usr/lib/python2.7/dist-packages/cumulus/__chip_config/mlx/datapath.conf file and replace the non-ascii single quotes with ascii single quotes (standard single quote on the keyboard). | 3.7.9-3.7.10 | 3.7.11-3.7.16 |
| 2544155 | NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544113 | Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link. To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544057 | FRR crashes when adding an IPv6 neighbor with extended-nexthop capability. | 3.7.9-3.7.10 | 3.7.11-3.7.16 |
| 2544012 | After you remove a subinterface, the BGP session stays in a Connect state. | 3.7.8-3.7.11 | 3.7.12-3.7.16 |
| 2543937 | An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2543900 | On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543875 | On the Mellanox Spectrum switch, a route withdrawal might cause the associated next hop neighbor entry to be deleted in hardware but remain in the kernel. This can cause traffic going through the directly connected route to the removed neighbor entry to be forwarded to the CPU. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2543841 | The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543840 | On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file. | 3.7.6-3.7.16 | |
| 2543835 | The following CVEs were announced that affect the ghostscript package: CVE ID : CVE-2019-14811 CVE-2019-14812 CVE-2019-14813 CVE-2019-14817 It was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | 3.7.0-3.7.10 | 3.7.11-3.7.16 |
| 2543816 | On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages. | 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
| 2543800 | When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2543792 | On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:
| 3.7.9-4.0.1 | 4.1.0-4.4.5 |
| 2543781 | NCLU does not allow you to configure OSPF NSSAs. For example:
To work around this issue, use FRR instead. For example:
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2543727 | ACL rules, such as the following, fail to install if you use swp+ (interfaces mentioned as wildcards).
You can now install such rules with swp+. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2543724 | If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error:
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2543708 | Cumulus Linux does not map QinQ packets to VXLANs in a configuration with a VLAN-aware bridge and MLAG on the Trident3 platform. | 3.7.9-3.7.16 | 4.0.0-4.4.5 |
| 2543689 | On the Mellanox switch, UFT profiles are unable to support the documented capacity for routes to addresses that are more than 64 bits in length. The listed capacities assume 64-bit destination IP addresses. | 3.7.8-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2543667 | On the EdgeCore AS4610 switch, the ping command fails unless you run the command with sudo.To work around this issue, run the following commands:
Run the following command to verify the workaround:
You should see the following output:
| 3.7.6-3.7.10, 4.1.0-4.1.1 | 3.7.11-3.7.16, 4.2.0-4.4.5 |
| 2543665 | clagd memory consumption increases under certain unknown conditions. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2543648 | You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:
| 3.7.6-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2543647 | ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
| 3.7.6-4.2.1 | 4.3.0-4.4.5 |
| 2543646 | In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543627 | Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543473 | Configuring an inbound route map to manually change the next hop IP address received from an eBGP peer locally causes the next hop to not be updated when advertising this route out to other eBGP peers. To work around this issue, set a “dummy” route map outbound to the eBGP peer or configure the route map to manually set the next hop outbound from the originating eBGP peer. | 3.7.6-3.7.10 | 3.7.11-3.7.16 |
| 2543472 | On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly. To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches. | 3.7.7-4.0.1 | 4.1.0-4.4.5 |
| 2543374 | After a remote VTEP peer link goes down, the tunnel destination IP address might be incorrect in hardware, which might cause loss of overlay communication between VTEPs. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2543325 | Lenovo switches do not send or receive LLDP on eth0 interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543270 | The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2543164 | The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2543113 | NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful. To work around this issue, remove the stanza using vtysh. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2543096 | When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543058 | The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces. To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543052 | Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as “inactive” in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR. To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:
You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2543044 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2542979 | On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5 |
| 2542958 | When transitioning from a down state to an up state due to peerlink failure and recovery, MLAG does not start the initDelay timer before trying to bring everything back up. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2542945 | On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
| 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542913 | IF-MIB::ifHCInOctets reports significantly lower values than reported by interface counters seen elsewhere. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2542871 | After you issue the NCLU net del bgp vrf command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2542835 | snmpd fails because NCLU does not remove agentaddress @vrf lines when running the net add snmp-server listening-address all command. | 3.7.4-3.7.16 | 4.0.0-4.4.5 |
| 2542823 | On the Broadcom Trident 3 switch, VXLAN encapsulated packets are dropped on the ingress port (tagged layer 2 port) during transit forwarding (the local switch does not terminate the VXLAN tunnel). An example of where this two-layer VXLAN inside VXLAN encapsulation might occur: - VXLAN tunnel (#1) between two servers (different racks) to provide layer 2 extension for containers or VM hosts. - VXLAN tunnel (#2) between the TOR switch in rack 1 to the TOR switch located in the remote rack. To work around this issue, either: - Configure the edge port (facing the servers) to be an access port (instead of a trunk/tagged port) - Change the destination port from 4789 to something else (VXLAN tunnel terminated by the servers) | 3.7.5-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2542767 | If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.To work around this issue, power cycle the switch. | 3.7.6-4.0.1 | 4.1.0-4.4.5 |
| 2542765 | When you configure the switch to send an EAP request with the net add dot1x send-eap-request-id command, the switch ignores re-authentication attempts and does not send back an EAPol. | 3.7.6-3.7.10 | 3.7.11-3.7.16 |
| 2542509 | In EVPN symmetric or centralized configurations with BGP peering over a peer link, VXLAN routed packets transiting an MLAG peer are dropped until the clagd init-delay timer expires during the bring-up sequence following a reboot.The problem is caused by a race condition when programming the anycast IP address (used to terminate VXLAN tunnels), where the hardware is programmed before the software by clagd.To work around this issue, configure the BGP path across the peer link to be less preferred. The example below uses AS path prepending and the MLAG switches are iBGP neighbors. However, other BGP configurations achieve the same result. In the /etc/frr/frr.conf file, make a new AS path access list and route map to apply BGP pre-pending of the local ASN one or more times. For example:
| 3.7.6-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2542384 | When you define a trap destination using @mgmt, snmpd indicates that the network is unreachable even though the IP address is reachable in the management VRF.To work around this issue, remove @mgmt vrf references in the /etc/snmp/snmpd.conf file, stop snmpd, then start snmpd manually in the management VRF with the systemctl start snmpd@mgmt command. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2542310 | hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6. | 3.7.6-3.7.16 | |
| 2542305 | If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542301 | When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2542248 | When you generate a cl-support file, clagd.service prints log messages similar to the following:
| 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2542100 | On the EdgeCore AS7816 switch, PCIE errors cause switchd startup to fail. | 3.7.9-3.7.16 | 4.0.0-4.4.5 |
| 2541212 | The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2541165 | On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false. | 3.7.6-3.7.16 | |
| 2541029 | On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540950 | On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status. | 3.7.3-4.1.1 | 4.2.0-4.4.5 |
| 2540885 | The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports. | 3.7.7-3.7.16 | |
| 2540863 | On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number. | 3.7.3-3.7.16 | |
| 2540753 | If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
| 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540444 | SNMP incorrectly requires engine ID specification. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540352 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2540340 | NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540274 | On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540204 | When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540192 | The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540155 | On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540042 | When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540041 | On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540040 | Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540031 | NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2539994 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539670 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539124 | The net add interface command adds no ptm-enable for that interface in the frr.conf file.Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2538875 | IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file. | 3.7.2-3.7.16 | |
| 2538790 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538590 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538562 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538256 | On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets. | 3.7.2-4.0.1 | 4.1.0-4.4.5 |
| 2537819 | When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537536 | When FRR restarts, snmp[err] dev/kmem: Permission denied error messages are recorded in the log file and SNMPd might crash periodically. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537188 | When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network. | 3.7.2-3.7.16 | |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2536639 | On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.To work around this issue: * If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000). * If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2536616 | CVE-2018-5391 (FragmentSmack) is a network vulnerability where an attacker can trigger time and calculation expensive fragment reassembly with specially crafted packets, leading to a denial of service. On a Cumulus Linux switch, the impact is limited to control plane and management plane traffic. Any control plane traffic coming in the front panel ports will be limited by existing policer ACLs. To work around this issue, create a file called /etc/sysctl.d/ip.conf and add these settings:
| 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536559 | When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error:
Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | 3.7.11-3.7.16 |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536230 | On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is no longer set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535209 | The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2534450 | The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2528990 | During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | 3.7.11-3.7.16 |
Fixed Issues in 3.7.10
| Issue ID | Description | Affects |
|---|---|---|
| 2544073 | After upgrading to Cumulus Linux 3.7.9 on a Broadcom switch, CPU generated traffic (such as ICMP, OSPF, ARP, and so on) egresses access ports with a 802.1Q header or interfaces with a bridge-pvid, with a VLAN ID of 0. Equipment from other vendors might drop this traffic. | 3.7.9 |
3.7.9 Release Notes
Open Issues in 3.7.9
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2660582 | In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure) To recover restart the clagd service with sudo systemctl restart clagd.service | 3.7.8-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2556233 | Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message will be observed when this condition occurs:WARN xx routes reverted to non-ECMP due to NH table capacity | 3.7.9-3.7.14.2 | 3.7.15-3.7.16 |
| 2556037 | After you add an interface to the bridge, an OSPF session flap might occur | 3.7.9-4.2.0 | 4.2.1-4.4.5 |
| 2556019 | After you add an interface to a bridge using the NCLU net add bridge bridge ports command, the bridge can go down and its MAC address changesTo work around this issue, use Linux commands to add an interface to a bridge. | 3.7.9-3.7.13 | 3.7.14-3.7.16 |
| 2553887 | When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2552739 | Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | |
| 2552528 | Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-4.2.1 | 4.3.0-4.4.5 |
| 2552352 | The following security vulnerabilities have been announced in the nss / libnss3 packages: CVE-2020-6829: Side channel attack on ECDSA signature generation CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function CVE-2020-12401: ECDSA timing attack mitigation bypass Vulnerable: <= 3.26-1+debu8u11 Fixed: 3.26-1+debu8u12 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552351 | The following vulnerability has been announced in the libx11 packages: CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method. Vulnerable: <= 1.6.2-3+deb8u2 Fixed: 1.6.2-3+deb8u3 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2551675 | When you restart clagd, the edge port setting on the peer link changes. | 3.7.2-4.2.0 | 4.2.1-4.4.5 |
| 2551288 | When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2550600 | The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2550478 | VXLAN interface as in-interface or out-interface in an ACL is not supported in Spectrum-based switches. | 3.7.7-4.2.0 | 4.2.1-4.4.5, 4.3.0-4.4.5 |
| 2550375 | CPU utilization may increase when clag-managed bond interfaces are operationally/LACP down but the physical carrier remains up on the bond member switchports. This condition occurs when clag bond redirection is enabled and bond members remain up while the parent bond does not negotiate LACP. This issue is resolved in Cumulus Linux 3.7.14. | 3.7.9-4.2.1 | 4.3.0-4.4.5 |
| 2550323 | After a neighbor is removed, the redistributed neighbor entry is withdrawn from the BGP table, but the prefix might still be selected as the bestpath when the host’s originated prefix is not advertised. To work around this issue, recreate the neighbor entry and flap the interface to the host. Or, if the host is already down, manually create a neighbor entry with an invalid MAC address, which forces redistribute neighbor to re-withdraw the entry. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2548475 | After you add a new VNI and a layer 3 SVI to a set of leafs, certain leafs might not be able to communicate on the layer 3 VNI. To work around this issue, reboot the leaf switch or restart switchd. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2548382 | The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548243 | On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2548111 | When you remove, then re-add an NSX VTEP binding, the VXLAN VTEP interface is not recreated. | 3.7.9-4.0.1 | 4.1.0-4.4.5 |
| 2547769 | syslog might report a high load average with the CPU running a later microcode revision. | 3.7.4-3.7.12 | 3.7.13-3.7.16 |
| 2547663 | When traffic from a double tag interface (facing a different site) is forwarded through VXLAN, the inner tag is not removed. The destination does not know this tag, so it discards it. | 3.7.8-4.0.1 | 4.1.0-4.4.5 |
| 2547573 | On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU. | 3.7.9-3.7.16 | |
| 2547293 | On the Broadcom Trident3 switch with DHCP relay, where the DHCP server is reachable through the EVPN overlay, DHCP discover packets forwarded to the CPU might appear corrupt and might not get forwarded. | 3.7.9-4.0.1 | 4.1.0-4.4.5 |
| 2547068 | Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available or manually disable CPU C-states in the kernel as outlined below To permanently disable C-states using a kernel boot parameter:1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if /etc/default/grub file contains the line GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off”, change it to GRUB_CMDLINE_LINUX=“cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0”2. Run sudo update-grub3. Reboot the system with sudo rebootTo disable cstates in realtime on the current system, which does not persist through a reboot:1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade;sudo apt install libpci32. Disable C-states by running the command ./cpupower idle-set -d 2C-states are disabled by default in Cumulus Linux 4.3.0 and later. | 3.7.9-4.2.1 | 4.3.0-4.4.5 |
| 2547012 | On the Mellanox Spectrum switch, switchd can sometimes fail when PBR rules are installed or removed from hardware if the rule is setting a next hop learned via a routing protocol. | 3.7.7-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546998 | When you configure Cumulus Linux with a /32 address on a switch port with a configured peer address (for example, to connect to a device using IP unnumbered), the switch sends GARPs for the peer address. | 3.7.5-3.7.11 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546868 | Broadcom Field Alert - SID - MMU 2B Errors A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546702 | The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load. To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546501 | On the EdgeCore AS7326-56X switch, eth0 and swp1 use the same MAC address. | 3.7.9-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546385 | SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | |
| 2545867 | If you delete, then re-add a PBR policy on an interface, the configured PBR policy is not programmed in the kernel or switchd. | 3.7.9-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545865 | After making a series of PBR configuration changes using NCLU commands, the stale PBR entry is still present in the kernel. | 3.7.9-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545693 | On rare occasions, after rebooting the MLAG secondary switch, one MLAG device might see the peer as down, which can cause traffic disruption to connected hosts. | 3.7.7-3.7.10 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545607 | The protocol daemon bgpd crashes when a link/neighbor flaps if static routes pointing to Null0 are advertising through BGP.To work around this issue, reboot the switch, then remove the static routes or stop advertising these routes. | 3.7.9-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545599 | IPv6 table rules might affect forwarding. For example, if you create the following rule in the /etc/cumulus/acl/policy.d/03-sshd.rules file, the rule counter increments but IPv4 SSH traffic might be dropped.
| 3.7.2-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545505 | If you change multiple BGP or BFD timers in the /etc/frr/frr.conf file and then reload FRR, a traceback is encountered and the change does not take effect. | 3.7.9-3.7.10 | 3.7.11-3.7.16 |
| 2545405 | The ospfd daemon might crash with the following kernel trace:
| 3.7.6-3.7.10 | 3.7.11-3.7.16 |
| 2545316 | When an interface flap occurs, numbered IPv6 BGP sessions might fail to establish. To work around this issue, run the ip -6 route flush cache command to flush the IPv6 route cache. | 3.7.9-3.7.11 | 3.7.12-3.7.16 |
| 2545235 | On the Edgecore AS6812 switch, you might see rare I2C errors. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545193 | switchd does not program multicast routes 224/8 into hardware. | 3.7.9-3.7.16 | 4.0.0-4.4.5 |
| 2545132 | On the Mellanox switch, ACL lookups are performed for VLAN matches when no rules with UNTAGGED match are present. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545048 | When networking fails to start properly, an MLAG memory leak occurs, which might cause memory issues. | 3.7.9-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545027 | In the default VRF, VRRP might crash and stay in an initialize state. As a result, VRRP multicast traffic is not generated. | 3.7.8-3.7.10 | 3.7.11-3.7.16 |
| 2544978 | If you delete an undefined bond, then add a bond slave, the net commit command fails. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544968 | FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
should be:
To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544937 | The neighmgrd service does not ignore neighbors on reserved devices (lo and management devices). This issue is not seen when management VRF is enabled. | 3.7.8-3.7.11 | 3.7.12-3.7.16 |
| 2544904 | After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements. To work around this issue, restart FRR after removing the IPv6 numbered configuration. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544846 | You might experience a bgpd memory usage increase and significant update exchanges due to host moves between VTEPs. | 3.7.7-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544829 | Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | |
| 2544723 | Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2544671 | Package : sudoCVE ID : CVE-2019-14287Debian Bug : 942322Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows to run commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html We recommend that you upgrade your sudo packages. For the detailed security status of sudo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudoVulnerable versions: < 1.8.27-1+deb10u1Fixed versions: >= 1.8.27-1+deb10u1To work around this iisue, disable (comment out) any sudoers entries in /etc/sudoers or files in /etc/sudoers.d that have entries with !root in them. Only root or other users with a uid of 0 that are affected. | 3.7.9-3.7.16 | 4.0.0-4.4.5 |
| 2544624 | VXLAN encapsulated ICMP packets hit the catchall EFP policer instead of the ICMP policer and you might experience partial packet loss. | 3.7.9-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544609 | BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2544559 | When you install a large number of new rules with nonatomic mode enabled, there is a chance that you install more rules than the number of available slots in the slice, which results in the slice being completely wiped and reinstalled. This causes a large drop increase, including to cpu0, and might cause a major outage by dropping all BGP sessions. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2544556 | If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:
If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5 |
| 2544463 | Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544456 | The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544401 | Package: openssl CVE ID: CVE-2019-1547 CVE-2019-1549 CVE-2019-1563 Three security issues were discovered in OpenSSL: A timing attack against ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() and it was discovered that a feature of the random number generator (RNG) intended to protect against shared RNG state between parent and child processes in the event of a fork() syscall was not used by default. Fixed version: 1.1.1d-0+deb10u1 We recommend that you upgrade your openssl packages. For the detailed security status of openssl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544385 | The QCT QuantaMesh BMS T7032-IX7 switch may report “failed to request GPIO pin” errors during the boot up. | 3.7.5-3.7.10 | 3.7.11-3.7.16 |
| 2544324 | Package: hostapd CVE ID: CVE-2019-13377 CVE-2019-16275 Two vulnerabilities were found in the WPA protocol implementation found in wpa_supplication (station) and hostapd (access point). CVE-2019-13377 A timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password. CVE-2019-16275 Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network. Fixed version: 1:2.8.0-cl4u3 | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544311 | Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544212 | Cumulus Linux poed generates excessive debug log entries. These will be reduced in a future release. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544199 | Traffic sent to the SVI IP address of a switch might be lost if all of the following conditions are met: * The switch is a member of an MLAG pair * The traffic is sourced from a layer 2 adjacent host * The host is located within a VRF of the MLAG pair * The traffic from the source crosses the peer link * VXLAN is configured on the MLAG pair This issue does not impact transit traffic or traffic that does not meet all of the described conditions. To workaround this issue, restart switchd. | 3.7.9-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544182 | NCLU crashes when you run the net add interface storage-optimized pfc command because non-ascii quotes exist in the datapath.conf file.To work around this issue, manually edit the /usr/lib/python2.7/dist-packages/cumulus/__chip_config/mlx/datapath.conf file and replace the non-ascii single quotes with ascii single quotes (standard single quote on the keyboard). | 3.7.9-3.7.10 | 3.7.11-3.7.16 |
| 2544155 | NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544113 | Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link. To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | |
| 2544073 | After upgrading to Cumulus Linux 3.7.9 on a Broadcom switch, CPU generated traffic (such as ICMP, OSPF, ARP, and so on) egresses access ports with a 802.1Q header or interfaces with a bridge-pvid, with a VLAN ID of 0. Equipment from other vendors might drop this traffic. | 3.7.9 | 3.7.10-3.7.16 |
| 2544057 | FRR crashes when adding an IPv6 neighbor with extended-nexthop capability. | 3.7.9-3.7.10 | 3.7.11-3.7.16 |
| 2544012 | After you remove a subinterface, the BGP session stays in a Connect state. | 3.7.8-3.7.11 | 3.7.12-3.7.16 |
| 2543937 | An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2543900 | On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543875 | On the Mellanox Spectrum switch, a route withdrawal might cause the associated next hop neighbor entry to be deleted in hardware but remain in the kernel. This can cause traffic going through the directly connected route to the removed neighbor entry to be forwarded to the CPU. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2543841 | The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543840 | On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file. | 3.7.6-3.7.16 | |
| 2543835 | The following CVEs were announced that affect the ghostscript package: CVE ID : CVE-2019-14811 CVE-2019-14812 CVE-2019-14813 CVE-2019-14817 It was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | 3.7.0-3.7.10 | 3.7.11-3.7.16 |
| 2543816 | On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages. | 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
| 2543800 | When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2543792 | On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:
| 3.7.9-4.0.1 | 4.1.0-4.4.5 |
| 2543781 | NCLU does not allow you to configure OSPF NSSAs. For example:
To work around this issue, use FRR instead. For example:
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2543727 | ACL rules, such as the following, fail to install if you use swp+ (interfaces mentioned as wildcards).
You can now install such rules with swp+. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2543724 | If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error:
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2543708 | Cumulus Linux does not map QinQ packets to VXLANs in a configuration with a VLAN-aware bridge and MLAG on the Trident3 platform. | 3.7.9-3.7.16 | 4.0.0-4.4.5 |
| 2543689 | On the Mellanox switch, UFT profiles are unable to support the documented capacity for routes to addresses that are more than 64 bits in length. The listed capacities assume 64-bit destination IP addresses. | 3.7.8-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2543667 | On the EdgeCore AS4610 switch, the ping command fails unless you run the command with sudo.To work around this issue, run the following commands:
Run the following command to verify the workaround:
You should see the following output:
| 3.7.6-3.7.10, 4.1.0-4.1.1 | 3.7.11-3.7.16, 4.2.0-4.4.5 |
| 2543665 | clagd memory consumption increases under certain unknown conditions. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2543648 | You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:
| 3.7.6-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2543647 | ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
| 3.7.6-4.2.1 | 4.3.0-4.4.5 |
| 2543646 | In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543627 | Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543473 | Configuring an inbound route map to manually change the next hop IP address received from an eBGP peer locally causes the next hop to not be updated when advertising this route out to other eBGP peers. To work around this issue, set a “dummy” route map outbound to the eBGP peer or configure the route map to manually set the next hop outbound from the originating eBGP peer. | 3.7.6-3.7.10 | 3.7.11-3.7.16 |
| 2543472 | On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly. To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches. | 3.7.7-4.0.1 | 4.1.0-4.4.5 |
| 2543374 | After a remote VTEP peer link goes down, the tunnel destination IP address might be incorrect in hardware, which might cause loss of overlay communication between VTEPs. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2543325 | Lenovo switches do not send or receive LLDP on eth0 interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543270 | The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2543164 | The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2543113 | NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful. To work around this issue, remove the stanza using vtysh. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2543096 | When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543058 | The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces. To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543052 | Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as “inactive” in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR. To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:
You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2543044 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2542979 | On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5 |
| 2542958 | When transitioning from a down state to an up state due to peerlink failure and recovery, MLAG does not start the initDelay timer before trying to bring everything back up. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2542945 | On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
| 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542913 | IF-MIB::ifHCInOctets reports significantly lower values than reported by interface counters seen elsewhere. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2542871 | After you issue the NCLU net del bgp vrf command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2542835 | snmpd fails because NCLU does not remove agentaddress @vrf lines when running the net add snmp-server listening-address all command. | 3.7.4-3.7.16 | 4.0.0-4.4.5 |
| 2542823 | On the Broadcom Trident 3 switch, VXLAN encapsulated packets are dropped on the ingress port (tagged layer 2 port) during transit forwarding (the local switch does not terminate the VXLAN tunnel). An example of where this two-layer VXLAN inside VXLAN encapsulation might occur: - VXLAN tunnel (#1) between two servers (different racks) to provide layer 2 extension for containers or VM hosts. - VXLAN tunnel (#2) between the TOR switch in rack 1 to the TOR switch located in the remote rack. To work around this issue, either: - Configure the edge port (facing the servers) to be an access port (instead of a trunk/tagged port) - Change the destination port from 4789 to something else (VXLAN tunnel terminated by the servers) | 3.7.5-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2542767 | If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.To work around this issue, power cycle the switch. | 3.7.6-4.0.1 | 4.1.0-4.4.5 |
| 2542765 | When you configure the switch to send an EAP request with the net add dot1x send-eap-request-id command, the switch ignores re-authentication attempts and does not send back an EAPol. | 3.7.6-3.7.10 | 3.7.11-3.7.16 |
| 2542509 | In EVPN symmetric or centralized configurations with BGP peering over a peer link, VXLAN routed packets transiting an MLAG peer are dropped until the clagd init-delay timer expires during the bring-up sequence following a reboot.The problem is caused by a race condition when programming the anycast IP address (used to terminate VXLAN tunnels), where the hardware is programmed before the software by clagd.To work around this issue, configure the BGP path across the peer link to be less preferred. The example below uses AS path prepending and the MLAG switches are iBGP neighbors. However, other BGP configurations achieve the same result. In the /etc/frr/frr.conf file, make a new AS path access list and route map to apply BGP pre-pending of the local ASN one or more times. For example:
| 3.7.6-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2542384 | When you define a trap destination using @mgmt, snmpd indicates that the network is unreachable even though the IP address is reachable in the management VRF.To work around this issue, remove @mgmt vrf references in the /etc/snmp/snmpd.conf file, stop snmpd, then start snmpd manually in the management VRF with the systemctl start snmpd@mgmt command. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2542310 | hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6. | 3.7.6-3.7.16 | |
| 2542305 | If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542301 | When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2542248 | When you generate a cl-support file, clagd.service prints log messages similar to the following:
| 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2542100 | On the EdgeCore AS7816 switch, PCIE errors cause switchd startup to fail. | 3.7.9-3.7.16 | 4.0.0-4.4.5 |
| 2541212 | The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2541165 | On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false. | 3.7.6-3.7.16 | |
| 2541029 | On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540950 | On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status. | 3.7.3-4.1.1 | 4.2.0-4.4.5 |
| 2540885 | The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports. | 3.7.7-3.7.16 | |
| 2540863 | On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number. | 3.7.3-3.7.16 | |
| 2540753 | If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
| 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540444 | SNMP incorrectly requires engine ID specification. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540352 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2540340 | NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540274 | On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540204 | When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540192 | The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540155 | On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540042 | When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540041 | On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540040 | Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540031 | NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2539994 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539670 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539124 | The net add interface command adds no ptm-enable for that interface in the frr.conf file.Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2538875 | IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file. | 3.7.2-3.7.16 | |
| 2538790 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538590 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538562 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538256 | On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets. | 3.7.2-4.0.1 | 4.1.0-4.4.5 |
| 2537819 | When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537536 | When FRR restarts, snmp[err] dev/kmem: Permission denied error messages are recorded in the log file and SNMPd might crash periodically. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537188 | When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network. | 3.7.2-3.7.16 | |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2536639 | On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.To work around this issue: * If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000). * If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2536616 | CVE-2018-5391 (FragmentSmack) is a network vulnerability where an attacker can trigger time and calculation expensive fragment reassembly with specially crafted packets, leading to a denial of service. On a Cumulus Linux switch, the impact is limited to control plane and management plane traffic. Any control plane traffic coming in the front panel ports will be limited by existing policer ACLs. To work around this issue, create a file called /etc/sysctl.d/ip.conf and add these settings:
| 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536559 | When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error:
Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | 3.7.11-3.7.16 |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536230 | On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is no longer set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535209 | The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2534450 | The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2528990 | During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | 3.7.11-3.7.16 |
Fixed Issues in 3.7.9
| Issue ID | Description | Affects |
|---|---|---|
| 2548190 | A security scanner may detect a version of wpa or hostapd that is not listed as having been fixed for CVE-2019-13377 and/or CVE-2019-16275. Cumulus Linux since 3.7.9 and 4.0.0 has a customized version of wpa and hostapd which includes the fixes for these vulnerabilities. | 3.7.8 |
| 2543546 | {watchfrr calls sudo /usr/sbin/service frr restart bgpd but restarts all FRR daemons which can cause a large outage. This occurs because watchfrr uses an old style service command, which causes all daemons to restart when a daemon fails. | 3.7.7-3.7.8 |
| 2543469 | When using the UFT lpm-equal profile, IPv6 routes are limited to 16K. | 3.7.8 |
| 2543389 | Dynamic route-leaking works as expected until FRR is restarted or the switch is rebooted. After the restart or reboot, the import RT under the VRF where routes are being imported is incorrect. | 3.7.7-3.7.8 |
| 2543329 | The following CVEs were announced in Debian Security Advisory DSA-4499-1 and affect the ghostscript package. ————————————————————————————— Debian Security Advisory DSA-4499-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso August 12, 2019 https://www.debian.org/security/faq ————————————————————————————— Package: ghostscript CVE ID: CVE-2019-10216 Debian Bug: 934638 Netanel reported that the .buildfont1 procedure in Ghostscript, the GPL PostScript/PDF interpreter, does not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. For the oldstable distribution (stretch), this problem has been fixed in version 9.26a~dfsg-0+deb9u4. For the stable distribution (buster), this problem has been fixed in version 9.27~dfsg-2+deb10u1. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | |
| 2543311 | The following CVEs were announced in Debian Security Advisory DSA-4495 and DSA 4497 and affect the linux kernel package. ——————————————————————————————— Debian Security Advisory DSA-4495-1 security@debian.org https://www.debian.org/security/ Ben Hutchings August 10, 2019 https://www.debian.org/security/faq ——————————————————————————————— Package: linux CVE ID: CVE-2018-20836 CVE-2019-1125 CVE-2019-1999 CVE-2019-10207 CVE-2019-10638 CVE-2019-12817 CVE-2019-12984 CVE-2019-13233 CVE-2019-13631 CVE-2019-13648 CVE-2019-14283 CVE-2019-14284 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2015-8553 Jan Beulich discovered that CVE-2015-2150 was not completely addressed. If a PCI physical function is passed through to a Xen guest, the guest is able to access its memory and I/O regions before enabling decoding of those regions. This could result in a denial-of-service (unexpected NMI) on the host. The fix for this is incompatible with qemu versions before 2.5. (CVE ID not yet assigned) Denis Andzakovic reported a missing type check in the IPv4 multicast routing implementation. A user with the CAP_NET_ADMIN capability (in any user namespace) could use this for denial-of-service (memory corruption or crash) or possibly for privilege escalation. CVE-2018-5995 ADLab of VenusTech discovered that the kernel logged the virtual addresses assigned to per-CPU data, which could make it easier to exploit other vulnerabilities. CVE-2018-20836 chenxiang reported a race condition in libsas, the kernel subsystem supporting Serial Attached SCSI (SAS) devices, which could lead to a use-after-free. It is not clear how this might be exploited. CVE-2019-1125 It was discovered that most x86 processors could speculatively skip a conditional SWAPGS instruction used when entering the kernel from user mode, and/or could speculatively execute it when it should be skipped. This is a subtype of Spectre variant 1, which could allow local users to obtain sensitive information from the kernel or other processes. It has been mitigated by using memory barriers to limit speculative execution. Systems using an i386 kernel are not affected as the kernel does not use SWAPGS. CVE-2019-1999 A race condition was discovered in the Android binder driver, which could lead to a use-after-free. If this driver is loaded, a local user might be able to use this for denial-of-service (memory corruption) or for privilege escalation. CVE-2019-1125 It was discovered that most x86 processors could speculatively skip a conditional SWAPGS instruction used when entering the kernel from user mode, and/or could speculatively execute it when it should be skipped. This is a subtype of Spectre variant 1, which could allow local users to obtain sensitive information from the kernel or other processes. It has been mitigated by using memory barriers to limit speculative execution. Systems using an i386 kernel are not affected as the kernel does not use SWAPGS. CVE-2019-3882 It was found that the vfio implementation did not limit the number of DMA mappings to device memory. A local user granted ownership of a vfio device could use this to cause a denial of service (out-of-memory condition). CVE-2019-3900 It was discovered that vhost drivers did not properly control the amount of work done to service requests from guest VMs. A malicious guest could use this to cause a denial-of-service (unbounded CPU usage) on the host. CVE-2019-10207 The syzkaller tool found a potential null dereference in various drivers for UART-attached Bluetooth adapters. A local user with access to a pty device or other suitable tty device could use this for denial-of-service (BU G/oops). CVE-2019-10638 Amit Klein and Benny Pinkas discovered that the generation of IP packet IDs used a weak hash function, “jhash”. This could enable tracking individual computers as they communicate with different remote servers and from different networks. The “siphash” function is now used instead. CVE-2019-10639 Amit Klein and Benny Pinkas discovered that the generation of IP packet IDs used a weak hash function that incorporated a kernel virtual address. This hash function is no longer used for IP IDs, although it is still used for other purposes in the network stack. CVE-2019-12817 It was discovered that on the PowerPC (ppc64el) architecture, the hash page table (HPT) code did not correctly handle fork() in a process with memory mapped at addresses above 512 TiB. This could lead to a use-after-free in the kernel, or unintended sharing of memory between user processes. A local user could use this for privilege escalation. Systems using the radix MMU, or a custom kernel with a 4 KiB page size, are not affected. CVE-2019-12984 It was discovered that the NFC protocol implementation did not properly validate a netlink control message, potentially leading to a null pointer dereference. A local user on a system with an NFC interface could use this for denial-of-service (BUG/oops). CVE-2019-13233 Jann Horn discovered a race condition on the x86 architecture, in use of the LDT. This could lead to a use-after-free. A local user could possibly use this for denial-of-service. CVE-2019-13631 It was discovered that the gtco driver for USB input tablets could overrun a stack buffer with constant data while parsing the device’s descriptor. A physically present user with a specially constructed USB device could use this to cause a denial-of-service (BUG/oops), or possibly for privilege escalation. CVE-2019-13648 Praveen Pandey reported that on PowerPC (ppc64el) systems without Transactional Memory (TM), the kernel would still attempt to restore TM state passed to the sigreturn() system call. A local user could use this for denial-of-service (oops). CVE-2019-14283 The syzkaller tool found a missing bounds check in the floppy disk driver. A local user with access to a floppy disk device, with a disk present, could use this to read kernel memory beyond the I/O buffer, possibly obtaining sensitive information. CVE-2019-14284 The syzkaller tool found a potential division-by-zero in the floppy disk driver. A local user with access to a floppy disk device could use this for denial-of-service (oops). (CVE ID not yet assigned) Denis Andzakovic reported a possible use-after-free in the TCP sockets implementation. A local user could use this for denial-of-service (memory corruption or crash) or possibly for privilege escalation. (CVE ID not yet assigned) The netfilter conntrack subsystem used kernel addresses as user-visible IDs, which could make it easier to exploit other security vulnerabilities. XSA-300 Julien Grall reported that Linux does not limit the amount of memory which a domain will attempt to baloon out, nor limits the amount of “foreign / grant map” memory which any individual guest can consume, leading to denial of service conditions (for host or guests). For the oldstable distribution (stretch), these problems have been fixed in version 4.9.168-1+deb9u5. For the stable distribution (buster), these problems have been fixed in version 4.19.37-5+deb10u2. For the oldstable distribution (stretch), these problems will be fixed soon. We recommend that you upgrade your linux packages. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | |
| 2543008 | The following CVEs were announced in Debian Security Advisory DSA-4489-1. ————————————————————————————— Debian Security Advisory DSA-4489-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso July 27, 2019 https://www.debian.org/security/faq ————————————————————————————— Package: patch CVE ID: CVE-2019-13636 CVE-2019-13638 Debian Bug: 932401 933140 Imre Rad discovered several vulnerabilities in GNU patch, leading to shell command injection or escape from the working directory and access and overwrite files, if specially crafted patch files are processed. This update includes a bugfix for a regression introduced by the patch to address CVE-2018-1000156 when applying an ed-style patch (#933140). For the oldstable distribution (stretch), these problems have been fixed in version 2.7.5-1+deb9u2. For the stable distribution (buster), these problems have been fixed in version 2.7.6-3+deb10u1. We recommend that you upgrade your patch packages. For the detailed security status of patch please refer to its security tracker page at: https://security-tracker.debian.org/tracker/patch | |
| 2543004 | Cumulus Linux installer images have a shell script that validates checksum integrity. When you run onie-install, this check is run but the installer is still staged even if the checksum validation fails.To work around this issue, perform your own checksum validation before staging a new image with onie-install. | 3.7.7-3.7.8 |
| 2542985 | On a Tomahawk switch, the 5m 40G DACs (40G CR4) do not come up when both sides have auto-negotiation enabled. | 3.7.7-3.7.8 |
| 2542965 | A port that is used as both a double tag interface and a VXLAN access side interface does not forward correctly; VXLAN decapsulation is does not occur. However, do not configure double tagged interfaces on VXLAN uplink ports as this will cause VXLAN routing issues. | |
| 2542938 | When MLAG is re-establishing its peering after a member reboot, the VNIs on the peer briefly go into a protodown state. This can cause complete downtime to dually connected hosts as the member coming back up is still in initDelay. This issue does resolve itself as the VNIs do come back up within ten seconds. | 3.7.8 |
| 2542853 | For interfaces configured with RS FEC, when switchd is restarted, the link goes down but does not automatically come back up. This occurs because the FEC status is not replayed correctly into the kernel.To work around this issue, run the ifreload -a command to bring up the interface after switchd is restarted. | 3.7.6-3.7.8 |
| 2542837 | On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 |
| 2542819 | On the Trident3 platform, you can only add 50 percent of the total ECMP next hops. A log message indicates that the table is full. | 3.7.7-3.7.8 |
| 2542774 | When moving an IP address from the address line to inet dhcp, then issuing the ifreload -a command, the old address is not removed from the interface. NCLU still reports the old address only and reports it as a DHCP address. | 3.7.6-3.7.8 |
| 2542726 | After configuring switchd hal.bcm.per_vlan_router_mac_lookup to TRUE on a Broadcom switch, layer 2 traffic works over VXLAN but the host is not able to ping the locally connected gateway and loses routing ability to other IPs and subnets. | 3.7.5-3.7.8 |
| 2542711 | BGP update packets are sometimes missing the mandatory nexthop attribute, which causes connections to reset. For example, this issue is seen when using VRF route leaking with a mix of BGP unnumbered and BGP numbered peers. | 3.7.6-3.7.8 |
| 2542480 | When BGP remove-private-AS replace-AS is configured under the BGP IPv4 or IPv6 address family between a pair of switches configured as BGP peers, a BGP route update might cause the BGP session to flap.To work around this issue, do not configure remove-private-AS replace-AS in the BGP IPv4 or IPv6 address family. | 3.7.6-3.7.8 |
| 2542472 | On Broadcom-based VXLAN routing capable platforms, VXLAN traffic received at the egress VTEP might drop because the hardware is mis-programming. This issue is related to timing and is not easily reproduced. This issue might occur after a VXLAN interface (VNI) state transition (the peerlink goes down and puts VNI into a protodown state, then the peerlink comes back and the VNI returns to UP) and is related to how the next-hop information is programmed in hardware. Sometimes the host routes corresponding to this VXLAN segment are mis-programmed with the wrong next hop information. To work around this issue, restart the switchd service with the sudo systemctl restart switchd.service command. | |
| 2542423 | The following CVEs were announced in Debian Security Advisory DSA-4472-1 and affect the expat (libexpat1) package. ————————————————————————————- Debian Security Advisory DSA-4472-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 28, 2019 https://www.debian.org/security/faq ————————————————————————————- Package: expat CVE ID: CVE-2018-20843 Debian Bug: 931031 It was discovered that Expat, an XML parsing C library, did not properly handled XML input including XML names that contain a large number of colons, potentially resulting in denial of service. For the stable distribution (stretch), this problem has been fixed in version 2.2.0-2+deb9u2. We recommend that you upgrade your expat packages. For the detailed security status of expat, refer to its security tracker page at: https://security-tracker.debian.org/tracker/expat | |
| 2542365 | The snmpd service frequently crashes due to double free or corruption. | 3.7.6-3.7.8 |
| 2542341 | The IP neighbor entry for a link-local next hop (169.254.x.x) is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces. To work around this issue, flap the peering to the peer router (which can be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.8 |
| 2542336 | On the Mellanox SN2410 switch, switchd does not start. | 3.7.2-3.7.8 |
| 2542297 | When you run the NCLU net del all command, the exec-timeout setting changes in the /etc/frr.frr.conf file. | 3.7.6-3.7.8 |
| 2542193 | When you configure the link-down yes attribute to a physical SVI, the VRR (-v0) interface is not brought down, and the locally-connected subnet can still be redistributed into routing protocols and advertised to neighbors despite the physical SVI being administratively down.To work around this issue, manually bring down the VRR (-v0) interface with the ip link set dev command. For example:
| 3.7.6-3.7.8 |
| 2542160 | The following CVEs were announced in Debian Security Advisory DSA-4465-1 and affect the linux kernel. ——————————————————————————————- Debian Security Advisory DSA-4465-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 17, 2019 https://www.debian.org/security/faq ——————————————————————————————- Package: linux CVE ID: CVE-2019-3846 CVE-2019-5489 CVE-2019-9500 CVE-2019-9503 CVE-2019-10126 CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 CVE-2019-11486 CVE-2019-11599 CVE-2019-11815 CVE-2019-11833 CVE-2019-11884 Debian Bug: 928989 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2019-3846, CVE-2019-10126 huangwen reported multiple buffer overflows in the Marvell wifi (mwifiex) driver, which a local user could use to cause denial of service or the execution of arbitrary code. CVE-2019-5489 Daniel Gruss, Erik Kraft, Trishita Tiwari, Michael Schwarz, Ari Trachtenberg, Jason Hennessey, Alex Ionescu, and Anders Fogh discovered that local users could use the mincore() system call to obtain sensitive information from other processes that access the same memory-mapped file. CVE-2019-9500, CVE-2019-9503 Hugues Anguelkov discovered a buffer overflow and missing access validation in the Broadcom FullMAC wifi driver (brcmfmac), which a attacker on the same wifi network could use to cause denial of service or the execution of arbitrary code. CVE-2019-11477 Jonathan Looney reported that a specially crafted sequence of TCP selective acknowledgements (SACKs) allows a remotely triggerable kernel panic. CVE-2019-11478 Jonathan Looney reported that a specially crafted sequence of TCP selective acknowledgements (SACKs) will fragment the TCP retransmission queue, allowing an attacker to cause excessive resource usage. CVE-2019-11479 Jonathan Looney reported that an attacker could force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data, drastically increasing the bandwidth required to deliver the same amount of data. This update introduces a new sysctl value to control the minimal MSS (net.ipv4.tcp_min_snd_mss), which by default uses the formerly hard-coded value of 48. We recommend raising this to 536 unless you know that your network requires a lower value. CVE-2019-11486 Jann Horn of Google reported numerous race conditions in the Siemens R3964 line discipline. A local user could use these to cause unspecified security impact. This module has therefore been disabled. CVE-2019-11599 Jann Horn of Google reported a race condition in the core dump implementation which could lead to a use-after-free. A local user could use this to read sensitive information, to cause a denial of service (memory corruption), or for privilege escalation. CVE-2019-11815 It was discovered that a use-after-free in the Reliable Datagram Sockets protocol could result in denial of service and potentially privilege escalation. This protocol module (rds) is not auto-loaded on Debian systems, so this issue only affects systems where it is explicitly loaded. CVE-2019-11833 It was discovered that the ext4 filesystem implementation writes uninitialised data from kernel memory to new extent blocks. A local user able to write to an ext4 filesystem and then read the filesystem image, for example using a removable drive, might be able to use this to obtain sensitive information. CVE-2019-11884 It was discovered that the Bluetooth HIDP implementation did not ensure that new connection names were null-terminated. A local user with CAP_NET_ADMIN capability might be able to use this to obtain sensitive information from the kernel stack. For the stable distribution (stretch), these problems have been fixed in version 4.9.168-1+deb9u3. We recommend that you upgrade your linux packages. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.6-3.7.8 |
| 2542058 | The ifquery command should return a non-zero value if there is a syntax error. However, it currently returns zero. This issue affects automation scripts that validate a file before copying it into place. | 3.7.6-3.7.8 |
| 2542031 | If you configure a sys-mac with a single digit, ifreload -a does not indicate that the MAC address is invalid for the MLAG sys-mac and the clagd process fails silently. | 3.7.6-3.7.8 |
| 2541924 | If the address-virtual MAC address is missing a leading zero in the last octet, the interface bounces. | 3.7.6-3.7.8 |
| 2541604 | The snmpd service exits with a message similar to the following:
This problem might occur during or after network convergence events. For example, when bgpd needs to process a high number of updates and the CPU cannot keep up, bgpd is disconnected and agentx generates a core dump in snmpd due to a memory allocation problem.To work around this issue, disable agentx by commenting out the following lines in the /etc/snmp/snmpd.conf file. Then, restart the snmpd service with the systemctl restart snmpd command.
If you still want to poll the BGP4-MIB information, re-enable the bgp pass persist script by adding the following line in the /etc/snmp/snmpd.conf file:
| 3.7.2-3.7.8 |
| 2541346 | The following CVEs were announced in Debian Security Advisory DSA-4440-1. ————————————————————————————— Debian Security Advisory DSA-4440-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff May 09, 2019 https://www.debian.org/security/faq ————————————————————————————— Package: bind9 CVE ID: CVE-2018-5743 CVE-2018-5745 CVE-2019-6465 Multiple vulnerabilities were found in the BIND DNS server: CVE-2018-5743 Connection limits were incorrectly enforced. CVE-2018-5745 The “managed-keys” feature was susceptible to denial of service by triggering an assert. CVE-2019-6465 ACLs for zone transfers were incorrectly enforced for dynamically loadable zones (DLZs). For the stable distribution (stretch), these problems have been fixed in version 1:9.10.3.dfsg.P4-12.3+deb9u5. We recommend that you upgrade your bind9 packages. For the detailed security status of bind9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/bind9 | |
| 2541003 | NCLU is unable to delete a BGP neighbor configuration if there is a VRF VNI mapping in the /etc/frr/frr.conf file. For example, the following NCLU command produces an error:
| 3.7.7-3.7.8 |
| 2540684 | On a Dell S5248F (Trident3) switch, packets from switch ports are forwarded to the CPU and are sometimes corrupted. The corruption might result in BGP peerings being down, which can lead to all VXLAN traffic to and from a node to be lost, causing an outage to dually connected hosts in a rack. To work around this issue, restart switchd. | 3.7.3-3.7.8 |
| 2540600 | If the clagd-vxlan-anycast-ip is removed from the /etc/network/interfaces file (either with the NCLU command or by editing the file manually), MLAG still believes it is present until clagd restarts. | 3.7.3-3.7.8 |
| 2540359 | bgpd creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. | 3.7.6-3.7.8 |
| 2538741 | The NCLU command net show bridge spanning-tree does not show the MLAG peer link as part of the STP forwarding instance.To work around this issue, use the mstpctl command to confirm the STP status of the port. | 3.7.2-3.7.8 |
| 2538710 | The following CVEs were announced in Debian Security Advisory DSA-4436-1 and affect the imagemagick packages. ——————————————————————————————- Debian Security Advisory DSA-4371-1 security@debian.org https://www.debian.org/security/ Yves-Alexis Perez January 22, 2019 https://www.debian.org/security/faq ——————————————————————————————- Max Justicz discovered a vulnerability in APT, the high level package manager. The code handling HTTP redirects in the HTTP transport method doesn’t properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicous content in the HTTP connection. This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine. Since the vulnerability is present in the package manager itself, it is recommended to disable redirects in order to prevent exploitation during this upgrade only, using: apt -o Acquire::http::AllowRedirect=false update apt -o Acquire::http::AllowRedirect=false upgrade The code handling HTTP redirects in the HTTP transport method doesn’t properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicous content in the HTTP connection. This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine. Since the vulnerability is present in the package manager itself, it is recommended to disable redirects in order to prevent exploitation during this upgrade only, using: apt -o Acquire::http::AllowRedirect=false update apt -o Acquire::http::AllowRedirect=false upgrade This is known to break some proxies when used against security.debian.org. If that happens, people can switch their security APT source to use deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main For the stable distribution (stretch), this problem has been fixed in version 1.4.9. | |
| 2538480 | Modifying the /etc/netd.conf file to set show_linux_command = True does not take effect. | 3.7.2-3.7.8 |
| 2538321 | On the Trident3 switch, the input chain ACLs drop action forwards packets if the traffic is destined to the CPU on an SVI. | |
| 2538022 | When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically. To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF. | 3.7.2-3.7.8 |
| 2537799 | The following CVEs were announced in Debian Security Advisory DSA-4347-1. ————————————————————————————————– Debian Security Advisory DSA-4347-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso November 29, 2018 https://www.debian.org/security/faq ————————————————————————————————– Package: perl CVE ID: CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314 Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-18311 Jayakrishna Menon and Christophe Hauser discovered an integer overflow vulnerability in Perl_my_setenv leading to a heap-basedbuffer overflow with attacker-controlled input. CVE-2018-18312 Eiichi Tsukata discovered that a crafted regular expression could cause a heap-based buffer overflow write during compilation, potentially allowing arbitrary code execution. CVE-2018-18313 Eiichi Tsukata discovered that a crafted regular expression could cause a heap-based buffer overflow read during compilation which leads to information leak. CVE-2018-18314 Jakub Wilk discovered that a specially crafted regular expression could lead to a heap-based buffer overflow. For the stable distribution (stretch), these problems have been fixed in version 5.24.1-3+deb9u5. We recommend that you upgrade your perl packages. For the detailed security status of perl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/perl | |
| 2537753 | The following CVEs were announced in Debian Security Advisory DSA-4372-1. ————————————————————————————————– Debian Security Advisory DSA-4346-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso November 27, 2018 https://www.debian.org/security/faq ————————————————————————————————– Package: ghostscript CVE ID: CVE-2018-19409 CVE-2018-19475 CVE-2018-19476 CVE-2018-19477 Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of arbitrary code if a malformed Postscript file is processed (despite the -dSAFER sandbox being enabled). This update rebases ghostscript for stretch to the upstream version 9.26 which includes additional changes. For the stable distribution (stretch), these problems have been fixed in version 9.26~dfsg-0+deb9u1. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | |
| 2537153 | In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 |
| 2536650 | Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters). While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 |
| 2536154 | By default, the nginx server used for the HTTP API on port 8080 is enabled, but does not listen to external requests. However, it appears to be listening and answering external requests. | |
| 2535445 | If a VNI is configured before the bridge in /etc/network/interfaces, the switch does not send IGMP queries.To work around this issue, edit the /etc/network/interfaces file to define the bridge before the VNI. For example:
. | |
| 2534887 | The NCLU net show lldp and net show interface commands do not show LLDP information for swp* (eth is unaffected). | |
| 2534730 | The following CVEs were announced in a Debian Security Advisory. ————————————————————————————————– It was discovered that Ghostscript incorrectly handled certain PostScript files. An attacker could possibly use this to cause a denial of server. (CVE-2016-10317) It was discovered that Ghostscript incorrectly handled certain PDF files. An attacker could possibly use this to cause a denial of service. (CVE-2018-10194) Debian CVE links: https://security-tracker.debian.org/tracker/CVE-2016-10317 and https://security-tracker.debian.org/tracker/CVE-2018-10194 | |
| 2533865 | The following CVEs were announced in Debian Security Advisory DSA-4131. ——————————————————————————————- Debian Security Advisory DSA-4131-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff March 04, 2018 https://www.debian.org/security/faq —————————————————————————————— Package: xen CVE ID: CVE-2018-7540 CVE-2018-7541 CVE-2018-7542 Multiple vulnerabilities have been discovered in the Xen hypervisor: CVE-2018-7540 Jann Horn discovered that missing checks in page table freeing may result in denial of service. CVE-2018-7541 Jan Beulich discovered that incorrect error handling in grant table checks may result in guest-to-host denial of service and potentially privilege escalation. CVE-2018-7542 Ian Jackson discovered that insufficient handling of x86 PVH guests without local APICs may result in guest-to-host denial of service. For the stable distribution (stretch), these problems have been fixed in version 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5. We recommend that you upgrade your xen packages. For the detailed security status of xen please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xen | |
| 2532395 | Drops due to congestion do not appear to be counted on a Mellanox switch. To work around this issue, run the sudo ethtool -S swp1 command to collect interface traffic statistics. |
3.7.8 Release Notes
Open Issues in 3.7.8
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2660582 | In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure) To recover restart the clagd service with sudo systemctl restart clagd.service | 3.7.8-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2553887 | When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2552739 | Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | |
| 2552528 | Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-4.2.1 | 4.3.0-4.4.5 |
| 2552352 | The following security vulnerabilities have been announced in the nss / libnss3 packages: CVE-2020-6829: Side channel attack on ECDSA signature generation CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function CVE-2020-12401: ECDSA timing attack mitigation bypass Vulnerable: <= 3.26-1+debu8u11 Fixed: 3.26-1+debu8u12 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552351 | The following vulnerability has been announced in the libx11 packages: CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method. Vulnerable: <= 1.6.2-3+deb8u2 Fixed: 1.6.2-3+deb8u3 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2551675 | When you restart clagd, the edge port setting on the peer link changes. | 3.7.2-4.2.0 | 4.2.1-4.4.5 |
| 2551288 | When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2550600 | The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
| 2550478 | VXLAN interface as in-interface or out-interface in an ACL is not supported in Spectrum-based switches. | 3.7.7-4.2.0 | 4.2.1-4.4.5, 4.3.0-4.4.5 |
| 2550323 | After a neighbor is removed, the redistributed neighbor entry is withdrawn from the BGP table, but the prefix might still be selected as the bestpath when the host’s originated prefix is not advertised. To work around this issue, recreate the neighbor entry and flap the interface to the host. Or, if the host is already down, manually create a neighbor entry with an invalid MAC address, which forces redistribute neighbor to re-withdraw the entry. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2548475 | After you add a new VNI and a layer 3 SVI to a set of leafs, certain leafs might not be able to communicate on the layer 3 VNI. To work around this issue, reboot the leaf switch or restart switchd. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2548382 | The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548243 | On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2548190 | A security scanner may detect a version of wpa or hostapd that is not listed as having been fixed for CVE-2019-13377 and/or CVE-2019-16275. Cumulus Linux since 3.7.9 and 4.0.0 has a customized version of wpa and hostapd which includes the fixes for these vulnerabilities. | 3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2547769 | syslog might report a high load average with the CPU running a later microcode revision. | 3.7.4-3.7.12 | 3.7.13-3.7.16 |
| 2547663 | When traffic from a double tag interface (facing a different site) is forwarded through VXLAN, the inner tag is not removed. The destination does not know this tag, so it discards it. | 3.7.8-4.0.1 | 4.1.0-4.4.5 |
| 2547012 | On the Mellanox Spectrum switch, switchd can sometimes fail when PBR rules are installed or removed from hardware if the rule is setting a next hop learned via a routing protocol. | 3.7.7-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546998 | When you configure Cumulus Linux with a /32 address on a switch port with a configured peer address (for example, to connect to a device using IP unnumbered), the switch sends GARPs for the peer address. | 3.7.5-3.7.11 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546868 | Broadcom Field Alert - SID - MMU 2B Errors A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546702 | The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load. To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546385 | SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | |
| 2545693 | On rare occasions, after rebooting the MLAG secondary switch, one MLAG device might see the peer as down, which can cause traffic disruption to connected hosts. | 3.7.7-3.7.10 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545599 | IPv6 table rules might affect forwarding. For example, if you create the following rule in the /etc/cumulus/acl/policy.d/03-sshd.rules file, the rule counter increments but IPv4 SSH traffic might be dropped.
| 3.7.2-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545405 | The ospfd daemon might crash with the following kernel trace:
| 3.7.6-3.7.10 | 3.7.11-3.7.16 |
| 2545235 | On the Edgecore AS6812 switch, you might see rare I2C errors. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545132 | On the Mellanox switch, ACL lookups are performed for VLAN matches when no rules with UNTAGGED match are present. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545027 | In the default VRF, VRRP might crash and stay in an initialize state. As a result, VRRP multicast traffic is not generated. | 3.7.8-3.7.10 | 3.7.11-3.7.16 |
| 2544937 | The neighmgrd service does not ignore neighbors on reserved devices (lo and management devices). This issue is not seen when management VRF is enabled. | 3.7.8-3.7.11 | 3.7.12-3.7.16 |
| 2544846 | You might experience a bgpd memory usage increase and significant update exchanges due to host moves between VTEPs. | 3.7.7-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544829 | Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | |
| 2544723 | Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2544609 | BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2544559 | When you install a large number of new rules with nonatomic mode enabled, there is a chance that you install more rules than the number of available slots in the slice, which results in the slice being completely wiped and reinstalled. This causes a large drop increase, including to cpu0, and might cause a major outage by dropping all BGP sessions. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2544401 | Package: openssl CVE ID: CVE-2019-1547 CVE-2019-1549 CVE-2019-1563 Three security issues were discovered in OpenSSL: A timing attack against ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() and it was discovered that a feature of the random number generator (RNG) intended to protect against shared RNG state between parent and child processes in the event of a fork() syscall was not used by default. Fixed version: 1.1.1d-0+deb10u1 We recommend that you upgrade your openssl packages. For the detailed security status of openssl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544385 | The QCT QuantaMesh BMS T7032-IX7 switch may report “failed to request GPIO pin” errors during the boot up. | 3.7.5-3.7.10 | 3.7.11-3.7.16 |
| 2544324 | Package: hostapd CVE ID: CVE-2019-13377 CVE-2019-16275 Two vulnerabilities were found in the WPA protocol implementation found in wpa_supplication (station) and hostapd (access point). CVE-2019-13377 A timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password. CVE-2019-16275 Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network. Fixed version: 1:2.8.0-cl4u3 | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544311 | Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544212 | Cumulus Linux poed generates excessive debug log entries. These will be reduced in a future release. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544155 | NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544012 | After you remove a subinterface, the BGP session stays in a Connect state. | 3.7.8-3.7.11 | 3.7.12-3.7.16 |
| 2543937 | An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2543900 | On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543875 | On the Mellanox Spectrum switch, a route withdrawal might cause the associated next hop neighbor entry to be deleted in hardware but remain in the kernel. This can cause traffic going through the directly connected route to the removed neighbor entry to be forwarded to the CPU. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2543841 | The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
| 2543840 | On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file. | 3.7.6-3.7.16 | |
| 2543835 | The following CVEs were announced that affect the ghostscript package: CVE ID : CVE-2019-14811 CVE-2019-14812 CVE-2019-14813 CVE-2019-14817 It was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | 3.7.0-3.7.10 | 3.7.11-3.7.16 |
| 2543816 | On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages. | 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
| 2543800 | When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2543781 | NCLU does not allow you to configure OSPF NSSAs. For example:
To work around this issue, use FRR instead. For example:
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2543727 | ACL rules, such as the following, fail to install if you use swp+ (interfaces mentioned as wildcards).
You can now install such rules with swp+. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2543724 | If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error:
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2543689 | On the Mellanox switch, UFT profiles are unable to support the documented capacity for routes to addresses that are more than 64 bits in length. The listed capacities assume 64-bit destination IP addresses. | 3.7.8-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2543667 | On the EdgeCore AS4610 switch, the ping command fails unless you run the command with sudo.To work around this issue, run the following commands:
Run the following command to verify the workaround:
You should see the following output:
| 3.7.6-3.7.10, 4.1.0-4.1.1 | 3.7.11-3.7.16, 4.2.0-4.4.5 |
| 2543665 | clagd memory consumption increases under certain unknown conditions. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2543648 | You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:
| 3.7.6-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2543647 | ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
| 3.7.6-4.2.1 | 4.3.0-4.4.5 |
| 2543646 | In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543627 | Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543546 | {watchfrr calls sudo /usr/sbin/service frr restart bgpd but restarts all FRR daemons which can cause a large outage. This occurs because watchfrr uses an old style service command, which causes all daemons to restart when a daemon fails. | 3.7.7-3.7.8 | 3.7.9-3.7.16 |
| 2543473 | Configuring an inbound route map to manually change the next hop IP address received from an eBGP peer locally causes the next hop to not be updated when advertising this route out to other eBGP peers. To work around this issue, set a “dummy” route map outbound to the eBGP peer or configure the route map to manually set the next hop outbound from the originating eBGP peer. | 3.7.6-3.7.10 | 3.7.11-3.7.16 |
| 2543472 | On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly. To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches. | 3.7.7-4.0.1 | 4.1.0-4.4.5 |
| 2543469 | When using the UFT lpm-equal profile, IPv6 routes are limited to 16K. | 3.7.8 | 3.7.9-3.7.16 |
| 2543389 | Dynamic route-leaking works as expected until FRR is restarted or the switch is rebooted. After the restart or reboot, the import RT under the VRF where routes are being imported is incorrect. | 3.7.7-3.7.8 | 3.7.9-3.7.16 |
| 2543374 | After a remote VTEP peer link goes down, the tunnel destination IP address might be incorrect in hardware, which might cause loss of overlay communication between VTEPs. | 3.7.8-3.7.16 | 4.0.0-4.4.5 |
| 2543325 | Lenovo switches do not send or receive LLDP on eth0 interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543270 | The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2543164 | The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2543113 | NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful. To work around this issue, remove the stanza using vtysh. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2543096 | When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543058 | The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces. To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543052 | Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as “inactive” in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR. To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:
You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2543044 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2543004 | Cumulus Linux installer images have a shell script that validates checksum integrity. When you run onie-install, this check is run but the installer is still staged even if the checksum validation fails.To work around this issue, perform your own checksum validation before staging a new image with onie-install. | 3.7.7-3.7.8 | 3.7.9-3.7.16 |
| 2542985 | On a Tomahawk switch, the 5m 40G DACs (40G CR4) do not come up when both sides have auto-negotiation enabled. | 3.7.7-3.7.8 | 3.7.9-3.7.16 |
| 2542979 | On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5 |
| 2542958 | When transitioning from a down state to an up state due to peerlink failure and recovery, MLAG does not start the initDelay timer before trying to bring everything back up. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2542945 | On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
| 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542938 | When MLAG is re-establishing its peering after a member reboot, the VNIs on the peer briefly go into a protodown state. This can cause complete downtime to dually connected hosts as the member coming back up is still in initDelay. This issue does resolve itself as the VNIs do come back up within ten seconds. | 3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2542913 | IF-MIB::ifHCInOctets reports significantly lower values than reported by interface counters seen elsewhere. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2542871 | After you issue the NCLU net del bgp vrf command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2542853 | For interfaces configured with RS FEC, when switchd is restarted, the link goes down but does not automatically come back up. This occurs because the FEC status is not replayed correctly into the kernel.To work around this issue, run the ifreload -a command to bring up the interface after switchd is restarted. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542837 | On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16 |
| 2542835 | snmpd fails because NCLU does not remove agentaddress @vrf lines when running the net add snmp-server listening-address all command. | 3.7.4-3.7.16 | 4.0.0-4.4.5 |
| 2542823 | On the Broadcom Trident 3 switch, VXLAN encapsulated packets are dropped on the ingress port (tagged layer 2 port) during transit forwarding (the local switch does not terminate the VXLAN tunnel). An example of where this two-layer VXLAN inside VXLAN encapsulation might occur: - VXLAN tunnel (#1) between two servers (different racks) to provide layer 2 extension for containers or VM hosts. - VXLAN tunnel (#2) between the TOR switch in rack 1 to the TOR switch located in the remote rack. To work around this issue, either: - Configure the edge port (facing the servers) to be an access port (instead of a trunk/tagged port) - Change the destination port from 4789 to something else (VXLAN tunnel terminated by the servers) | 3.7.5-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2542819 | On the Trident3 platform, you can only add 50 percent of the total ECMP next hops. A log message indicates that the table is full. | 3.7.7-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2542774 | When moving an IP address from the address line to inet dhcp, then issuing the ifreload -a command, the old address is not removed from the interface. NCLU still reports the old address only and reports it as a DHCP address. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542767 | If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.To work around this issue, power cycle the switch. | 3.7.6-4.0.1 | 4.1.0-4.4.5 |
| 2542765 | When you configure the switch to send an EAP request with the net add dot1x send-eap-request-id command, the switch ignores re-authentication attempts and does not send back an EAPol. | 3.7.6-3.7.10 | 3.7.11-3.7.16 |
| 2542726 | After configuring switchd hal.bcm.per_vlan_router_mac_lookup to TRUE on a Broadcom switch, layer 2 traffic works over VXLAN but the host is not able to ping the locally connected gateway and loses routing ability to other IPs and subnets. | 3.7.5-3.7.8 | 3.7.9-3.7.16 |
| 2542711 | BGP update packets are sometimes missing the mandatory nexthop attribute, which causes connections to reset. For example, this issue is seen when using VRF route leaking with a mix of BGP unnumbered and BGP numbered peers. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542509 | In EVPN symmetric or centralized configurations with BGP peering over a peer link, VXLAN routed packets transiting an MLAG peer are dropped until the clagd init-delay timer expires during the bring-up sequence following a reboot.The problem is caused by a race condition when programming the anycast IP address (used to terminate VXLAN tunnels), where the hardware is programmed before the software by clagd.To work around this issue, configure the BGP path across the peer link to be less preferred. The example below uses AS path prepending and the MLAG switches are iBGP neighbors. However, other BGP configurations achieve the same result. In the /etc/frr/frr.conf file, make a new AS path access list and route map to apply BGP pre-pending of the local ASN one or more times. For example:
| 3.7.6-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2542480 | When BGP remove-private-AS replace-AS is configured under the BGP IPv4 or IPv6 address family between a pair of switches configured as BGP peers, a BGP route update might cause the BGP session to flap.To work around this issue, do not configure remove-private-AS replace-AS in the BGP IPv4 or IPv6 address family. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542384 | When you define a trap destination using @mgmt, snmpd indicates that the network is unreachable even though the IP address is reachable in the management VRF.To work around this issue, remove @mgmt vrf references in the /etc/snmp/snmpd.conf file, stop snmpd, then start snmpd manually in the management VRF with the systemctl start snmpd@mgmt command. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2542365 | The snmpd service frequently crashes due to double free or corruption. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542341 | The IP neighbor entry for a link-local next hop (169.254.x.x) is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces. To work around this issue, flap the peering to the peer router (which can be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.8 | 3.7.9-3.7.16 |
| 2542336 | On the Mellanox SN2410 switch, switchd does not start. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2542310 | hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6. | 3.7.6-3.7.16 | |
| 2542305 | If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542301 | When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2542297 | When you run the NCLU net del all command, the exec-timeout setting changes in the /etc/frr.frr.conf file. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542248 | When you generate a cl-support file, clagd.service prints log messages similar to the following:
| 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2542193 | When you configure the link-down yes attribute to a physical SVI, the VRR (-v0) interface is not brought down, and the locally-connected subnet can still be redistributed into routing protocols and advertised to neighbors despite the physical SVI being administratively down.To work around this issue, manually bring down the VRR (-v0) interface with the ip link set dev command. For example:
| 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542160 | The following CVEs were announced in Debian Security Advisory DSA-4465-1 and affect the linux kernel. ——————————————————————————————- Debian Security Advisory DSA-4465-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 17, 2019 https://www.debian.org/security/faq ——————————————————————————————- Package: linux CVE ID: CVE-2019-3846 CVE-2019-5489 CVE-2019-9500 CVE-2019-9503 CVE-2019-10126 CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 CVE-2019-11486 CVE-2019-11599 CVE-2019-11815 CVE-2019-11833 CVE-2019-11884 Debian Bug: 928989 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2019-3846, CVE-2019-10126 huangwen reported multiple buffer overflows in the Marvell wifi (mwifiex) driver, which a local user could use to cause denial of service or the execution of arbitrary code. CVE-2019-5489 Daniel Gruss, Erik Kraft, Trishita Tiwari, Michael Schwarz, Ari Trachtenberg, Jason Hennessey, Alex Ionescu, and Anders Fogh discovered that local users could use the mincore() system call to obtain sensitive information from other processes that access the same memory-mapped file. CVE-2019-9500, CVE-2019-9503 Hugues Anguelkov discovered a buffer overflow and missing access validation in the Broadcom FullMAC wifi driver (brcmfmac), which a attacker on the same wifi network could use to cause denial of service or the execution of arbitrary code. CVE-2019-11477 Jonathan Looney reported that a specially crafted sequence of TCP selective acknowledgements (SACKs) allows a remotely triggerable kernel panic. CVE-2019-11478 Jonathan Looney reported that a specially crafted sequence of TCP selective acknowledgements (SACKs) will fragment the TCP retransmission queue, allowing an attacker to cause excessive resource usage. CVE-2019-11479 Jonathan Looney reported that an attacker could force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data, drastically increasing the bandwidth required to deliver the same amount of data. This update introduces a new sysctl value to control the minimal MSS (net.ipv4.tcp_min_snd_mss), which by default uses the formerly hard-coded value of 48. We recommend raising this to 536 unless you know that your network requires a lower value. CVE-2019-11486 Jann Horn of Google reported numerous race conditions in the Siemens R3964 line discipline. A local user could use these to cause unspecified security impact. This module has therefore been disabled. CVE-2019-11599 Jann Horn of Google reported a race condition in the core dump implementation which could lead to a use-after-free. A local user could use this to read sensitive information, to cause a denial of service (memory corruption), or for privilege escalation. CVE-2019-11815 It was discovered that a use-after-free in the Reliable Datagram Sockets protocol could result in denial of service and potentially privilege escalation. This protocol module (rds) is not auto-loaded on Debian systems, so this issue only affects systems where it is explicitly loaded. CVE-2019-11833 It was discovered that the ext4 filesystem implementation writes uninitialised data from kernel memory to new extent blocks. A local user able to write to an ext4 filesystem and then read the filesystem image, for example using a removable drive, might be able to use this to obtain sensitive information. CVE-2019-11884 It was discovered that the Bluetooth HIDP implementation did not ensure that new connection names were null-terminated. A local user with CAP_NET_ADMIN capability might be able to use this to obtain sensitive information from the kernel stack. For the stable distribution (stretch), these problems have been fixed in version 4.9.168-1+deb9u3. We recommend that you upgrade your linux packages. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542058 | The ifquery command should return a non-zero value if there is a syntax error. However, it currently returns zero. This issue affects automation scripts that validate a file before copying it into place. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542031 | If you configure a sys-mac with a single digit, ifreload -a does not indicate that the MAC address is invalid for the MLAG sys-mac and the clagd process fails silently. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2541924 | If the address-virtual MAC address is missing a leading zero in the last octet, the interface bounces. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2541604 | The snmpd service exits with a message similar to the following:
This problem might occur during or after network convergence events. For example, when bgpd needs to process a high number of updates and the CPU cannot keep up, bgpd is disconnected and agentx generates a core dump in snmpd due to a memory allocation problem.To work around this issue, disable agentx by commenting out the following lines in the /etc/snmp/snmpd.conf file. Then, restart the snmpd service with the systemctl restart snmpd command.
If you still want to poll the BGP4-MIB information, re-enable the bgp pass persist script by adding the following line in the /etc/snmp/snmpd.conf file:
| 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2541212 | The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2541165 | On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false. | 3.7.6-3.7.16 | |
| 2541029 | On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2541003 | NCLU is unable to delete a BGP neighbor configuration if there is a VRF VNI mapping in the /etc/frr/frr.conf file. For example, the following NCLU command produces an error:
| 3.7.7-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2540950 | On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status. | 3.7.3-4.1.1 | 4.2.0-4.4.5 |
| 2540885 | The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports. | 3.7.7-3.7.16 | |
| 2540863 | On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number. | 3.7.3-3.7.16 | |
| 2540753 | If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
| 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540684 | On a Dell S5248F (Trident3) switch, packets from switch ports are forwarded to the CPU and are sometimes corrupted. The corruption might result in BGP peerings being down, which can lead to all VXLAN traffic to and from a node to be lost, causing an outage to dually connected hosts in a rack. To work around this issue, restart switchd. | 3.7.3-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2540600 | If the clagd-vxlan-anycast-ip is removed from the /etc/network/interfaces file (either with the NCLU command or by editing the file manually), MLAG still believes it is present until clagd restarts. | 3.7.3-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2540444 | SNMP incorrectly requires engine ID specification. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540359 | bgpd creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2540352 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2540340 | NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540274 | On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540204 | When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540192 | The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540155 | On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540042 | When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540041 | On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540040 | Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540031 | NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2539994 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539670 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539124 | The net add interface command adds no ptm-enable for that interface in the frr.conf file.Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2538875 | IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file. | 3.7.2-3.7.16 | |
| 2538790 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538741 | The NCLU command net show bridge spanning-tree does not show the MLAG peer link as part of the STP forwarding instance.To work around this issue, use the mstpctl command to confirm the STP status of the port. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2538590 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538562 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538480 | Modifying the /etc/netd.conf file to set show_linux_command = True does not take effect. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538256 | On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets. | 3.7.2-4.0.1 | 4.1.0-4.4.5 |
| 2538022 | When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically. To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2537819 | When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537536 | When FRR restarts, snmp[err] dev/kmem: Permission denied error messages are recorded in the log file and SNMPd might crash periodically. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537188 | When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network. | 3.7.2-3.7.16 | |
| 2537153 | In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2536650 | Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters). While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2536639 | On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.To work around this issue: * If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000). * If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2536616 | CVE-2018-5391 (FragmentSmack) is a network vulnerability where an attacker can trigger time and calculation expensive fragment reassembly with specially crafted packets, leading to a denial of service. On a Cumulus Linux switch, the impact is limited to control plane and management plane traffic. Any control plane traffic coming in the front panel ports will be limited by existing policer ACLs. To work around this issue, create a file called /etc/sysctl.d/ip.conf and add these settings:
| 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536559 | When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error:
Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | 3.7.11-3.7.16 |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536230 | On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is no longer set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535209 | The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2534450 | The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2528990 | During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | 3.7.11-3.7.16 |
Fixed Issues in 3.7.8
| Issue ID | Description | Affects |
|---|---|---|
| 2543061 | When you run the hostnamectl status command or start the systemd-hostnamed process, you see constant unregister_netdevice kernel messages in syslog and on the console. This causes syslog to become filled with these messages and makes troubleshooting difficult. | 3.7.7 |
3.7.7 Release Notes
Open Issues in 3.7.7
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2553887 | When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2552739 | Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | |
| 2552528 | Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-4.2.1 | 4.3.0-4.4.5 |
| 2552352 | The following security vulnerabilities have been announced in the nss / libnss3 packages: CVE-2020-6829: Side channel attack on ECDSA signature generation CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function CVE-2020-12401: ECDSA timing attack mitigation bypass Vulnerable: <= 3.26-1+debu8u11 Fixed: 3.26-1+debu8u12 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552351 | The following vulnerability has been announced in the libx11 packages: CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method. Vulnerable: <= 1.6.2-3+deb8u2 Fixed: 1.6.2-3+deb8u3 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2551675 | When you restart clagd, the edge port setting on the peer link changes. | 3.7.2-4.2.0 | 4.2.1-4.4.5 |
| 2551288 | When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2550478 | VXLAN interface as in-interface or out-interface in an ACL is not supported in Spectrum-based switches. | 3.7.7-4.2.0 | 4.2.1-4.4.5, 4.3.0-4.4.5 |
| 2550323 | After a neighbor is removed, the redistributed neighbor entry is withdrawn from the BGP table, but the prefix might still be selected as the bestpath when the host’s originated prefix is not advertised. To work around this issue, recreate the neighbor entry and flap the interface to the host. Or, if the host is already down, manually create a neighbor entry with an invalid MAC address, which forces redistribute neighbor to re-withdraw the entry. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2548475 | After you add a new VNI and a layer 3 SVI to a set of leafs, certain leafs might not be able to communicate on the layer 3 VNI. To work around this issue, reboot the leaf switch or restart switchd. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2548382 | The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548243 | On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2547769 | syslog might report a high load average with the CPU running a later microcode revision. | 3.7.4-3.7.12 | 3.7.13-3.7.16 |
| 2547012 | On the Mellanox Spectrum switch, switchd can sometimes fail when PBR rules are installed or removed from hardware if the rule is setting a next hop learned via a routing protocol. | 3.7.7-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546998 | When you configure Cumulus Linux with a /32 address on a switch port with a configured peer address (for example, to connect to a device using IP unnumbered), the switch sends GARPs for the peer address. | 3.7.5-3.7.11 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546868 | Broadcom Field Alert - SID - MMU 2B Errors A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546702 | The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load. To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546385 | SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | |
| 2545693 | On rare occasions, after rebooting the MLAG secondary switch, one MLAG device might see the peer as down, which can cause traffic disruption to connected hosts. | 3.7.7-3.7.10 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545599 | IPv6 table rules might affect forwarding. For example, if you create the following rule in the /etc/cumulus/acl/policy.d/03-sshd.rules file, the rule counter increments but IPv4 SSH traffic might be dropped.
| 3.7.2-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545405 | The ospfd daemon might crash with the following kernel trace:
| 3.7.6-3.7.10 | 3.7.11-3.7.16 |
| 2545235 | On the Edgecore AS6812 switch, you might see rare I2C errors. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545132 | On the Mellanox switch, ACL lookups are performed for VLAN matches when no rules with UNTAGGED match are present. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544846 | You might experience a bgpd memory usage increase and significant update exchanges due to host moves between VTEPs. | 3.7.7-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544723 | Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2544609 | BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2544401 | Package: openssl CVE ID: CVE-2019-1547 CVE-2019-1549 CVE-2019-1563 Three security issues were discovered in OpenSSL: A timing attack against ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() and it was discovered that a feature of the random number generator (RNG) intended to protect against shared RNG state between parent and child processes in the event of a fork() syscall was not used by default. Fixed version: 1.1.1d-0+deb10u1 We recommend that you upgrade your openssl packages. For the detailed security status of openssl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544385 | The QCT QuantaMesh BMS T7032-IX7 switch may report “failed to request GPIO pin” errors during the boot up. | 3.7.5-3.7.10 | 3.7.11-3.7.16 |
| 2544324 | Package: hostapd CVE ID: CVE-2019-13377 CVE-2019-16275 Two vulnerabilities were found in the WPA protocol implementation found in wpa_supplication (station) and hostapd (access point). CVE-2019-13377 A timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password. CVE-2019-16275 Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network. Fixed version: 1:2.8.0-cl4u3 | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544311 | Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544212 | Cumulus Linux poed generates excessive debug log entries. These will be reduced in a future release. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544155 | NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2543875 | On the Mellanox Spectrum switch, a route withdrawal might cause the associated next hop neighbor entry to be deleted in hardware but remain in the kernel. This can cause traffic going through the directly connected route to the removed neighbor entry to be forwarded to the CPU. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2543840 | On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file. | 3.7.6-3.7.16 | |
| 2543835 | The following CVEs were announced that affect the ghostscript package: CVE ID : CVE-2019-14811 CVE-2019-14812 CVE-2019-14813 CVE-2019-14817 It was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | 3.7.0-3.7.10 | 3.7.11-3.7.16 |
| 2543816 | On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages. | 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
| 2543781 | NCLU does not allow you to configure OSPF NSSAs. For example:
To work around this issue, use FRR instead. For example:
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2543727 | ACL rules, such as the following, fail to install if you use swp+ (interfaces mentioned as wildcards).
You can now install such rules with swp+. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2543724 | If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error:
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2543667 | On the EdgeCore AS4610 switch, the ping command fails unless you run the command with sudo.To work around this issue, run the following commands:
Run the following command to verify the workaround:
You should see the following output:
| 3.7.6-3.7.10, 4.1.0-4.1.1 | 3.7.11-3.7.16, 4.2.0-4.4.5 |
| 2543648 | You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:
| 3.7.6-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2543647 | ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
| 3.7.6-4.2.1 | 4.3.0-4.4.5 |
| 2543646 | In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543627 | Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543546 | {watchfrr calls sudo /usr/sbin/service frr restart bgpd but restarts all FRR daemons which can cause a large outage. This occurs because watchfrr uses an old style service command, which causes all daemons to restart when a daemon fails. | 3.7.7-3.7.8 | 3.7.9-3.7.16 |
| 2543473 | Configuring an inbound route map to manually change the next hop IP address received from an eBGP peer locally causes the next hop to not be updated when advertising this route out to other eBGP peers. To work around this issue, set a “dummy” route map outbound to the eBGP peer or configure the route map to manually set the next hop outbound from the originating eBGP peer. | 3.7.6-3.7.10 | 3.7.11-3.7.16 |
| 2543472 | On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly. To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches. | 3.7.7-4.0.1 | 4.1.0-4.4.5 |
| 2543389 | Dynamic route-leaking works as expected until FRR is restarted or the switch is rebooted. After the restart or reboot, the import RT under the VRF where routes are being imported is incorrect. | 3.7.7-3.7.8 | 3.7.9-3.7.16 |
| 2543325 | Lenovo switches do not send or receive LLDP on eth0 interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2543164 | The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | |
| 2543113 | NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful. To work around this issue, remove the stanza using vtysh. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2543096 | When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543061 | When you run the hostnamectl status command or start the systemd-hostnamed process, you see constant unregister_netdevice kernel messages in syslog and on the console. This causes syslog to become filled with these messages and makes troubleshooting difficult. | 3.7.7 | 3.7.8-3.7.16 |
| 2543058 | The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces. To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2543052 | Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as “inactive” in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR. To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:
You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2543044 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2543004 | Cumulus Linux installer images have a shell script that validates checksum integrity. When you run onie-install, this check is run but the installer is still staged even if the checksum validation fails.To work around this issue, perform your own checksum validation before staging a new image with onie-install. | 3.7.7-3.7.8 | 3.7.9-3.7.16 |
| 2542985 | On a Tomahawk switch, the 5m 40G DACs (40G CR4) do not come up when both sides have auto-negotiation enabled. | 3.7.7-3.7.8 | 3.7.9-3.7.16 |
| 2542979 | On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5 |
| 2542958 | When transitioning from a down state to an up state due to peerlink failure and recovery, MLAG does not start the initDelay timer before trying to bring everything back up. | 3.7.7-3.7.16 | 4.0.0-4.4.5 |
| 2542945 | On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
| 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542913 | IF-MIB::ifHCInOctets reports significantly lower values than reported by interface counters seen elsewhere. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2542871 | After you issue the NCLU net del bgp vrf command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2542853 | For interfaces configured with RS FEC, when switchd is restarted, the link goes down but does not automatically come back up. This occurs because the FEC status is not replayed correctly into the kernel.To work around this issue, run the ifreload -a command to bring up the interface after switchd is restarted. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542837 | On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16 |
| 2542835 | snmpd fails because NCLU does not remove agentaddress @vrf lines when running the net add snmp-server listening-address all command. | 3.7.4-3.7.16 | 4.0.0-4.4.5 |
| 2542823 | On the Broadcom Trident 3 switch, VXLAN encapsulated packets are dropped on the ingress port (tagged layer 2 port) during transit forwarding (the local switch does not terminate the VXLAN tunnel). An example of where this two-layer VXLAN inside VXLAN encapsulation might occur: - VXLAN tunnel (#1) between two servers (different racks) to provide layer 2 extension for containers or VM hosts. - VXLAN tunnel (#2) between the TOR switch in rack 1 to the TOR switch located in the remote rack. To work around this issue, either: - Configure the edge port (facing the servers) to be an access port (instead of a trunk/tagged port) - Change the destination port from 4789 to something else (VXLAN tunnel terminated by the servers) | 3.7.5-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2542819 | On the Trident3 platform, you can only add 50 percent of the total ECMP next hops. A log message indicates that the table is full. | 3.7.7-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2542774 | When moving an IP address from the address line to inet dhcp, then issuing the ifreload -a command, the old address is not removed from the interface. NCLU still reports the old address only and reports it as a DHCP address. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542767 | If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.To work around this issue, power cycle the switch. | 3.7.6-4.0.1 | 4.1.0-4.4.5 |
| 2542765 | When you configure the switch to send an EAP request with the net add dot1x send-eap-request-id command, the switch ignores re-authentication attempts and does not send back an EAPol. | 3.7.6-3.7.10 | 3.7.11-3.7.16 |
| 2542726 | After configuring switchd hal.bcm.per_vlan_router_mac_lookup to TRUE on a Broadcom switch, layer 2 traffic works over VXLAN but the host is not able to ping the locally connected gateway and loses routing ability to other IPs and subnets. | 3.7.5-3.7.8 | 3.7.9-3.7.16 |
| 2542711 | BGP update packets are sometimes missing the mandatory nexthop attribute, which causes connections to reset. For example, this issue is seen when using VRF route leaking with a mix of BGP unnumbered and BGP numbered peers. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542509 | In EVPN symmetric or centralized configurations with BGP peering over a peer link, VXLAN routed packets transiting an MLAG peer are dropped until the clagd init-delay timer expires during the bring-up sequence following a reboot.The problem is caused by a race condition when programming the anycast IP address (used to terminate VXLAN tunnels), where the hardware is programmed before the software by clagd.To work around this issue, configure the BGP path across the peer link to be less preferred. The example below uses AS path prepending and the MLAG switches are iBGP neighbors. However, other BGP configurations achieve the same result. In the /etc/frr/frr.conf file, make a new AS path access list and route map to apply BGP pre-pending of the local ASN one or more times. For example:
| 3.7.6-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2542480 | When BGP remove-private-AS replace-AS is configured under the BGP IPv4 or IPv6 address family between a pair of switches configured as BGP peers, a BGP route update might cause the BGP session to flap.To work around this issue, do not configure remove-private-AS replace-AS in the BGP IPv4 or IPv6 address family. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542384 | When you define a trap destination using @mgmt, snmpd indicates that the network is unreachable even though the IP address is reachable in the management VRF.To work around this issue, remove @mgmt vrf references in the /etc/snmp/snmpd.conf file, stop snmpd, then start snmpd manually in the management VRF with the systemctl start snmpd@mgmt command. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2542365 | The snmpd service frequently crashes due to double free or corruption. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542341 | The IP neighbor entry for a link-local next hop (169.254.x.x) is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces. To work around this issue, flap the peering to the peer router (which can be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.8 | 3.7.9-3.7.16 |
| 2542336 | On the Mellanox SN2410 switch, switchd does not start. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2542310 | hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6. | 3.7.6-3.7.16 | |
| 2542305 | If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542301 | When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2542297 | When you run the NCLU net del all command, the exec-timeout setting changes in the /etc/frr.frr.conf file. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542248 | When you generate a cl-support file, clagd.service prints log messages similar to the following:
| 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2542193 | When you configure the link-down yes attribute to a physical SVI, the VRR (-v0) interface is not brought down, and the locally-connected subnet can still be redistributed into routing protocols and advertised to neighbors despite the physical SVI being administratively down.To work around this issue, manually bring down the VRR (-v0) interface with the ip link set dev command. For example:
| 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542160 | The following CVEs were announced in Debian Security Advisory DSA-4465-1 and affect the linux kernel. ——————————————————————————————- Debian Security Advisory DSA-4465-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 17, 2019 https://www.debian.org/security/faq ——————————————————————————————- Package: linux CVE ID: CVE-2019-3846 CVE-2019-5489 CVE-2019-9500 CVE-2019-9503 CVE-2019-10126 CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 CVE-2019-11486 CVE-2019-11599 CVE-2019-11815 CVE-2019-11833 CVE-2019-11884 Debian Bug: 928989 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2019-3846, CVE-2019-10126 huangwen reported multiple buffer overflows in the Marvell wifi (mwifiex) driver, which a local user could use to cause denial of service or the execution of arbitrary code. CVE-2019-5489 Daniel Gruss, Erik Kraft, Trishita Tiwari, Michael Schwarz, Ari Trachtenberg, Jason Hennessey, Alex Ionescu, and Anders Fogh discovered that local users could use the mincore() system call to obtain sensitive information from other processes that access the same memory-mapped file. CVE-2019-9500, CVE-2019-9503 Hugues Anguelkov discovered a buffer overflow and missing access validation in the Broadcom FullMAC wifi driver (brcmfmac), which a attacker on the same wifi network could use to cause denial of service or the execution of arbitrary code. CVE-2019-11477 Jonathan Looney reported that a specially crafted sequence of TCP selective acknowledgements (SACKs) allows a remotely triggerable kernel panic. CVE-2019-11478 Jonathan Looney reported that a specially crafted sequence of TCP selective acknowledgements (SACKs) will fragment the TCP retransmission queue, allowing an attacker to cause excessive resource usage. CVE-2019-11479 Jonathan Looney reported that an attacker could force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data, drastically increasing the bandwidth required to deliver the same amount of data. This update introduces a new sysctl value to control the minimal MSS (net.ipv4.tcp_min_snd_mss), which by default uses the formerly hard-coded value of 48. We recommend raising this to 536 unless you know that your network requires a lower value. CVE-2019-11486 Jann Horn of Google reported numerous race conditions in the Siemens R3964 line discipline. A local user could use these to cause unspecified security impact. This module has therefore been disabled. CVE-2019-11599 Jann Horn of Google reported a race condition in the core dump implementation which could lead to a use-after-free. A local user could use this to read sensitive information, to cause a denial of service (memory corruption), or for privilege escalation. CVE-2019-11815 It was discovered that a use-after-free in the Reliable Datagram Sockets protocol could result in denial of service and potentially privilege escalation. This protocol module (rds) is not auto-loaded on Debian systems, so this issue only affects systems where it is explicitly loaded. CVE-2019-11833 It was discovered that the ext4 filesystem implementation writes uninitialised data from kernel memory to new extent blocks. A local user able to write to an ext4 filesystem and then read the filesystem image, for example using a removable drive, might be able to use this to obtain sensitive information. CVE-2019-11884 It was discovered that the Bluetooth HIDP implementation did not ensure that new connection names were null-terminated. A local user with CAP_NET_ADMIN capability might be able to use this to obtain sensitive information from the kernel stack. For the stable distribution (stretch), these problems have been fixed in version 4.9.168-1+deb9u3. We recommend that you upgrade your linux packages. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542058 | The ifquery command should return a non-zero value if there is a syntax error. However, it currently returns zero. This issue affects automation scripts that validate a file before copying it into place. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542031 | If you configure a sys-mac with a single digit, ifreload -a does not indicate that the MAC address is invalid for the MLAG sys-mac and the clagd process fails silently. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2541924 | If the address-virtual MAC address is missing a leading zero in the last octet, the interface bounces. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2541604 | The snmpd service exits with a message similar to the following:
This problem might occur during or after network convergence events. For example, when bgpd needs to process a high number of updates and the CPU cannot keep up, bgpd is disconnected and agentx generates a core dump in snmpd due to a memory allocation problem.To work around this issue, disable agentx by commenting out the following lines in the /etc/snmp/snmpd.conf file. Then, restart the snmpd service with the systemctl restart snmpd command.
If you still want to poll the BGP4-MIB information, re-enable the bgp pass persist script by adding the following line in the /etc/snmp/snmpd.conf file:
| 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2541212 | The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2541165 | On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false. | 3.7.6-3.7.16 | |
| 2541029 | On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2541003 | NCLU is unable to delete a BGP neighbor configuration if there is a VRF VNI mapping in the /etc/frr/frr.conf file. For example, the following NCLU command produces an error:
| 3.7.7-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2540950 | On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status. | 3.7.3-4.1.1 | 4.2.0-4.4.5 |
| 2540885 | The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports. | 3.7.7-3.7.16 | |
| 2540863 | On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number. | 3.7.3-3.7.16 | |
| 2540753 | If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
| 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540684 | On a Dell S5248F (Trident3) switch, packets from switch ports are forwarded to the CPU and are sometimes corrupted. The corruption might result in BGP peerings being down, which can lead to all VXLAN traffic to and from a node to be lost, causing an outage to dually connected hosts in a rack. To work around this issue, restart switchd. | 3.7.3-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2540600 | If the clagd-vxlan-anycast-ip is removed from the /etc/network/interfaces file (either with the NCLU command or by editing the file manually), MLAG still believes it is present until clagd restarts. | 3.7.3-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2540444 | SNMP incorrectly requires engine ID specification. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540359 | bgpd creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2540352 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2540340 | NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540274 | On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540204 | When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540192 | The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540155 | On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540042 | When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540041 | On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540040 | Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540031 | NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2539994 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539670 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539124 | The net add interface command adds no ptm-enable for that interface in the frr.conf file.Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2538875 | IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file. | 3.7.2-3.7.16 | |
| 2538790 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538741 | The NCLU command net show bridge spanning-tree does not show the MLAG peer link as part of the STP forwarding instance.To work around this issue, use the mstpctl command to confirm the STP status of the port. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2538590 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538562 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538480 | Modifying the /etc/netd.conf file to set show_linux_command = True does not take effect. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538256 | On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets. | 3.7.2-4.0.1 | 4.1.0-4.4.5 |
| 2538022 | When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically. To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2537819 | When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537536 | When FRR restarts, snmp[err] dev/kmem: Permission denied error messages are recorded in the log file and SNMPd might crash periodically. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537188 | When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network. | 3.7.2-3.7.16 | |
| 2537153 | In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2536650 | Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters). While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2536639 | On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.To work around this issue: * If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000). * If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2536616 | CVE-2018-5391 (FragmentSmack) is a network vulnerability where an attacker can trigger time and calculation expensive fragment reassembly with specially crafted packets, leading to a denial of service. On a Cumulus Linux switch, the impact is limited to control plane and management plane traffic. Any control plane traffic coming in the front panel ports will be limited by existing policer ACLs. To work around this issue, create a file called /etc/sysctl.d/ip.conf and add these settings:
| 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536559 | When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error:
Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | 3.7.11-3.7.16 |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536230 | On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is no longer set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535209 | The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2534450 | The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2528990 | During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | 3.7.11-3.7.16 |
Fixed Issues in 3.7.7
| Issue ID | Description | Affects |
|---|---|---|
| 2552382 | The following security vulnerability has been announced in net-snmp: CVE-2020-15681: A privilege escalation vulnerability was discovered in Net-SNMP due to incorrect symlink handling. Vulnerable: <= 5.8.0-cl3u10 Fixed: 5.8.0-cl3u11, 5.8.0-cl4u4 | 3.7.6 |
| 2542338 | In a typical CLOS network, each leaf is connected to all spine nodes; VXLAN packets follow leaf-spine links. However certain failure scenarios or maintenance activity might result in the MLAG primary switch being isolated from the spine layer (the only available network path is now across the peer link). As a result, the MLAG primary switch fails to transmit VXLAN encapsulated packets out on the peer link. It is also possible for the MLAG secondary switch to be isolated from the spine layer and then the problem is seen on the MLAG secondary switch. The issue occurs because the Broadcom Trident3 switch does not perform VLAN translation for VXLAN encapsulated packets where the tunnel is not terminated. To work around this issue, configure the BGP peering on a new VLAN interface (for example, vlan4093) instead of the peer link sub-interface (peerlink.4094). | 3.7.6 |
| 2542309 | When all ports are split into 4X on the EdgeCore AS7726 switch, switchd fails to start up and a crash is seen in syslog. | 3.7.5-3.7.6 |
| 2542123 | The following CVEs were announced in Debian Security Advisory DSA-4462-1 and affect the dbus package. ———————————————————————————————- Debian Security Advisory DSA-4462-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 13, 2019 https://www.debian.org/security/faq ———————————————————————————————- Package : dbus CVE ID : CVE-2019-12749 Debian Bug : 930375 Joe Vennix discovered an authentication bypass vulnerability in dbus, an asynchronous inter-process communication system. The implementation of the DBUS_COOKIE_SHA1 authentication mechanism was susceptible to a symbolic link attack. A local attacker could take advantage of this flaw to bypass authentication and connect to a DBusServer with elevated privileges. The standard system and session dbus-daemons in their default configuration are not affected by this vulnerability. The vulnerability was addressed by upgrading dbus to a new upstream version 1.10.28 which includes additional fixes. For the stable distribution (stretch), this problem has been fixed in version 1.10.28-0+deb9u1. We recommend that you upgrade your dbus packages. For the detailed security status of dbus, refer to its security tracker page at: https://security-tracker.debian.org/tracker/dbus | |
| 2541869 | SNMP shows 0 for all swp interfaces in the ifSpeed field (bond interfaces, lo and eth0 are not affected and show a value). | 3.7.6 |
| 2541805 | The clear bgp command does not support multiple address families. For example, the following command clears IPv6 unicast and ignores IPv4 unicast:
To clear IPv4 unicast, use the clear ip bgp command. For example, the following command clears IPv4 unicast and ignores IPv6 unicast:
| |
| 2541791 | In Cumulus Linux 3.7.6 and earlier, ifupdown2 does a string comparison to see if two addresses are the same. In Cumulus Linux 3.7.7, ifupdown2 does an integer comparison. For example, in Cumulus Linux 3.7.6 and earlier, hwaddress 00:00:5e:62:f8:02 and hwaddress 00:00:5e:62:f8:2 are not considered to be equal. In Cumulus Linux 3.7.7 and later, they are considered equal since 2 implies a leading zero. | 3.7.5-3.7.6 |
| 2541761 | A TACACS privilege level 15 user mapped to tacacs15 cannot use net commands even though the user is part of the netedit and/or netshow user group. | 3.7.2-3.7.6 |
| 2541749 | In a highly-scaled environment, while BGP is undergoing initial convergence, watchfrr times out and bgpd stops responding. | 3.7.5-3.7.6 |
| 2541685 | If you have a configuration with more than 128 VRFs, BGP routes stop advertising. | 3.7.6 |
| 2541654 | On the Dell N3048EP switch, the I2C bus might lock and when you log into the console, you see the following message.bcm-iproc-i2c 1803b000.i2c: bus is busyAs a result, temperatures cannot be monitored. However, traffic is not affected (links do not go down). | 3.7.6 |
| 2541645 | Received EVPN type-5 routes are not installed into the kernel VRF routing table even though the route appears to be correct. The failure to install the default route makes the rack unreachable from the external world. | 3.7.5-3.7.6 |
| 2541505 | The vtep-ctl list-ports returns ports with the fully qualified domain name of the switch instead of the short hostname. | 3.7.6 |
| 2541494 | Under certain circumstances (when you reboot or restart the switchd service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface.To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example:
Run the net show vrf vni command to show a mapping of the layer 3 VNI to layer 3 SVI for the VRF.Note: This workaround is not guaranteed because the race condition cannot be always be avoided. | 3.7.4-3.7.6 |
| 2541382 | The following CVEs were announced in Debian Security Advisory DSA-4442-1 and affect the ghostscript package. ———————————————————————————————- Debian Security Advisory DSA-4442-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 12, 2019 https://www.debian.org/security/faq ———————————————————————————————- Package : ghostscript CVE ID : CVE-2019-3839 A vulnerability was discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of arbitrary code if a malformed Postscript file is processed (despite the - -dSAFER sandbox being enabled). For the stable distribution (stretch), this problem has been fixed in version 9.26a~dfsg-0+deb9u3. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | |
| 2541362 | If you configure bridge-learning off on a host-facing link in a VXLAN/EVPN environment and are using static FDB entries instead, when you turn bridge-learning on and delete those static entries, they are re-learned as expected in the bridge FDB table, however they are not installed into FRR and a log message is recorded in /var/log/frr/frr.log. | 3.7.5 |
| 2541294 | In an EVPN configuration, the old MAC/IP route is present in the routing table after an IP mobility event. | 3.7.5-3.7.6 |
| 2541262 | The following CVEs were announced in Debian Security Advisory DSA-4438-1 and affect the atftp package. ———————————————————————————————- Debian Security Advisory DSA-4438-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 07, 2019 https://www.debian.org/security/faq ———————————————————————————————- Package: atftp CVE ID: CVE-2019-11365 CVE-2019-11366 Debian Bug: 927553 Denis Andzakovic discovered two vulnerabilities in atftp, the advanced TFTP server which could result in denial of service by sending malformed packets. For the stable distribution (stretch), these problems have been fixed in version 0.7.git20120829-3.1~deb9u1. We recommend that you upgrade your atftp packages. For the detailed security status of atftp please refer to its security tracker page at: https://security-tracker.debian.org/tracker/atftp | |
| 2541213 | On Trident2 switches, egress double-tagged frames incorrectly use 802.1Q outer ethertype instead of 802.1AD. | 3.7.5-3.7.6 |
| 2541134 | On the Broadcom switch, TPID programming is not reset when there is a configuration change. As a result, you see unexpected packet drops. | |
| 2541107 | The poectl -j command output does not show the correct port numbering in JSON; it is off by one. | 3.7.6 |
| 2541095 | The RADIUS AAA client does the source IP address bind first, then the setsockopt VRF, which causes a failure due to a kernel check for an address mismatch with the VRF. | 3.7.4-3.7.6 |
| 2541090 | The dhcrelay service crashes when the DHCP relay packet comes back from the server. To work around this issue, remove the –nl flag from the dhcrelay service. | 3.7.3-3.7.6 |
| 2541043 | The following CVEs were announced in Debian Security Advisory DSA-4436-1 and affect the imagemagick packages. ——————————————————————————————- Debian Security Advisory DSA-4436-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 28, 2019 https://www.debian.org/security/faq —————————————————————————————— This update fixes two vulnerabilities in Imagemagick: Memory handling problems and missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed TIFF or Postscript files are processed. For the stable distribution (stretch), these problems have been fixed in version 8:6.9.7.4+dfsg-11+deb9u7. We recommend that you upgrade your imagemagick packages. For the detailed security status of imagemagick, refer to its security tracker page at: https://security-tracker.debian.org/tracker/imagemagick | |
| 2540980 | After upgrading the BIOS to 3.21.0.0-6, when you run the reboot, shutdown or init commands with certain options, the switch powers off. To determine the BIOS version of the switch, run:
| 3.7.5-3.7.6 |
| 2540895 | On the EdgeCore AS4610-54P switch, at any moment and without warning, your PoE devices might all go down as PoEd crashes and an error message might be logged. There is no functional impact after a restart. | 3.7.6 |
| 2540843 | On the Dell S3048 switch, ports with FEC disabled show as BaseR on boot up. | 3.7.3-3.7.6 |
| 2540830 | On the Dell S5248F switch, packets forwarded to the CPU are corrupted. | 3.7.3-3.7.6 |
| 2540823 | On the EdgeCore 7326-54X switch, switchd does not start on initial install because the decode-syseeprom command fails. However in ONIE, onie-syseeprom has no issues. | 3.7.5-3.7.6 |
| 2540801 | The following CVEs were announced in Debian Security Advisory DSA-4433-1 and affect the ruby2.3 package. ——————————————————————————————- Debian Security Advisory DSA-4433-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 16, 2019 https://www.debian.org/security/faq ——————————————————————————————- Package : ruby2.3 CVE ID : CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325 Several vulnerabilities have been discovered in the Rubygems included in the interpreter for the Ruby language, which may result in denial of service or the execution of arbitrary code. For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u6. We recommend that you upgrade your ruby2.3 packages. For the detailed security status of ruby2.3, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby2.3 | |
| 2540800 | The following CVEs were announced in Debian Security Advisory DSA-4432-1 and affect the ghostscript package. ——————————————————————————————- Debian Security Advisory DSA-4432-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 16, 2019 https://www.debian.org/security/faq ——————————————————————————————- Package : ghostscript CVE ID : CVE-2019-3835 CVE-2019-3838 Debian Bug : 925256 925257 Cedric Buissart discovered two vulnerabilities in Ghostscript, the GPL PostScript/PDF interpreter, which could result in bypass of file system restrictions of the dSAFER sandbox. For the stable distribution (stretch), these problems have been fixed in version 9.26a~dfsg-0+deb9u2. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | |
| 2540737 | When you commit a configuration change to a VXLAN layer 2 VNI in an MLAG configuration, the peer link on the MLAG secondary switch goes into an STP blocking state. | 3.7.2-3.7.6 |
| 2540721 | If you modify BFD timers in the /etc/frr/frr.conf file, then run the systemctl reload frr command, the neighbor connections flap. | 3.7.4-3.7.6 |
| 2540567 | The following CVEs were announced in Debian Security Advisory DSA-4428-1 and affect the systemd package. ——————————————————————————————- Debian Security Advisory DSA-4428-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 08, 2019 https://www.debian.org/security/faq ——————————————————————————————- Package : systemd CVE ID : CVE-2019-3842 Jann Horn discovered that the PAM module in systemd insecurely uses the environment and lacks seat verification permitting spoofing an active session to PolicyKit. A remote attacker with SSH access can take advantage of this issue to gain PolicyKit privileges that are normally only granted to clients in an active session on the local console. For the stable distribution (stretch), this problem has been fixed in version 232-25+deb9u11. This update includes updates previously scheduled to be released in the stretch 9.9 point release. We recommend that you upgrade your systemd packages. For the detailed security status of systemd, refer to its security tracker page at: https://security-tracker.debian.org/tracker/systemd | |
| 2540557 | On Trident3 switches, transit packets larger than 1500 bytes(DF) routed between SVIs is unexpectedly forwarded to the CPU even when the MTU is greater than 9000. This severely limits throughput for routed jumbo frames as packets arriving at a high interval are dropped to the CPU. | 3.7.0-3.7.6 |
| 2540526 | The following CVEs were announced in Debian Security Advisory DSA-4425-1 and affect the wget package. ——————————————————————————————- Debian Security Advisory DSA-4425-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 05, 2019 https://www.debian.org/security/faq ——————————————————————————————- Package : wget CVE ID : CVE-2019-5953 Debian Bug : 926389 Kusano Kazuhiko discovered a buffer overflow vulnerability in the handling of Internationalized Resource Identifiers (IRI) in wget, a network utility to retrieve files from the web, which could result in the execution of arbitrary code or denial of service when recursively downloading from an untrusted server. For the stable distribution (stretch), this problem has been fixed in version 1.18-5+deb9u3. We recommend that you upgrade your wget packages. For the detailed security status of wget, refer to its security tracker page at: https://security-tracker.debian.org/tracker/wget | |
| 2540464 | If you have dynamic route leaking configured between any two VRFs and the BGP instance for the default VRF is not defined, removing an import vrf statement crashes bgpd. This occurs even if neither of the leaking VRFs are the default VRF. | 3.7.4-3.7.6 |
| 2540268 | An incorrect readout of the optical transceiver high temperature alarm threshold (read as 17 degrees centigrade), disables a 100G optical module on Mellanox Spectrum switches. | 3.7.2-3.7.6 |
| 2540219 | The following CVEs were announced in Debian Security Advisory DSA-4416-1 and affect the wireshark package. ——————————————————————————————- Debian Security Advisory DSA-4416-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso March 24, 2019 https://www.debian.org/security/faq ——————————————————————————————- Package: wireshark CVE ID: CVE-2019-5716 CVE-2019-5717 CVE-2019-5718 CVE-2019-5719 CVE-2019-9208 CVE-2019-9209 CVE-2019-9214 Debian Bug: 923611 It was discovered that Wireshark, a network traffic analyzer, contained several vulnerabilities in the dissectors for 6LoWPAN, P_MUL, RTSE, ISAKMP, TCAP, ASN.1 BER and RPCAP, which could result in denial of service. For the stable distribution (stretch), these problems have been fixed in version 2.6.7-1~deb9u1. We recommend that you upgrade your wireshark packages. For the detailed security status of wireshark, refer to its security tracker page at: https://security-tracker.debian.org/tracker/wireshark | |
| 2540017 | The net commit command fails when you try to add a static voice VLAN or delete dot1x configuration for an interface when the port is already authorized. | 3.7.4-3.7.6 |
| 2539928 | When you delete or add 802.1X configuration on a port in a traditional mode bridge, all the ports are removed from the bridge. | 3.7.4-3.7.6 |
| 2539686 | The Cumulus Linux switch sometimes sends out ARP request packets with the sender IP address set to 0.0.0.0. | 3.7.2-3.7.6 |
| 2539433 | If multiple files reference the same module, ifupdown2 user-defined policy overrides do not apply. | 3.7.0-3.7.6 |
| 2539422 | In FRR, you can remove the default BGP instance even if there are other instances that depend on it, which causes configuration issues. | 3.7.3-3.7.6 |
| 2539218 | On the Mellanox SN2700 switch, the 100G-LR4 port might have problems establishing a link over a long distance (around 500 miles) through a telco service provider after a flap. If the laser is forced up by the link provider’s equipment, the circuit comes up. However, the circuit cannot survive a flap and the link remains down after a flap event. However, you might have to explicitly disable auto-negotiation and FEC in this scenario. | 3.7.2-3.7.6 |
| 2539169 | On the QuantaMesh T1048-LY4R, smonctl reports that all power supplies are absent:
| 3.7.3-3.7.6 |
| 2538980 | A dummy interface does not inherit the MTU from a defaults file in /etc/network/ifupdown2/policy.d. A dummy interface is typically used to keep SVI interfaces up when there are no switch ports up that are associated with that VLAN. | 3.7.2-3.7.6 |
| 2538910 | In a layer 2 VXLAN configuration, where each ECMP path is a layer 3 LACP bond with multiple port members, ECMP hash appears fine for data traffic over VXLAN from one VTEP to another, but the LACP hash is unbalanced. | 3.7.1-3.7.6 |
| 2538756 | When you flap a VNI with ifdown vni and ifup vni, the value of all MTUs for the SVI lowers to 1500 regardless of the default value set in the /etc/network/ifupdown2/policy.d/mtu.json file. This behavior does not occur if you flap the link with ip link set vni down. | 3.7.2-3.7.6 |
| 2537806 | Bridging ISIS traffic fails because layer 2 cache rules forward ISIS traffic to the CPU, where it is then dropped. To work around this issue, contact Customer Support. | 3.7.2-3.7.6 |
| 2536266 | When a VXLAN SVI transitions to a non-VXLAN SVI, the associated VRRP MAC addresses are not removed. After the transition happens, the removal fails as the VXLAN context is lost and you see the following switchd error:
| 3.7.5-3.7.6 |
| 2535795 | The Trident3 switch does not send out sflow flow samples; only counter samples are sent. | 3.7.6 |
| 2534134 | During system boot, Cumulus Linux reads the /etc/cumulus/ports.conf file to obtain the port speed. The port speed is programmed into the ASIC and synchronized to the kernel. After system boot, the kernel speed shows correctly as it matches the ASIC speed that is derived from the /etc/cumulus/ports.conf file and the cable type. However, if you restart switchd without rebooting the system, switchd synchronizes the speed from the kernel and uses it to program the ASIC. When you change the port speed in the /etc/cumulus/ports.conf file to ether a higher or lower speed (for example from 100G to 40G or from 40G to 100G) and the attached cable can support both speeds, the pre-existing speed is synchronized from the kernel. Consequently, the kernel speed remains at the pre-existing (incorrect) speed. | |
| 2534100 | The clagd process might occasionally leak memory, eventually crash, and then restart. During this time, traffic flows over this switch are impacted temporarily. The /var/log/clagd.log file shows a message similar to the following:
| |
| 2532924 | The NetQ agent is bundled with Cumulus VX 3.4.3 and later; however, the NetQ agent is not bundled with Cumulus Linux 3.4.3 and later. The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bundled with Cumulus Linux in a future release. | 3.7.0-3.7.6 |
| 2528678 | On Dell S6000 switches, switchd CPU utilization is high (50% and above) even when there is no configuration and it is idle. | |
| 2526630 | When link pause or priority flow control (PFC) is enabled on a Broadcom Tomahawk-based switch and there is over-subscription on a link, the ASIC sends pause frames aggressively, causing the upstream switch to not throttle enough. If you need link pause or PFC functionality, you must use a switch that does not use the Tomahawk ASIC. |
3.7.6 Release Notes
Open Issues in 3.7.6
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2552739 | Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | |
| 2552382 | The following security vulnerability has been announced in net-snmp: CVE-2020-15681: A privilege escalation vulnerability was discovered in Net-SNMP due to incorrect symlink handling. Vulnerable: <= 5.8.0-cl3u10 Fixed: 5.8.0-cl3u11, 5.8.0-cl4u4 | 3.7.6 | 3.7.7-3.7.16, 4.0.0-4.4.5 |
| 2552352 | The following security vulnerabilities have been announced in the nss / libnss3 packages: CVE-2020-6829: Side channel attack on ECDSA signature generation CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function CVE-2020-12401: ECDSA timing attack mitigation bypass Vulnerable: <= 3.26-1+debu8u11 Fixed: 3.26-1+debu8u12 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552351 | The following vulnerability has been announced in the libx11 packages: CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method. Vulnerable: <= 1.6.2-3+deb8u2 Fixed: 1.6.2-3+deb8u3 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2551675 | When you restart clagd, the edge port setting on the peer link changes. | 3.7.2-4.2.0 | 4.2.1-4.4.5 |
| 2550323 | After a neighbor is removed, the redistributed neighbor entry is withdrawn from the BGP table, but the prefix might still be selected as the bestpath when the host’s originated prefix is not advertised. To work around this issue, recreate the neighbor entry and flap the interface to the host. Or, if the host is already down, manually create a neighbor entry with an invalid MAC address, which forces redistribute neighbor to re-withdraw the entry. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2548475 | After you add a new VNI and a layer 3 SVI to a set of leafs, certain leafs might not be able to communicate on the layer 3 VNI. To work around this issue, reboot the leaf switch or restart switchd. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2548382 | The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548243 | On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2547769 | syslog might report a high load average with the CPU running a later microcode revision. | 3.7.4-3.7.12 | 3.7.13-3.7.16 |
| 2546998 | When you configure Cumulus Linux with a /32 address on a switch port with a configured peer address (for example, to connect to a device using IP unnumbered), the switch sends GARPs for the peer address. | 3.7.5-3.7.11 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546868 | Broadcom Field Alert - SID - MMU 2B Errors A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546702 | The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load. To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546385 | SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | |
| 2545599 | IPv6 table rules might affect forwarding. For example, if you create the following rule in the /etc/cumulus/acl/policy.d/03-sshd.rules file, the rule counter increments but IPv4 SSH traffic might be dropped.
| 3.7.2-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545405 | The ospfd daemon might crash with the following kernel trace:
| 3.7.6-3.7.10 | 3.7.11-3.7.16 |
| 2545235 | On the Edgecore AS6812 switch, you might see rare I2C errors. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545132 | On the Mellanox switch, ACL lookups are performed for VLAN matches when no rules with UNTAGGED match are present. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544723 | Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2544401 | Package: openssl CVE ID: CVE-2019-1547 CVE-2019-1549 CVE-2019-1563 Three security issues were discovered in OpenSSL: A timing attack against ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() and it was discovered that a feature of the random number generator (RNG) intended to protect against shared RNG state between parent and child processes in the event of a fork() syscall was not used by default. Fixed version: 1.1.1d-0+deb10u1 We recommend that you upgrade your openssl packages. For the detailed security status of openssl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544385 | The QCT QuantaMesh BMS T7032-IX7 switch may report “failed to request GPIO pin” errors during the boot up. | 3.7.5-3.7.10 | 3.7.11-3.7.16 |
| 2544324 | Package: hostapd CVE ID: CVE-2019-13377 CVE-2019-16275 Two vulnerabilities were found in the WPA protocol implementation found in wpa_supplication (station) and hostapd (access point). CVE-2019-13377 A timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password. CVE-2019-16275 Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network. Fixed version: 1:2.8.0-cl4u3 | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544311 | Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544212 | Cumulus Linux poed generates excessive debug log entries. These will be reduced in a future release. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544155 | NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2543875 | On the Mellanox Spectrum switch, a route withdrawal might cause the associated next hop neighbor entry to be deleted in hardware but remain in the kernel. This can cause traffic going through the directly connected route to the removed neighbor entry to be forwarded to the CPU. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2543840 | On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file. | 3.7.6-3.7.16 | |
| 2543835 | The following CVEs were announced that affect the ghostscript package: CVE ID : CVE-2019-14811 CVE-2019-14812 CVE-2019-14813 CVE-2019-14817 It was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | 3.7.0-3.7.10 | 3.7.11-3.7.16 |
| 2543816 | On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages. | 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
| 2543727 | ACL rules, such as the following, fail to install if you use swp+ (interfaces mentioned as wildcards).
You can now install such rules with swp+. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2543667 | On the EdgeCore AS4610 switch, the ping command fails unless you run the command with sudo.To work around this issue, run the following commands:
Run the following command to verify the workaround:
You should see the following output:
| 3.7.6-3.7.10, 4.1.0-4.1.1 | 3.7.11-3.7.16, 4.2.0-4.4.5 |
| 2543648 | You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:
| 3.7.6-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2543647 | ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
| 3.7.6-4.2.1 | 4.3.0-4.4.5 |
| 2543646 | In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543473 | Configuring an inbound route map to manually change the next hop IP address received from an eBGP peer locally causes the next hop to not be updated when advertising this route out to other eBGP peers. To work around this issue, set a “dummy” route map outbound to the eBGP peer or configure the route map to manually set the next hop outbound from the originating eBGP peer. | 3.7.6-3.7.10 | 3.7.11-3.7.16 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2543113 | NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful. To work around this issue, remove the stanza using vtysh. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2543096 | When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2543052 | Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as “inactive” in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR. To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:
You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2543044 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2542945 | On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
| 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542913 | IF-MIB::ifHCInOctets reports significantly lower values than reported by interface counters seen elsewhere. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2542871 | After you issue the NCLU net del bgp vrf command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2542853 | For interfaces configured with RS FEC, when switchd is restarted, the link goes down but does not automatically come back up. This occurs because the FEC status is not replayed correctly into the kernel.To work around this issue, run the ifreload -a command to bring up the interface after switchd is restarted. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542837 | On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16 |
| 2542835 | snmpd fails because NCLU does not remove agentaddress @vrf lines when running the net add snmp-server listening-address all command. | 3.7.4-3.7.16 | 4.0.0-4.4.5 |
| 2542823 | On the Broadcom Trident 3 switch, VXLAN encapsulated packets are dropped on the ingress port (tagged layer 2 port) during transit forwarding (the local switch does not terminate the VXLAN tunnel). An example of where this two-layer VXLAN inside VXLAN encapsulation might occur: - VXLAN tunnel (#1) between two servers (different racks) to provide layer 2 extension for containers or VM hosts. - VXLAN tunnel (#2) between the TOR switch in rack 1 to the TOR switch located in the remote rack. To work around this issue, either: - Configure the edge port (facing the servers) to be an access port (instead of a trunk/tagged port) - Change the destination port from 4789 to something else (VXLAN tunnel terminated by the servers) | 3.7.5-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2542774 | When moving an IP address from the address line to inet dhcp, then issuing the ifreload -a command, the old address is not removed from the interface. NCLU still reports the old address only and reports it as a DHCP address. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542767 | If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.To work around this issue, power cycle the switch. | 3.7.6-4.0.1 | 4.1.0-4.4.5 |
| 2542765 | When you configure the switch to send an EAP request with the net add dot1x send-eap-request-id command, the switch ignores re-authentication attempts and does not send back an EAPol. | 3.7.6-3.7.10 | 3.7.11-3.7.16 |
| 2542726 | After configuring switchd hal.bcm.per_vlan_router_mac_lookup to TRUE on a Broadcom switch, layer 2 traffic works over VXLAN but the host is not able to ping the locally connected gateway and loses routing ability to other IPs and subnets. | 3.7.5-3.7.8 | 3.7.9-3.7.16 |
| 2542711 | BGP update packets are sometimes missing the mandatory nexthop attribute, which causes connections to reset. For example, this issue is seen when using VRF route leaking with a mix of BGP unnumbered and BGP numbered peers. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542509 | In EVPN symmetric or centralized configurations with BGP peering over a peer link, VXLAN routed packets transiting an MLAG peer are dropped until the clagd init-delay timer expires during the bring-up sequence following a reboot.The problem is caused by a race condition when programming the anycast IP address (used to terminate VXLAN tunnels), where the hardware is programmed before the software by clagd.To work around this issue, configure the BGP path across the peer link to be less preferred. The example below uses AS path prepending and the MLAG switches are iBGP neighbors. However, other BGP configurations achieve the same result. In the /etc/frr/frr.conf file, make a new AS path access list and route map to apply BGP pre-pending of the local ASN one or more times. For example:
| 3.7.6-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2542480 | When BGP remove-private-AS replace-AS is configured under the BGP IPv4 or IPv6 address family between a pair of switches configured as BGP peers, a BGP route update might cause the BGP session to flap.To work around this issue, do not configure remove-private-AS replace-AS in the BGP IPv4 or IPv6 address family. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542384 | When you define a trap destination using @mgmt, snmpd indicates that the network is unreachable even though the IP address is reachable in the management VRF.To work around this issue, remove @mgmt vrf references in the /etc/snmp/snmpd.conf file, stop snmpd, then start snmpd manually in the management VRF with the systemctl start snmpd@mgmt command. | 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2542365 | The snmpd service frequently crashes due to double free or corruption. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542338 | In a typical CLOS network, each leaf is connected to all spine nodes; VXLAN packets follow leaf-spine links. However certain failure scenarios or maintenance activity might result in the MLAG primary switch being isolated from the spine layer (the only available network path is now across the peer link). As a result, the MLAG primary switch fails to transmit VXLAN encapsulated packets out on the peer link. It is also possible for the MLAG secondary switch to be isolated from the spine layer and then the problem is seen on the MLAG secondary switch. The issue occurs because the Broadcom Trident3 switch does not perform VLAN translation for VXLAN encapsulated packets where the tunnel is not terminated. To work around this issue, configure the BGP peering on a new VLAN interface (for example, vlan4093) instead of the peer link sub-interface (peerlink.4094). | 3.7.6 | 3.7.7-3.7.16, 4.0.0-4.4.5 |
| 2542336 | On the Mellanox SN2410 switch, switchd does not start. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2542310 | hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6. | 3.7.6-3.7.16 | |
| 2542309 | When all ports are split into 4X on the EdgeCore AS7726 switch, switchd fails to start up and a crash is seen in syslog. | 3.7.5-3.7.6 | 3.7.7-3.7.16 |
| 2542305 | If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
| 2542301 | When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2542297 | When you run the NCLU net del all command, the exec-timeout setting changes in the /etc/frr.frr.conf file. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542248 | When you generate a cl-support file, clagd.service prints log messages similar to the following:
| 3.7.6-3.7.16 | 4.0.0-4.4.5 |
| 2542193 | When you configure the link-down yes attribute to a physical SVI, the VRR (-v0) interface is not brought down, and the locally-connected subnet can still be redistributed into routing protocols and advertised to neighbors despite the physical SVI being administratively down.To work around this issue, manually bring down the VRR (-v0) interface with the ip link set dev command. For example:
| 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542160 | The following CVEs were announced in Debian Security Advisory DSA-4465-1 and affect the linux kernel. ——————————————————————————————- Debian Security Advisory DSA-4465-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 17, 2019 https://www.debian.org/security/faq ——————————————————————————————- Package: linux CVE ID: CVE-2019-3846 CVE-2019-5489 CVE-2019-9500 CVE-2019-9503 CVE-2019-10126 CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 CVE-2019-11486 CVE-2019-11599 CVE-2019-11815 CVE-2019-11833 CVE-2019-11884 Debian Bug: 928989 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2019-3846, CVE-2019-10126 huangwen reported multiple buffer overflows in the Marvell wifi (mwifiex) driver, which a local user could use to cause denial of service or the execution of arbitrary code. CVE-2019-5489 Daniel Gruss, Erik Kraft, Trishita Tiwari, Michael Schwarz, Ari Trachtenberg, Jason Hennessey, Alex Ionescu, and Anders Fogh discovered that local users could use the mincore() system call to obtain sensitive information from other processes that access the same memory-mapped file. CVE-2019-9500, CVE-2019-9503 Hugues Anguelkov discovered a buffer overflow and missing access validation in the Broadcom FullMAC wifi driver (brcmfmac), which a attacker on the same wifi network could use to cause denial of service or the execution of arbitrary code. CVE-2019-11477 Jonathan Looney reported that a specially crafted sequence of TCP selective acknowledgements (SACKs) allows a remotely triggerable kernel panic. CVE-2019-11478 Jonathan Looney reported that a specially crafted sequence of TCP selective acknowledgements (SACKs) will fragment the TCP retransmission queue, allowing an attacker to cause excessive resource usage. CVE-2019-11479 Jonathan Looney reported that an attacker could force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data, drastically increasing the bandwidth required to deliver the same amount of data. This update introduces a new sysctl value to control the minimal MSS (net.ipv4.tcp_min_snd_mss), which by default uses the formerly hard-coded value of 48. We recommend raising this to 536 unless you know that your network requires a lower value. CVE-2019-11486 Jann Horn of Google reported numerous race conditions in the Siemens R3964 line discipline. A local user could use these to cause unspecified security impact. This module has therefore been disabled. CVE-2019-11599 Jann Horn of Google reported a race condition in the core dump implementation which could lead to a use-after-free. A local user could use this to read sensitive information, to cause a denial of service (memory corruption), or for privilege escalation. CVE-2019-11815 It was discovered that a use-after-free in the Reliable Datagram Sockets protocol could result in denial of service and potentially privilege escalation. This protocol module (rds) is not auto-loaded on Debian systems, so this issue only affects systems where it is explicitly loaded. CVE-2019-11833 It was discovered that the ext4 filesystem implementation writes uninitialised data from kernel memory to new extent blocks. A local user able to write to an ext4 filesystem and then read the filesystem image, for example using a removable drive, might be able to use this to obtain sensitive information. CVE-2019-11884 It was discovered that the Bluetooth HIDP implementation did not ensure that new connection names were null-terminated. A local user with CAP_NET_ADMIN capability might be able to use this to obtain sensitive information from the kernel stack. For the stable distribution (stretch), these problems have been fixed in version 4.9.168-1+deb9u3. We recommend that you upgrade your linux packages. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542058 | The ifquery command should return a non-zero value if there is a syntax error. However, it currently returns zero. This issue affects automation scripts that validate a file before copying it into place. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2542031 | If you configure a sys-mac with a single digit, ifreload -a does not indicate that the MAC address is invalid for the MLAG sys-mac and the clagd process fails silently. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2541924 | If the address-virtual MAC address is missing a leading zero in the last octet, the interface bounces. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2541869 | SNMP shows 0 for all swp interfaces in the ifSpeed field (bond interfaces, lo and eth0 are not affected and show a value). | 3.7.6-3.7.16 | |
| 2541791 | In Cumulus Linux 3.7.6 and earlier, ifupdown2 does a string comparison to see if two addresses are the same. In Cumulus Linux 3.7.7, ifupdown2 does an integer comparison. For example, in Cumulus Linux 3.7.6 and earlier, hwaddress 00:00:5e:62:f8:02 and hwaddress 00:00:5e:62:f8:2 are not considered to be equal. In Cumulus Linux 3.7.7 and later, they are considered equal since 2 implies a leading zero. | 3.7.5-3.7.6 | 3.7.7-3.7.16 |
| 2541761 | A TACACS privilege level 15 user mapped to tacacs15 cannot use net commands even though the user is part of the netedit and/or netshow user group. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2541749 | In a highly-scaled environment, while BGP is undergoing initial convergence, watchfrr times out and bgpd stops responding. | 3.7.5-3.7.6 | 3.7.7-3.7.16 |
| 2541685 | If you have a configuration with more than 128 VRFs, BGP routes stop advertising. | 3.7.6 | 3.7.7-3.7.16 |
| 2541654 | On the Dell N3048EP switch, the I2C bus might lock and when you log into the console, you see the following message.bcm-iproc-i2c 1803b000.i2c: bus is busyAs a result, temperatures cannot be monitored. However, traffic is not affected (links do not go down). | 3.7.6 | 3.7.7-3.7.16 |
| 2541645 | Received EVPN type-5 routes are not installed into the kernel VRF routing table even though the route appears to be correct. The failure to install the default route makes the rack unreachable from the external world. | 3.7.5-3.7.16 | |
| 2541604 | The snmpd service exits with a message similar to the following:
This problem might occur during or after network convergence events. For example, when bgpd needs to process a high number of updates and the CPU cannot keep up, bgpd is disconnected and agentx generates a core dump in snmpd due to a memory allocation problem.To work around this issue, disable agentx by commenting out the following lines in the /etc/snmp/snmpd.conf file. Then, restart the snmpd service with the systemctl restart snmpd command.
If you still want to poll the BGP4-MIB information, re-enable the bgp pass persist script by adding the following line in the /etc/snmp/snmpd.conf file:
| 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2541505 | The vtep-ctl list-ports returns ports with the fully qualified domain name of the switch instead of the short hostname. | 3.7.6 | 3.7.7-3.7.16 |
| 2541494 | Under certain circumstances (when you reboot or restart the switchd service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface.To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example:
Run the net show vrf vni command to show a mapping of the layer 3 VNI to layer 3 SVI for the VRF.Note: This workaround is not guaranteed because the race condition cannot be always be avoided. | 3.7.4-3.7.16 | |
| 2541294 | In an EVPN configuration, the old MAC/IP route is present in the routing table after an IP mobility event. | 3.7.5-3.7.16 | |
| 2541213 | On Trident2 switches, egress double-tagged frames incorrectly use 802.1Q outer ethertype instead of 802.1AD. | 3.7.5-3.7.6 | 3.7.7-3.7.16 |
| 2541212 | The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2541165 | On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false. | 3.7.6-3.7.16 | |
| 2541107 | The poectl -j command output does not show the correct port numbering in JSON; it is off by one. | 3.7.6 | 3.7.7-3.7.16 |
| 2541095 | The RADIUS AAA client does the source IP address bind first, then the setsockopt VRF, which causes a failure due to a kernel check for an address mismatch with the VRF. | 3.7.4-3.7.6 | 3.7.7-3.7.16 |
| 2541090 | The dhcrelay service crashes when the DHCP relay packet comes back from the server. To work around this issue, remove the –nl flag from the dhcrelay service. | 3.7.3-3.7.6 | 3.7.7-3.7.16 |
| 2541029 | On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540980 | After upgrading the BIOS to 3.21.0.0-6, when you run the reboot, shutdown or init commands with certain options, the switch powers off. To determine the BIOS version of the switch, run:
| 3.7.5-3.7.6 | 3.7.7-3.7.16 |
| 2540950 | On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status. | 3.7.3-4.1.1 | 4.2.0-4.4.5 |
| 2540895 | On the EdgeCore AS4610-54P switch, at any moment and without warning, your PoE devices might all go down as PoEd crashes and an error message might be logged. There is no functional impact after a restart. | 3.7.6 | 3.7.7-3.7.16 |
| 2540863 | On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number. | 3.7.3-3.7.16 | |
| 2540843 | On the Dell S3048 switch, ports with FEC disabled show as BaseR on boot up. | 3.7.3-3.7.6 | 3.7.7-3.7.16 |
| 2540830 | On the Dell S5248F switch, packets forwarded to the CPU are corrupted. | 3.7.3-3.7.16 | |
| 2540823 | On the EdgeCore 7326-54X switch, switchd does not start on initial install because the decode-syseeprom command fails. However in ONIE, onie-syseeprom has no issues. | 3.7.5-3.7.6 | 3.7.7-3.7.16 |
| 2540753 | If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
| 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540737 | When you commit a configuration change to a VXLAN layer 2 VNI in an MLAG configuration, the peer link on the MLAG secondary switch goes into an STP blocking state. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2540721 | If you modify BFD timers in the /etc/frr/frr.conf file, then run the systemctl reload frr command, the neighbor connections flap. | 3.7.4-3.7.6 | 3.7.7-3.7.16 |
| 2540684 | On a Dell S5248F (Trident3) switch, packets from switch ports are forwarded to the CPU and are sometimes corrupted. The corruption might result in BGP peerings being down, which can lead to all VXLAN traffic to and from a node to be lost, causing an outage to dually connected hosts in a rack. To work around this issue, restart switchd. | 3.7.3-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2540600 | If the clagd-vxlan-anycast-ip is removed from the /etc/network/interfaces file (either with the NCLU command or by editing the file manually), MLAG still believes it is present until clagd restarts. | 3.7.3-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2540557 | On Trident3 switches, transit packets larger than 1500 bytes(DF) routed between SVIs is unexpectedly forwarded to the CPU even when the MTU is greater than 9000. This severely limits throughput for routed jumbo frames as packets arriving at a high interval are dropped to the CPU. | 3.7.0-3.7.16 | |
| 2540464 | If you have dynamic route leaking configured between any two VRFs and the BGP instance for the default VRF is not defined, removing an import vrf statement crashes bgpd. This occurs even if neither of the leaking VRFs are the default VRF. | 3.7.4-3.7.6 | 3.7.7-3.7.16 |
| 2540444 | SNMP incorrectly requires engine ID specification. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540359 | bgpd creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. | 3.7.6-3.7.8 | 3.7.9-3.7.16 |
| 2540352 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2540340 | NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540274 | On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540268 | An incorrect readout of the optical transceiver high temperature alarm threshold (read as 17 degrees centigrade), disables a 100G optical module on Mellanox Spectrum switches. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2540204 | When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540192 | The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540155 | On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540042 | When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540041 | On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540040 | Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540031 | NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540017 | The net commit command fails when you try to add a static voice VLAN or delete dot1x configuration for an interface when the port is already authorized. | 3.7.4-3.7.6 | 3.7.7-3.7.16 |
| 2539994 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539928 | When you delete or add 802.1X configuration on a port in a traditional mode bridge, all the ports are removed from the bridge. | 3.7.4-3.7.6 | 3.7.7-3.7.16 |
| 2539686 | The Cumulus Linux switch sometimes sends out ARP request packets with the sender IP address set to 0.0.0.0. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2539670 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539433 | If multiple files reference the same module, ifupdown2 user-defined policy overrides do not apply. | 3.7.0-3.7.6 | 3.7.7-3.7.16 |
| 2539422 | In FRR, you can remove the default BGP instance even if there are other instances that depend on it, which causes configuration issues. | 3.7.3-3.7.6 | 3.7.7-3.7.16 |
| 2539218 | On the Mellanox SN2700 switch, the 100G-LR4 port might have problems establishing a link over a long distance (around 500 miles) through a telco service provider after a flap. If the laser is forced up by the link provider’s equipment, the circuit comes up. However, the circuit cannot survive a flap and the link remains down after a flap event. However, you might have to explicitly disable auto-negotiation and FEC in this scenario. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2539169 | On the QuantaMesh T1048-LY4R, smonctl reports that all power supplies are absent:
| 3.7.3-3.7.6 | 3.7.7-3.7.16 |
| 2539124 | The net add interface command adds no ptm-enable for that interface in the frr.conf file.Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2538980 | A dummy interface does not inherit the MTU from a defaults file in /etc/network/ifupdown2/policy.d. A dummy interface is typically used to keep SVI interfaces up when there are no switch ports up that are associated with that VLAN. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2538910 | In a layer 2 VXLAN configuration, where each ECMP path is a layer 3 LACP bond with multiple port members, ECMP hash appears fine for data traffic over VXLAN from one VTEP to another, but the LACP hash is unbalanced. | 3.7.1-3.7.6 | 3.7.7-3.7.16 |
| 2538875 | IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file. | 3.7.2-3.7.16 | |
| 2538790 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538756 | When you flap a VNI with ifdown vni and ifup vni, the value of all MTUs for the SVI lowers to 1500 regardless of the default value set in the /etc/network/ifupdown2/policy.d/mtu.json file. This behavior does not occur if you flap the link with ip link set vni down. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2538741 | The NCLU command net show bridge spanning-tree does not show the MLAG peer link as part of the STP forwarding instance.To work around this issue, use the mstpctl command to confirm the STP status of the port. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2538590 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538562 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538480 | Modifying the /etc/netd.conf file to set show_linux_command = True does not take effect. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538256 | On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets. | 3.7.2-4.0.1 | 4.1.0-4.4.5 |
| 2538022 | When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically. To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2537819 | When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2537806 | Bridging ISIS traffic fails because layer 2 cache rules forward ISIS traffic to the CPU, where it is then dropped. To work around this issue, contact Customer Support. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537536 | When FRR restarts, snmp[err] dev/kmem: Permission denied error messages are recorded in the log file and SNMPd might crash periodically. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537188 | When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network. | 3.7.2-3.7.16 | |
| 2537153 | In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2536650 | Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters). While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2536639 | On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.To work around this issue: * If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000). * If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2536616 | CVE-2018-5391 (FragmentSmack) is a network vulnerability where an attacker can trigger time and calculation expensive fragment reassembly with specially crafted packets, leading to a denial of service. On a Cumulus Linux switch, the impact is limited to control plane and management plane traffic. Any control plane traffic coming in the front panel ports will be limited by existing policer ACLs. To work around this issue, create a file called /etc/sysctl.d/ip.conf and add these settings:
| 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536559 | When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error:
Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | 3.7.11-3.7.16 |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536266 | When a VXLAN SVI transitions to a non-VXLAN SVI, the associated VRRP MAC addresses are not removed. After the transition happens, the removal fails as the VXLAN context is lost and you see the following switchd error:
| 3.7.5-3.7.6 | 3.7.7-3.7.16 |
| 2536230 | On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is no longer set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535795 | The Trident3 switch does not send out sflow flow samples; only counter samples are sent. | 3.7.6 | 3.7.7-3.7.16 |
| 2535209 | The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2534450 | The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2532924 | The NetQ agent is bundled with Cumulus VX 3.4.3 and later; however, the NetQ agent is not bundled with Cumulus Linux 3.4.3 and later. The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bundled with Cumulus Linux in a future release. | 3.7.0-3.7.6 | 3.7.7-3.7.16 |
| 2528990 | During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | 3.7.11-3.7.16 |
Fixed Issues in 3.7.6
| Issue ID | Description | Affects |
|---|---|---|
| 2541362 | If you configure bridge-learning off on a host-facing link in a VXLAN/EVPN environment and are using static FDB entries instead, when you turn bridge-learning on and delete those static entries, they are re-learned as expected in the bridge FDB table, however they are not installed into FRR and a log message is recorded in /var/log/frr/frr.log. | 3.7.5 |
| 2540873 | On the EdgeCore AS7726 and AS7326 switches, physical links might stay operationally down (no-carrier) after a reboot. The problem is caused by a hardware initialization script that is not executed properly when the system boots up and is timing related. | 3.7.5 |
| 2540845 | On the Dell Z9100-ON switch, smond reports various sensors going from OK to BAD or OK to ABSENT; then the sensors recover. | 3.7.1-3.7.5 |
| 2540827 | The platform json file for the Dell S5048-ON switch is improperly populated. This creates an issue when trying to poll the inventory statistics with NetQ. | 3.7.3-3.7.5 |
| 2540798 | The EdgeCore 7326-54X switch reports a platform hardware initialization error similar to the following:
The SFP28 module in the port might fail to initialize at startup. | 3.7.5 |
| 2540510 | When traffic is routed by the VRR IP of an SVI, forward chain traffic is erroneously matched to input chain ACLs. | 3.7.3-3.7.5 |
| 2540486 | Routes configured in the non-default VRF are not installed in hardware. Restarting switchd or rebooting the switch does not resolve the issue. This issue was discovered on the Helix4 switch but applies to all switches.In Cumulus Linux 3.7.5 and earlier, do not include the string eth in non-management interface names; routes associated with those interfaces might not be installed in hardware. | 3.7.3-3.7.5 |
| 2540288 | The switchd service crashes when you add a route with a nexhop label. | 3.7.3-3.7.5 |
| 2540254 | In an EVPN centralized routing deployment, the border leaf sends out incorrect packets when flapping the VLAN interface. | 3.7.2-3.7.5 |
| 2540247 | On the Celestica SmallstoneXP switch, the QSFP links do not come up after you migrate to Cumulus Linux from a different network operating system and you see invalid SFF identifier errors similar to the following:
| |
| 2540122 | The snmpd daemon sometimes crashes with the error Unknown operation 6 in agentx_got_response. | 3.7.2-3.7.5 |
| 2540045 | After adding or removing a VLAN from a VLAN-aware bridge or from a trunk either using the NCLU command or manually editing the /etc/network/interfaces file and running ifreload -a, an SVI bound to a different VLAN loses its IPv4 address defined in the /etc/network/interfaces file. | 3.7.3-3.7.5 |
| 2537415 | FRR ignores a BGP password configured in a peer group that is associated with the bgp listen range. In the following example, the password cumulus has no effect on neighbors that connect in the 10.30.40.0/24 range. If the neighbor has neighbor password cumulus configured, the peering does not come up.
| |
| 2536996 | In a VXLAN/EVPN environment, when an unrelated interface either goes down or comes up, traffic traversing through the other underlay interface stops working for about two milliseconds. | |
| 2519945 | In testing, it was determined that the MD5 password configured against a BGP listen-range peer-group (used to accept and create dynamic BGP neighbors) is not enforced (connections are accepted from peers that do not specify a password). |
3.7.5 Release Notes
Open Issues in 3.7.5
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2552739 | Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | |
| 2552352 | The following security vulnerabilities have been announced in the nss / libnss3 packages: CVE-2020-6829: Side channel attack on ECDSA signature generation CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function CVE-2020-12401: ECDSA timing attack mitigation bypass Vulnerable: <= 3.26-1+debu8u11 Fixed: 3.26-1+debu8u12 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552351 | The following vulnerability has been announced in the libx11 packages: CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method. Vulnerable: <= 1.6.2-3+deb8u2 Fixed: 1.6.2-3+deb8u3 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2551675 | When you restart clagd, the edge port setting on the peer link changes. | 3.7.2-4.2.0 | 4.2.1-4.4.5 |
| 2550323 | After a neighbor is removed, the redistributed neighbor entry is withdrawn from the BGP table, but the prefix might still be selected as the bestpath when the host’s originated prefix is not advertised. To work around this issue, recreate the neighbor entry and flap the interface to the host. Or, if the host is already down, manually create a neighbor entry with an invalid MAC address, which forces redistribute neighbor to re-withdraw the entry. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2548382 | The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5 |
| 2548243 | On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2547769 | syslog might report a high load average with the CPU running a later microcode revision. | 3.7.4-3.7.12 | 3.7.13-3.7.16 |
| 2546998 | When you configure Cumulus Linux with a /32 address on a switch port with a configured peer address (for example, to connect to a device using IP unnumbered), the switch sends GARPs for the peer address. | 3.7.5-3.7.11 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546868 | Broadcom Field Alert - SID - MMU 2B Errors A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546702 | The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load. To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545599 | IPv6 table rules might affect forwarding. For example, if you create the following rule in the /etc/cumulus/acl/policy.d/03-sshd.rules file, the rule counter increments but IPv4 SSH traffic might be dropped.
| 3.7.2-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545235 | On the Edgecore AS6812 switch, you might see rare I2C errors. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545132 | On the Mellanox switch, ACL lookups are performed for VLAN matches when no rules with UNTAGGED match are present. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544401 | Package: openssl CVE ID: CVE-2019-1547 CVE-2019-1549 CVE-2019-1563 Three security issues were discovered in OpenSSL: A timing attack against ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() and it was discovered that a feature of the random number generator (RNG) intended to protect against shared RNG state between parent and child processes in the event of a fork() syscall was not used by default. Fixed version: 1.1.1d-0+deb10u1 We recommend that you upgrade your openssl packages. For the detailed security status of openssl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544385 | The QCT QuantaMesh BMS T7032-IX7 switch may report “failed to request GPIO pin” errors during the boot up. | 3.7.5-3.7.10 | 3.7.11-3.7.16 |
| 2544324 | Package: hostapd CVE ID: CVE-2019-13377 CVE-2019-16275 Two vulnerabilities were found in the WPA protocol implementation found in wpa_supplication (station) and hostapd (access point). CVE-2019-13377 A timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password. CVE-2019-16275 Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network. Fixed version: 1:2.8.0-cl4u3 | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544311 | Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2544212 | Cumulus Linux poed generates excessive debug log entries. These will be reduced in a future release. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544155 | NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2543835 | The following CVEs were announced that affect the ghostscript package: CVE ID : CVE-2019-14811 CVE-2019-14812 CVE-2019-14813 CVE-2019-14817 It was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | 3.7.0-3.7.10 | 3.7.11-3.7.16 |
| 2543727 | ACL rules, such as the following, fail to install if you use swp+ (interfaces mentioned as wildcards).
You can now install such rules with swp+. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2543113 | NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful. To work around this issue, remove the stanza using vtysh. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2543052 | Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as “inactive” in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR. To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:
You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2543044 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2542871 | After you issue the NCLU net del bgp vrf command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2542835 | snmpd fails because NCLU does not remove agentaddress @vrf lines when running the net add snmp-server listening-address all command. | 3.7.4-3.7.16 | 4.0.0-4.4.5 |
| 2542823 | On the Broadcom Trident 3 switch, VXLAN encapsulated packets are dropped on the ingress port (tagged layer 2 port) during transit forwarding (the local switch does not terminate the VXLAN tunnel). An example of where this two-layer VXLAN inside VXLAN encapsulation might occur: - VXLAN tunnel (#1) between two servers (different racks) to provide layer 2 extension for containers or VM hosts. - VXLAN tunnel (#2) between the TOR switch in rack 1 to the TOR switch located in the remote rack. To work around this issue, either: - Configure the edge port (facing the servers) to be an access port (instead of a trunk/tagged port) - Change the destination port from 4789 to something else (VXLAN tunnel terminated by the servers) | 3.7.5-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2542726 | After configuring switchd hal.bcm.per_vlan_router_mac_lookup to TRUE on a Broadcom switch, layer 2 traffic works over VXLAN but the host is not able to ping the locally connected gateway and loses routing ability to other IPs and subnets. | 3.7.5-3.7.8 | 3.7.9-3.7.16 |
| 2542336 | On the Mellanox SN2410 switch, switchd does not start. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2542309 | When all ports are split into 4X on the EdgeCore AS7726 switch, switchd fails to start up and a crash is seen in syslog. | 3.7.5-3.7.6 | 3.7.7-3.7.16 |
| 2542301 | When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2541791 | In Cumulus Linux 3.7.6 and earlier, ifupdown2 does a string comparison to see if two addresses are the same. In Cumulus Linux 3.7.7, ifupdown2 does an integer comparison. For example, in Cumulus Linux 3.7.6 and earlier, hwaddress 00:00:5e:62:f8:02 and hwaddress 00:00:5e:62:f8:2 are not considered to be equal. In Cumulus Linux 3.7.7 and later, they are considered equal since 2 implies a leading zero. | 3.7.5-3.7.6 | 3.7.7-3.7.16 |
| 2541761 | A TACACS privilege level 15 user mapped to tacacs15 cannot use net commands even though the user is part of the netedit and/or netshow user group. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2541749 | In a highly-scaled environment, while BGP is undergoing initial convergence, watchfrr times out and bgpd stops responding. | 3.7.5-3.7.6 | 3.7.7-3.7.16 |
| 2541645 | Received EVPN type-5 routes are not installed into the kernel VRF routing table even though the route appears to be correct. The failure to install the default route makes the rack unreachable from the external world. | 3.7.5-3.7.16 | |
| 2541604 | The snmpd service exits with a message similar to the following:
This problem might occur during or after network convergence events. For example, when bgpd needs to process a high number of updates and the CPU cannot keep up, bgpd is disconnected and agentx generates a core dump in snmpd due to a memory allocation problem.To work around this issue, disable agentx by commenting out the following lines in the /etc/snmp/snmpd.conf file. Then, restart the snmpd service with the systemctl restart snmpd command.
If you still want to poll the BGP4-MIB information, re-enable the bgp pass persist script by adding the following line in the /etc/snmp/snmpd.conf file:
| 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2541494 | Under certain circumstances (when you reboot or restart the switchd service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface.To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example:
Run the net show vrf vni command to show a mapping of the layer 3 VNI to layer 3 SVI for the VRF.Note: This workaround is not guaranteed because the race condition cannot be always be avoided. | 3.7.4-3.7.16 | |
| 2541362 | If you configure bridge-learning off on a host-facing link in a VXLAN/EVPN environment and are using static FDB entries instead, when you turn bridge-learning on and delete those static entries, they are re-learned as expected in the bridge FDB table, however they are not installed into FRR and a log message is recorded in /var/log/frr/frr.log. | 3.7.5 | 3.7.6-3.7.16 |
| 2541294 | In an EVPN configuration, the old MAC/IP route is present in the routing table after an IP mobility event. | 3.7.5-3.7.16 | |
| 2541213 | On Trident2 switches, egress double-tagged frames incorrectly use 802.1Q outer ethertype instead of 802.1AD. | 3.7.5-3.7.6 | 3.7.7-3.7.16 |
| 2541212 | The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2541095 | The RADIUS AAA client does the source IP address bind first, then the setsockopt VRF, which causes a failure due to a kernel check for an address mismatch with the VRF. | 3.7.4-3.7.6 | 3.7.7-3.7.16 |
| 2541090 | The dhcrelay service crashes when the DHCP relay packet comes back from the server. To work around this issue, remove the –nl flag from the dhcrelay service. | 3.7.3-3.7.6 | 3.7.7-3.7.16 |
| 2541029 | On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540980 | After upgrading the BIOS to 3.21.0.0-6, when you run the reboot, shutdown or init commands with certain options, the switch powers off. To determine the BIOS version of the switch, run:
| 3.7.5-3.7.6 | 3.7.7-3.7.16 |
| 2540950 | On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status. | 3.7.3-4.1.1 | 4.2.0-4.4.5 |
| 2540873 | On the EdgeCore AS7726 and AS7326 switches, physical links might stay operationally down (no-carrier) after a reboot. The problem is caused by a hardware initialization script that is not executed properly when the system boots up and is timing related. | 3.7.5 | 3.7.6-3.7.16 |
| 2540863 | On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number. | 3.7.3-3.7.16 | |
| 2540845 | On the Dell Z9100-ON switch, smond reports various sensors going from OK to BAD or OK to ABSENT; then the sensors recover. | 3.7.1-3.7.5 | 3.7.6-3.7.16 |
| 2540843 | On the Dell S3048 switch, ports with FEC disabled show as BaseR on boot up. | 3.7.3-3.7.6 | 3.7.7-3.7.16 |
| 2540830 | On the Dell S5248F switch, packets forwarded to the CPU are corrupted. | 3.7.3-3.7.16 | |
| 2540827 | The platform json file for the Dell S5048-ON switch is improperly populated. This creates an issue when trying to poll the inventory statistics with NetQ. | 3.7.3-3.7.5 | 3.7.6-3.7.16 |
| 2540823 | On the EdgeCore 7326-54X switch, switchd does not start on initial install because the decode-syseeprom command fails. However in ONIE, onie-syseeprom has no issues. | 3.7.5-3.7.6 | 3.7.7-3.7.16 |
| 2540798 | The EdgeCore 7326-54X switch reports a platform hardware initialization error similar to the following:
The SFP28 module in the port might fail to initialize at startup. | 3.7.5 | 3.7.6-3.7.16 |
| 2540753 | If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
| 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540737 | When you commit a configuration change to a VXLAN layer 2 VNI in an MLAG configuration, the peer link on the MLAG secondary switch goes into an STP blocking state. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2540721 | If you modify BFD timers in the /etc/frr/frr.conf file, then run the systemctl reload frr command, the neighbor connections flap. | 3.7.4-3.7.6 | 3.7.7-3.7.16 |
| 2540684 | On a Dell S5248F (Trident3) switch, packets from switch ports are forwarded to the CPU and are sometimes corrupted. The corruption might result in BGP peerings being down, which can lead to all VXLAN traffic to and from a node to be lost, causing an outage to dually connected hosts in a rack. To work around this issue, restart switchd. | 3.7.3-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2540600 | If the clagd-vxlan-anycast-ip is removed from the /etc/network/interfaces file (either with the NCLU command or by editing the file manually), MLAG still believes it is present until clagd restarts. | 3.7.3-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2540557 | On Trident3 switches, transit packets larger than 1500 bytes(DF) routed between SVIs is unexpectedly forwarded to the CPU even when the MTU is greater than 9000. This severely limits throughput for routed jumbo frames as packets arriving at a high interval are dropped to the CPU. | 3.7.0-3.7.16 | |
| 2540510 | When traffic is routed by the VRR IP of an SVI, forward chain traffic is erroneously matched to input chain ACLs. | 3.7.3-3.7.5 | 3.7.6-3.7.16 |
| 2540486 | Routes configured in the non-default VRF are not installed in hardware. Restarting switchd or rebooting the switch does not resolve the issue. This issue was discovered on the Helix4 switch but applies to all switches.In Cumulus Linux 3.7.5 and earlier, do not include the string eth in non-management interface names; routes associated with those interfaces might not be installed in hardware. | 3.7.3-3.7.5 | 3.7.6-3.7.16 |
| 2540464 | If you have dynamic route leaking configured between any two VRFs and the BGP instance for the default VRF is not defined, removing an import vrf statement crashes bgpd. This occurs even if neither of the leaking VRFs are the default VRF. | 3.7.4-3.7.6 | 3.7.7-3.7.16 |
| 2540444 | SNMP incorrectly requires engine ID specification. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540352 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2540340 | NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540288 | The switchd service crashes when you add a route with a nexhop label. | 3.7.3-3.7.5 | 3.7.6-3.7.16 |
| 2540274 | On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
| 2540268 | An incorrect readout of the optical transceiver high temperature alarm threshold (read as 17 degrees centigrade), disables a 100G optical module on Mellanox Spectrum switches. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2540254 | In an EVPN centralized routing deployment, the border leaf sends out incorrect packets when flapping the VLAN interface. | 3.7.2-3.7.5 | 3.7.6-3.7.16 |
| 2540204 | When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540192 | The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540155 | On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540122 | The snmpd daemon sometimes crashes with the error Unknown operation 6 in agentx_got_response. | 3.7.2-3.7.5 | 3.7.6-3.7.16 |
| 2540045 | After adding or removing a VLAN from a VLAN-aware bridge or from a trunk either using the NCLU command or manually editing the /etc/network/interfaces file and running ifreload -a, an SVI bound to a different VLAN loses its IPv4 address defined in the /etc/network/interfaces file. | 3.7.3-3.7.5 | 3.7.6-3.7.16 |
| 2540042 | When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540041 | On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540040 | Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540031 | NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540017 | The net commit command fails when you try to add a static voice VLAN or delete dot1x configuration for an interface when the port is already authorized. | 3.7.4-3.7.6 | 3.7.7-3.7.16 |
| 2539994 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539928 | When you delete or add 802.1X configuration on a port in a traditional mode bridge, all the ports are removed from the bridge. | 3.7.4-3.7.6 | 3.7.7-3.7.16 |
| 2539686 | The Cumulus Linux switch sometimes sends out ARP request packets with the sender IP address set to 0.0.0.0. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2539670 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539433 | If multiple files reference the same module, ifupdown2 user-defined policy overrides do not apply. | 3.7.0-3.7.6 | 3.7.7-3.7.16 |
| 2539422 | In FRR, you can remove the default BGP instance even if there are other instances that depend on it, which causes configuration issues. | 3.7.3-3.7.6 | 3.7.7-3.7.16 |
| 2539218 | On the Mellanox SN2700 switch, the 100G-LR4 port might have problems establishing a link over a long distance (around 500 miles) through a telco service provider after a flap. If the laser is forced up by the link provider’s equipment, the circuit comes up. However, the circuit cannot survive a flap and the link remains down after a flap event. However, you might have to explicitly disable auto-negotiation and FEC in this scenario. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2539169 | On the QuantaMesh T1048-LY4R, smonctl reports that all power supplies are absent:
| 3.7.3-3.7.6 | 3.7.7-3.7.16 |
| 2539124 | The net add interface command adds no ptm-enable for that interface in the frr.conf file.Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2538980 | A dummy interface does not inherit the MTU from a defaults file in /etc/network/ifupdown2/policy.d. A dummy interface is typically used to keep SVI interfaces up when there are no switch ports up that are associated with that VLAN. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2538910 | In a layer 2 VXLAN configuration, where each ECMP path is a layer 3 LACP bond with multiple port members, ECMP hash appears fine for data traffic over VXLAN from one VTEP to another, but the LACP hash is unbalanced. | 3.7.1-3.7.6 | 3.7.7-3.7.16 |
| 2538875 | IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file. | 3.7.2-3.7.16 | |
| 2538790 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538756 | When you flap a VNI with ifdown vni and ifup vni, the value of all MTUs for the SVI lowers to 1500 regardless of the default value set in the /etc/network/ifupdown2/policy.d/mtu.json file. This behavior does not occur if you flap the link with ip link set vni down. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2538741 | The NCLU command net show bridge spanning-tree does not show the MLAG peer link as part of the STP forwarding instance.To work around this issue, use the mstpctl command to confirm the STP status of the port. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2538590 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538562 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538480 | Modifying the /etc/netd.conf file to set show_linux_command = True does not take effect. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538256 | On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets. | 3.7.2-4.0.1 | 4.1.0-4.4.5 |
| 2538022 | When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically. To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2537819 | When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2537806 | Bridging ISIS traffic fails because layer 2 cache rules forward ISIS traffic to the CPU, where it is then dropped. To work around this issue, contact Customer Support. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537536 | When FRR restarts, snmp[err] dev/kmem: Permission denied error messages are recorded in the log file and SNMPd might crash periodically. | 3.7.5-3.7.16 | 4.0.0-4.4.5 |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537188 | When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network. | 3.7.2-3.7.16 | |
| 2537153 | In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2536650 | Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters). While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2536639 | On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.To work around this issue: * If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000). * If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2536616 | CVE-2018-5391 (FragmentSmack) is a network vulnerability where an attacker can trigger time and calculation expensive fragment reassembly with specially crafted packets, leading to a denial of service. On a Cumulus Linux switch, the impact is limited to control plane and management plane traffic. Any control plane traffic coming in the front panel ports will be limited by existing policer ACLs. To work around this issue, create a file called /etc/sysctl.d/ip.conf and add these settings:
| 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536559 | When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error:
Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | 3.7.11-3.7.16 |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536266 | When a VXLAN SVI transitions to a non-VXLAN SVI, the associated VRRP MAC addresses are not removed. After the transition happens, the removal fails as the VXLAN context is lost and you see the following switchd error:
| 3.7.5-3.7.6 | 3.7.7-3.7.16 |
| 2536230 | On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is no longer set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535209 | The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
| 2534450 | The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2532924 | The NetQ agent is bundled with Cumulus VX 3.4.3 and later; however, the NetQ agent is not bundled with Cumulus Linux 3.4.3 and later. The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bundled with Cumulus Linux in a future release. | 3.7.0-3.7.6 | 3.7.7-3.7.16 |
Fixed Issues in 3.7.5
| Issue ID | Description | Affects |
|---|---|---|
| 2540711 | The following CVEs were announced in Debian Security Advisory DSA-4431-1 and affect the libssh2 package. ————————————————————————————— Debian Security Advisory DSA-4431-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 13, 2019 https://www.debian.org/security/faq ————————————————————————————— Package: libssh2 CVE ID: CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862 CVE-2019-3863 Debian Bug: 924965 Chris Coulson discovered several vulnerabilities in libssh2, a SSH2 client-side library, which could result in denial of service, information leaks or the execution of arbitrary code. For the stable distribution (stretch), these problems have been fixed in version 1.7.0-1+deb9u1. We recommend that you upgrade your libssh2 packages. For the detailed security status of libssh2, refer to its security tracker page at: https://security-tracker.debian.org/tracker/libssh2 | |
| 2540520 | When IGMP snooping is enabled on a Broadcom switch, after multiple PIM join and leave messages are sent, switchd crashes and reports log messages similar to the following:
| 3.7.4 |
| 2540496 | Tomahawk or Tomahawk+ switches drop traffic when using EVPN centralized routing. | 3.7.4 |
| 2539681 | The following CVEs were announced in Debian Security Advisory DSA-4400-1 and affect the openssl package. ————————————————————————————— Debian Security Advisory DSA-4400-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff February 28, 2019 https://www.debian.org/security/faq —————————————————————————————- Package : openssl1.0 CVE ID : CVE-2019-1559 Juraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding oracle attack in OpenSSL. For the stable distribution (stretch), this problem has been fixed in version 1.0.2r-1~deb9u1. We recommend that you upgrade your openssl1.0 packages. For the detailed security status of openssl1.0, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl1.0 https://security-tracker.debian.org/tracker/CVE-2019-1559 | |
| 2539128 | The following CVEs were announced in Debian Security Advisory DSA-4387-1 and affect the openssh package. ————————————————————————————— Debian Security Advisory DSA-4387-1 security@debian.org https://www.debian.org/security/ Yves-Alexis Perez February 09, 2019 https://www.debian.org/security/faq —————————————————————————————- Package: openssh CVE ID: CVE-2018-20685 CVE-2019-6109 CVE-2019-6111 Debian Bug: 793412 919101 Harry Sintonen from F-Secure Corporation discovered multiple vulnerabilities in OpenSSH, an implementation of the SSH protocol suite. All the vulnerabilities are in found in the scp client implementing the SCP protocol. CVE-2018-20685 Due to improper directory name validation, the scp client allows servers tovmodify permissions of the target directory by using empty or dotvdirectory name. CVE-2019-6109 Due to missing character encoding in the progress display, the object name can be used to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred. CVE-2019-6111 Due to scp client insufficient input validation in path names sent by server, a malicious server can do arbitrary file overwrites in target directory. If the recursive (-r) option is provided, the server can also manipulate subdirectories as well. The check added in this version can lead to regression if the client and the server have differences in wildcard expansion rules. If the server is trusted for that purpose, the check can be disabled with a new -T option to the scp client. For the stable distribution (stretch), these problems have been fixed in version 1:7.4p1-10+deb9u5. We recommend that you upgrade your openssh packages. For the detailed security status of openssh please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssh |
3.7.4 Release Notes
Open Issues in 3.7.4
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2552739 | Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | |
| 2552352 | The following security vulnerabilities have been announced in the nss / libnss3 packages: CVE-2020-6829: Side channel attack on ECDSA signature generation CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function CVE-2020-12401: ECDSA timing attack mitigation bypass Vulnerable: <= 3.26-1+debu8u11 Fixed: 3.26-1+debu8u12 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552351 | The following vulnerability has been announced in the libx11 packages: CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method. Vulnerable: <= 1.6.2-3+deb8u2 Fixed: 1.6.2-3+deb8u3 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2551675 | When you restart clagd, the edge port setting on the peer link changes. | 3.7.2-4.2.0 | 4.2.1-4.4.5 |
| 2550323 | After a neighbor is removed, the redistributed neighbor entry is withdrawn from the BGP table, but the prefix might still be selected as the bestpath when the host’s originated prefix is not advertised. To work around this issue, recreate the neighbor entry and flap the interface to the host. Or, if the host is already down, manually create a neighbor entry with an invalid MAC address, which forces redistribute neighbor to re-withdraw the entry. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2548243 | On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2547769 | syslog might report a high load average with the CPU running a later microcode revision. | 3.7.4-3.7.12 | 3.7.13-3.7.16 |
| 2546868 | Broadcom Field Alert - SID - MMU 2B Errors A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546702 | The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load. To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545599 | IPv6 table rules might affect forwarding. For example, if you create the following rule in the /etc/cumulus/acl/policy.d/03-sshd.rules file, the rule counter increments but IPv4 SSH traffic might be dropped.
| 3.7.2-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545235 | On the Edgecore AS6812 switch, you might see rare I2C errors. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545132 | On the Mellanox switch, ACL lookups are performed for VLAN matches when no rules with UNTAGGED match are present. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544401 | Package: openssl CVE ID: CVE-2019-1547 CVE-2019-1549 CVE-2019-1563 Three security issues were discovered in OpenSSL: A timing attack against ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() and it was discovered that a feature of the random number generator (RNG) intended to protect against shared RNG state between parent and child processes in the event of a fork() syscall was not used by default. Fixed version: 1.1.1d-0+deb10u1 We recommend that you upgrade your openssl packages. For the detailed security status of openssl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544324 | Package: hostapd CVE ID: CVE-2019-13377 CVE-2019-16275 Two vulnerabilities were found in the WPA protocol implementation found in wpa_supplication (station) and hostapd (access point). CVE-2019-13377 A timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password. CVE-2019-16275 Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network. Fixed version: 1:2.8.0-cl4u3 | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544212 | Cumulus Linux poed generates excessive debug log entries. These will be reduced in a future release. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2543835 | The following CVEs were announced that affect the ghostscript package: CVE ID : CVE-2019-14811 CVE-2019-14812 CVE-2019-14813 CVE-2019-14817 It was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | 3.7.0-3.7.10 | 3.7.11-3.7.16 |
| 2543727 | ACL rules, such as the following, fail to install if you use swp+ (interfaces mentioned as wildcards).
You can now install such rules with swp+. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2543113 | NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful. To work around this issue, remove the stanza using vtysh. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2543044 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2542871 | After you issue the NCLU net del bgp vrf command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2542835 | snmpd fails because NCLU does not remove agentaddress @vrf lines when running the net add snmp-server listening-address all command. | 3.7.4-3.7.16 | 4.0.0-4.4.5 |
| 2542336 | On the Mellanox SN2410 switch, switchd does not start. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2542301 | When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2541761 | A TACACS privilege level 15 user mapped to tacacs15 cannot use net commands even though the user is part of the netedit and/or netshow user group. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2541604 | The snmpd service exits with a message similar to the following:
This problem might occur during or after network convergence events. For example, when bgpd needs to process a high number of updates and the CPU cannot keep up, bgpd is disconnected and agentx generates a core dump in snmpd due to a memory allocation problem.To work around this issue, disable agentx by commenting out the following lines in the /etc/snmp/snmpd.conf file. Then, restart the snmpd service with the systemctl restart snmpd command.
If you still want to poll the BGP4-MIB information, re-enable the bgp pass persist script by adding the following line in the /etc/snmp/snmpd.conf file:
| 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2541494 | Under certain circumstances (when you reboot or restart the switchd service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface.To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example:
Run the net show vrf vni command to show a mapping of the layer 3 VNI to layer 3 SVI for the VRF.Note: This workaround is not guaranteed because the race condition cannot be always be avoided. | 3.7.4-3.7.16 | |
| 2541095 | The RADIUS AAA client does the source IP address bind first, then the setsockopt VRF, which causes a failure due to a kernel check for an address mismatch with the VRF. | 3.7.4-3.7.6 | 3.7.7-3.7.16 |
| 2541090 | The dhcrelay service crashes when the DHCP relay packet comes back from the server. To work around this issue, remove the –nl flag from the dhcrelay service. | 3.7.3-3.7.6 | 3.7.7-3.7.16 |
| 2540950 | On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status. | 3.7.3-4.1.1 | 4.2.0-4.4.5 |
| 2540863 | On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number. | 3.7.3-3.7.16 | |
| 2540845 | On the Dell Z9100-ON switch, smond reports various sensors going from OK to BAD or OK to ABSENT; then the sensors recover. | 3.7.1-3.7.5 | 3.7.6-3.7.16 |
| 2540843 | On the Dell S3048 switch, ports with FEC disabled show as BaseR on boot up. | 3.7.3-3.7.6 | 3.7.7-3.7.16 |
| 2540830 | On the Dell S5248F switch, packets forwarded to the CPU are corrupted. | 3.7.3-3.7.16 | |
| 2540827 | The platform json file for the Dell S5048-ON switch is improperly populated. This creates an issue when trying to poll the inventory statistics with NetQ. | 3.7.3-3.7.5 | 3.7.6-3.7.16 |
| 2540737 | When you commit a configuration change to a VXLAN layer 2 VNI in an MLAG configuration, the peer link on the MLAG secondary switch goes into an STP blocking state. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2540721 | If you modify BFD timers in the /etc/frr/frr.conf file, then run the systemctl reload frr command, the neighbor connections flap. | 3.7.4-3.7.6 | 3.7.7-3.7.16 |
| 2540684 | On a Dell S5248F (Trident3) switch, packets from switch ports are forwarded to the CPU and are sometimes corrupted. The corruption might result in BGP peerings being down, which can lead to all VXLAN traffic to and from a node to be lost, causing an outage to dually connected hosts in a rack. To work around this issue, restart switchd. | 3.7.3-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2540600 | If the clagd-vxlan-anycast-ip is removed from the /etc/network/interfaces file (either with the NCLU command or by editing the file manually), MLAG still believes it is present until clagd restarts. | 3.7.3-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2540557 | On Trident3 switches, transit packets larger than 1500 bytes(DF) routed between SVIs is unexpectedly forwarded to the CPU even when the MTU is greater than 9000. This severely limits throughput for routed jumbo frames as packets arriving at a high interval are dropped to the CPU. | 3.7.0-3.7.16 | |
| 2540520 | When IGMP snooping is enabled on a Broadcom switch, after multiple PIM join and leave messages are sent, switchd crashes and reports log messages similar to the following:
| 3.7.4 | 3.7.5-3.7.16 |
| 2540510 | When traffic is routed by the VRR IP of an SVI, forward chain traffic is erroneously matched to input chain ACLs. | 3.7.3-3.7.5 | 3.7.6-3.7.16 |
| 2540496 | Tomahawk or Tomahawk+ switches drop traffic when using EVPN centralized routing. | 3.7.4 | 3.7.5-3.7.16 |
| 2540486 | Routes configured in the non-default VRF are not installed in hardware. Restarting switchd or rebooting the switch does not resolve the issue. This issue was discovered on the Helix4 switch but applies to all switches.In Cumulus Linux 3.7.5 and earlier, do not include the string eth in non-management interface names; routes associated with those interfaces might not be installed in hardware. | 3.7.3-3.7.5 | 3.7.6-3.7.16 |
| 2540464 | If you have dynamic route leaking configured between any two VRFs and the BGP instance for the default VRF is not defined, removing an import vrf statement crashes bgpd. This occurs even if neither of the leaking VRFs are the default VRF. | 3.7.4-3.7.6 | 3.7.7-3.7.16 |
| 2540444 | SNMP incorrectly requires engine ID specification. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540352 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2540340 | NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540288 | The switchd service crashes when you add a route with a nexhop label. | 3.7.3-3.7.5 | 3.7.6-3.7.16 |
| 2540268 | An incorrect readout of the optical transceiver high temperature alarm threshold (read as 17 degrees centigrade), disables a 100G optical module on Mellanox Spectrum switches. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2540254 | In an EVPN centralized routing deployment, the border leaf sends out incorrect packets when flapping the VLAN interface. | 3.7.2-3.7.5 | 3.7.6-3.7.16 |
| 2540204 | When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540192 | The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540155 | On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540122 | The snmpd daemon sometimes crashes with the error Unknown operation 6 in agentx_got_response. | 3.7.2-3.7.5 | 3.7.6-3.7.16 |
| 2540045 | After adding or removing a VLAN from a VLAN-aware bridge or from a trunk either using the NCLU command or manually editing the /etc/network/interfaces file and running ifreload -a, an SVI bound to a different VLAN loses its IPv4 address defined in the /etc/network/interfaces file. | 3.7.3-3.7.5 | 3.7.6-3.7.16 |
| 2540042 | When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540041 | On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540040 | Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
| 3.7.4-3.7.16, 4.0.0-4.4.5 | |
| 2540031 | NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540017 | The net commit command fails when you try to add a static voice VLAN or delete dot1x configuration for an interface when the port is already authorized. | 3.7.4-3.7.6 | 3.7.7-3.7.16 |
| 2539994 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539928 | When you delete or add 802.1X configuration on a port in a traditional mode bridge, all the ports are removed from the bridge. | 3.7.4-3.7.6 | 3.7.7-3.7.16 |
| 2539686 | The Cumulus Linux switch sometimes sends out ARP request packets with the sender IP address set to 0.0.0.0. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2539670 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539433 | If multiple files reference the same module, ifupdown2 user-defined policy overrides do not apply. | 3.7.0-3.7.6 | 3.7.7-3.7.16 |
| 2539422 | In FRR, you can remove the default BGP instance even if there are other instances that depend on it, which causes configuration issues. | 3.7.3-3.7.6 | 3.7.7-3.7.16 |
| 2539218 | On the Mellanox SN2700 switch, the 100G-LR4 port might have problems establishing a link over a long distance (around 500 miles) through a telco service provider after a flap. If the laser is forced up by the link provider’s equipment, the circuit comes up. However, the circuit cannot survive a flap and the link remains down after a flap event. However, you might have to explicitly disable auto-negotiation and FEC in this scenario. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2539169 | On the QuantaMesh T1048-LY4R, smonctl reports that all power supplies are absent:
| 3.7.3-3.7.6 | 3.7.7-3.7.16 |
| 2539124 | The net add interface command adds no ptm-enable for that interface in the frr.conf file.Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2538980 | A dummy interface does not inherit the MTU from a defaults file in /etc/network/ifupdown2/policy.d. A dummy interface is typically used to keep SVI interfaces up when there are no switch ports up that are associated with that VLAN. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2538910 | In a layer 2 VXLAN configuration, where each ECMP path is a layer 3 LACP bond with multiple port members, ECMP hash appears fine for data traffic over VXLAN from one VTEP to another, but the LACP hash is unbalanced. | 3.7.1-3.7.6 | 3.7.7-3.7.16 |
| 2538875 | IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file. | 3.7.2-3.7.16 | |
| 2538790 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538756 | When you flap a VNI with ifdown vni and ifup vni, the value of all MTUs for the SVI lowers to 1500 regardless of the default value set in the /etc/network/ifupdown2/policy.d/mtu.json file. This behavior does not occur if you flap the link with ip link set vni down. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2538741 | The NCLU command net show bridge spanning-tree does not show the MLAG peer link as part of the STP forwarding instance.To work around this issue, use the mstpctl command to confirm the STP status of the port. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2538590 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538562 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538480 | Modifying the /etc/netd.conf file to set show_linux_command = True does not take effect. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538256 | On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets. | 3.7.2-4.0.1 | 4.1.0-4.4.5 |
| 2538022 | When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically. To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2537819 | When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2537806 | Bridging ISIS traffic fails because layer 2 cache rules forward ISIS traffic to the CPU, where it is then dropped. To work around this issue, contact Customer Support. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537188 | When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network. | 3.7.2-3.7.16 | |
| 2537153 | In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2536650 | Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters). While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2536639 | On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.To work around this issue: * If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000). * If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2536616 | CVE-2018-5391 (FragmentSmack) is a network vulnerability where an attacker can trigger time and calculation expensive fragment reassembly with specially crafted packets, leading to a denial of service. On a Cumulus Linux switch, the impact is limited to control plane and management plane traffic. Any control plane traffic coming in the front panel ports will be limited by existing policer ACLs. To work around this issue, create a file called /etc/sysctl.d/ip.conf and add these settings:
| 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536559 | When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error:
Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | 3.7.11-3.7.16 |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536230 | On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is no longer set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2534450 | The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2532924 | The NetQ agent is bundled with Cumulus VX 3.4.3 and later; however, the NetQ agent is not bundled with Cumulus Linux 3.4.3 and later. The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bundled with Cumulus Linux in a future release. | 3.7.0-3.7.6 | 3.7.7-3.7.16 |
Fixed Issues in 3.7.4
| Issue ID | Description | Affects |
|---|---|---|
| 2540133 | The wrong route distinguisher is sent in an EVPN advertisement after a port flap. | 3.7.3 |
| 2539968 | Permanent bridge FDB entries for a layer 3 VNI SVI are sometimes overwritten by an offload entry and sometimes missing. | 3.7.3 |
| 2539835 | When an improperly programmed or corrupted module is inserted, the portwd service might crash due to an EEPROM transceiver code decoding problem and cannot be restarted. | 3.7.3 |
| 2539807 | neighmgrd crashes and more than half the neighbor entries are in the FAILED state. Memory and CPU usage is high. | 3.7.2-3.7.3 |
| 2539753 | Currently if the BMC firmware encounters a value that it cannot parse, it logs the following message, which provides insufficient data to understand which value failed to parse correctly and, therefore, how to further investigate the issue.
| 3.7.2-3.7.3 |
| 2539638 | In an MLAG configuration, some prefixes are correlated with an incorrect VNI, which results in loss of redundant paths in the fabric for these prefixes. To work around this issue, restart FRR or perform a hard boot. | 3.7.2-3.7.3 |
| 2539284 | The following CVEs were announced in Debian Security Advisory DSA-4393-1 and affect the systemd package. ———————————————————————————- Debian Security Advisory DSA-4393-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 18, 2019 https://www.debian.org/security/faq ———————————————————————————- Package : systemd CVE ID : CVE-2019-6454 Chris Coulson discovered a flaw in systemd leading to denial of service. An unprivileged user could take advantage of this issue to crash PID1 by sending a specially crafted D-Bus message on the system bus. For the stable distribution (stretch), this problem has been fixed inversion 232-25+deb9u9. We recommend that you upgrade your systemd packages. For the detailed security status of systemd please refer to its security tracker page at: https://security-tracker.debian.org/tracker/systemd | |
| 2539222 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.3 |
| 2539210 | Both the current and maximum values for the HostTableEntries counter always poll as 0 even when cl-resource-query provides the correct value. | |
| 2539148 | On the platforms that require a port block to be configured as a set of 10G or 25G, if you do not configure the entire set, for example:
when you restart switchd, the service restarts and Cumulus Linux logs an error message into /var/log/switchd.log that is not clear. | 3.7.3 |
| 2539092 | The switch forwards traffic destined to the MLAG paired switch SVI, then drops the traffic. | 3.7.2-3.7.3 |
| 2539082 | TThe following CVEs were announced in Debian Security Advisory DSA-4386-1 and affect the curl package. ———————————————————————————- Debian Security Advisory DSA-4386-1 security@debian.org https://www.debian.org/security/ Alessandro Ghedini February 06, 2019 https://www.debian.org/security/faq ———————————————————————————- Package : curl CVE ID : CVE-2018-16890 CVE-2019-3822 CVE-2019-3823 Multiple vulnerabilities were discovered in cURL, an URL transfer library. CVE-2018-16890 Wenxiang Qian of Tencent Blade Team discovered that the function handling incoming NTLM type-2 messages does not validate incoming data correctly and is subject to an integer overflow vulnerability, which could lead to an out-of-bounds buffer read. CVE-2019-3822 Wenxiang Qian of Tencent Blade Team discovered that the function creating an outgoing NTLM type-3 header is subject to an integer overflow vulnerability, which could lead to an out-of-bounds write. CVE-2019-3823 Brian Carpenter of Geeknik Labs discovered that the code handling the end-of-response for SMTP is subject to an out-of-bounds heap read. For the stable distribution (stretch), these problems have been fixed in version 7.52.1-5+deb9u9. We recommend that you upgrade your curl packages. For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl | |
| 2539075 | When layer 2 VNIs are configured that terminate on Cisco switches at the edge, BUM traffic arriving on the Cisco switch is not being properly VXLAN encapsulated and forwarded to the Cumulus VTEPs. | 3.7.2-3.7.3 |
| 2539072 | After upgrading to Cumulus Linux, the SNMP agent crashes when you call snmpbulkget. The SNMP agent will automatically restart and there is no impact to forwarding traffic. To work around this issue, do not call snmpbulkget where the response packet length is greater than the default maximum message length of 1472. | 3.7.2-3.7.3 |
| 2538977 | The Dell Z9264F and Edgecore AS7816 switch does not support QSFP optical modules broken out to 4x individual interfaces. | |
| 2538965 | On the Edgecore AS7816 switch, when you configure ports as 4x, the links for the ports do not come up and the port EEPROM cannot be read. | |
| 2538942 | The EEPROM information changed on the Dell S5048F switch, which causes PCIe Bus Errors. | 3.7.2-3.7.3 |
| 2538884 | cl-acltool -i fails to install LOG rules if either the source or destination (-d or -s) has multiple comma-separated values, such as:
You see errors similar to the following:
| 3.7.2-3.7.3 |
| 2538814 | The permanent MAC entry that corresponds to the SVI of the layer 3 VNI (corresponding VLAN) is missing in the bridge FDB. | 3.7.0-3.7.3 |
| 2538737 | When a MAC address is frozen, if the switch receives an update for that MAC address from a remote VTEP and the remote sequence number of that update is higher than its local sequence number, the switch programs that MAC address in the kernel bridge FDB as an offload entry reachable behind that remote VTEP. This occurs only when the MAC is moving across three or more VTEPs. | |
| 2538686 | On Trident3 switches, not all ping requests match on the ingress ACL rule. | 3.7.3 |
| 2538651 | On the Edgecore AS7816-64X switch, the fans might spin at high speeds even when the temperature is not high. | 3.7.3 |
| 2538594 | EVPN supports a route map to control which routes in the BGP VRF routing table can inject into EVPN as type-5. This is supposed to operate properly on all common criteria handled by BGP route maps. However, when there is an attribute change that results in the route having to be filtered out, it does not remove the route from EVPN if previously obtained from there. | 3.7.2-3.7.3 |
| 2538500 | The following CVEs were announced in Debian Security Advisory DSA-4367-1 and affect the systemd package. ———————————————————————————– Debian Security Advisory DSA-4367-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso January 13, 2019 https://www.debian.org/security/faq ———————————————————————————– Package: systemd CVE ID: CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 Debian Bug: 918841 918848 The Qualys Research Labs discovered multiple vulnerabilities in systemd-journald. Two memory corruption flaws, via attacker-controlled alloca()s (CVE-2018-16864, CVE-2018-16865) and an out-of-bounds read flaw leading to an information leak (CVE-2018-16866), could allow an attacker to cause a denial of service or the execution of arbitrary code. Further details in the Qualys Security Advisory at https://www.qualys.com/2019/01/09/system-down/system-down.txt For the stable distribution (stretch), these problems have been fixed in version 232-25+deb9u7. We recommend that you upgrade your systemd packages. For the detailed security status of systemd, refer to its security tracker page at: https://security-tracker.debian.org/tracker/system. | |
| 2538206 | You cannot currently disable FEC in Cumulus Linux on a Mellanox switch. | 3.7.1-3.7.3 |
| 2538054 | On the Dell S4148 switch, if link pause is enabled in the /etc/cumulus/datapath/traffic.conf file, switchd fails to restart. | 3.7.0-3.7.3 |
| 2538013 | When the peer link is lost and the backup IP address becomes inactive, the MLAG secondary switch brings up bonds but not VXLAN VNIs. | 3.7.1-3.7.3 |
| 2537918 | When the Cumulus Linux switch has a BGP neighbor to a host running FRR 5.0, if the host FRR syslog is set to debugging and FRR is restarted, the BGP neighbor comes up according to the frr.log but on the switch, the BGP neighbor does not show in the show ip bgp vrf all summary command output (and other neighbor command output). Routes from the host appear fine, but the route map fails to get applied.To work around this issue, either run FRR 6.0 on host or avoid running debug logging. | |
| 2537805 | When you configure an IPv6 only neighbor with NCLU without the peer-group command, then execute the same commands again, the BGP session is reset.For example, if you run the following commands:
Cumulus Linux removes the net commands and adds the following line to FRR (using v6only remote-as), which causes BGP to flap.
This issue does not occur if you add the peer-group command; for example:
. | 3.7.0-3.7.3 |
| 2537409 | It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to on in hardware. | 3.7.1-3.7.3 |
| 2537111 | The gshut community is not removed after you commit the configuration. | 3.7.0-3.7.3 |
| 2536596 | The following CVEs were announced and affect the Linux kernel: https://security-tracker.debian.org/tracker/CVE-2018-17182 for debian. | |
| 2536470 | Full support for resilient hashing on Broadcom Trident 3 switches is not yet available. | |
| 2536329 | If a packet to an unknown IP address (but known network) enters the switch and matches an INPUT ACL rule, it is redirected for ARP and the counters increment for that rule, but it does not perform the action. This only happens until the ARP reply is sent, and then the traffic is forwarded properly. To work around this issue, change the rules to INPUT,FORWARD instead of INPUT. Drops should then be logged properly. | |
| 2536107 | On Tomahawk+ switches, the switchd process is unable to restart after configuring 2x25G in the /etc/cumulus/ports.conf file. | |
| 2535216 | If you add a bridge configuration on a routed (BGP unnumbered) switch port on a Mellanox switch, BGP remains up with routes exchanged or sent from the control plane, but packets received on this interface in the data plane are discarded in hardware. | 3.7.2-3.7.3 |
| 2535006 | Virtual device counters are not working as expected. The TX counter increments but the RX counter does not. | |
| 2532861 | OSFP might improperly determine the LSA recency (CVE-2017-3224). |
3.7.3 Release Notes
Open Issues in 3.7.3
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2552739 | Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | |
| 2552352 | The following security vulnerabilities have been announced in the nss / libnss3 packages: CVE-2020-6829: Side channel attack on ECDSA signature generation CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function CVE-2020-12401: ECDSA timing attack mitigation bypass Vulnerable: <= 3.26-1+debu8u11 Fixed: 3.26-1+debu8u12 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552351 | The following vulnerability has been announced in the libx11 packages: CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method. Vulnerable: <= 1.6.2-3+deb8u2 Fixed: 1.6.2-3+deb8u3 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2551675 | When you restart clagd, the edge port setting on the peer link changes. | 3.7.2-4.2.0 | 4.2.1-4.4.5 |
| 2550323 | After a neighbor is removed, the redistributed neighbor entry is withdrawn from the BGP table, but the prefix might still be selected as the bestpath when the host’s originated prefix is not advertised. To work around this issue, recreate the neighbor entry and flap the interface to the host. Or, if the host is already down, manually create a neighbor entry with an invalid MAC address, which forces redistribute neighbor to re-withdraw the entry. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2548243 | On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2546868 | Broadcom Field Alert - SID - MMU 2B Errors A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546702 | The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load. To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545599 | IPv6 table rules might affect forwarding. For example, if you create the following rule in the /etc/cumulus/acl/policy.d/03-sshd.rules file, the rule counter increments but IPv4 SSH traffic might be dropped.
| 3.7.2-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545235 | On the Edgecore AS6812 switch, you might see rare I2C errors. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545132 | On the Mellanox switch, ACL lookups are performed for VLAN matches when no rules with UNTAGGED match are present. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544401 | Package: openssl CVE ID: CVE-2019-1547 CVE-2019-1549 CVE-2019-1563 Three security issues were discovered in OpenSSL: A timing attack against ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() and it was discovered that a feature of the random number generator (RNG) intended to protect against shared RNG state between parent and child processes in the event of a fork() syscall was not used by default. Fixed version: 1.1.1d-0+deb10u1 We recommend that you upgrade your openssl packages. For the detailed security status of openssl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544324 | Package: hostapd CVE ID: CVE-2019-13377 CVE-2019-16275 Two vulnerabilities were found in the WPA protocol implementation found in wpa_supplication (station) and hostapd (access point). CVE-2019-13377 A timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password. CVE-2019-16275 Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network. Fixed version: 1:2.8.0-cl4u3 | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544212 | Cumulus Linux poed generates excessive debug log entries. These will be reduced in a future release. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2543835 | The following CVEs were announced that affect the ghostscript package: CVE ID : CVE-2019-14811 CVE-2019-14812 CVE-2019-14813 CVE-2019-14817 It was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | 3.7.0-3.7.10 | 3.7.11-3.7.16 |
| 2543727 | ACL rules, such as the following, fail to install if you use swp+ (interfaces mentioned as wildcards).
You can now install such rules with swp+. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2543113 | NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful. To work around this issue, remove the stanza using vtysh. | 3.7.3-3.7.16 | 4.0.0-4.4.5 |
| 2543044 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2542871 | After you issue the NCLU net del bgp vrf command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2542336 | On the Mellanox SN2410 switch, switchd does not start. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2542301 | When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2541761 | A TACACS privilege level 15 user mapped to tacacs15 cannot use net commands even though the user is part of the netedit and/or netshow user group. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2541604 | The snmpd service exits with a message similar to the following:
This problem might occur during or after network convergence events. For example, when bgpd needs to process a high number of updates and the CPU cannot keep up, bgpd is disconnected and agentx generates a core dump in snmpd due to a memory allocation problem.To work around this issue, disable agentx by commenting out the following lines in the /etc/snmp/snmpd.conf file. Then, restart the snmpd service with the systemctl restart snmpd command.
If you still want to poll the BGP4-MIB information, re-enable the bgp pass persist script by adding the following line in the /etc/snmp/snmpd.conf file:
| 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2541090 | The dhcrelay service crashes when the DHCP relay packet comes back from the server. To work around this issue, remove the –nl flag from the dhcrelay service. | 3.7.3-3.7.6 | 3.7.7-3.7.16 |
| 2540950 | On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status. | 3.7.3-4.1.1 | 4.2.0-4.4.5 |
| 2540863 | On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number. | 3.7.3-3.7.16 | |
| 2540845 | On the Dell Z9100-ON switch, smond reports various sensors going from OK to BAD or OK to ABSENT; then the sensors recover. | 3.7.1-3.7.5 | 3.7.6-3.7.16 |
| 2540843 | On the Dell S3048 switch, ports with FEC disabled show as BaseR on boot up. | 3.7.3-3.7.6 | 3.7.7-3.7.16 |
| 2540830 | On the Dell S5248F switch, packets forwarded to the CPU are corrupted. | 3.7.3-3.7.16 | |
| 2540827 | The platform json file for the Dell S5048-ON switch is improperly populated. This creates an issue when trying to poll the inventory statistics with NetQ. | 3.7.3-3.7.5 | 3.7.6-3.7.16 |
| 2540737 | When you commit a configuration change to a VXLAN layer 2 VNI in an MLAG configuration, the peer link on the MLAG secondary switch goes into an STP blocking state. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2540684 | On a Dell S5248F (Trident3) switch, packets from switch ports are forwarded to the CPU and are sometimes corrupted. The corruption might result in BGP peerings being down, which can lead to all VXLAN traffic to and from a node to be lost, causing an outage to dually connected hosts in a rack. To work around this issue, restart switchd. | 3.7.3-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2540600 | If the clagd-vxlan-anycast-ip is removed from the /etc/network/interfaces file (either with the NCLU command or by editing the file manually), MLAG still believes it is present until clagd restarts. | 3.7.3-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2540557 | On Trident3 switches, transit packets larger than 1500 bytes(DF) routed between SVIs is unexpectedly forwarded to the CPU even when the MTU is greater than 9000. This severely limits throughput for routed jumbo frames as packets arriving at a high interval are dropped to the CPU. | 3.7.0-3.7.16 | |
| 2540510 | When traffic is routed by the VRR IP of an SVI, forward chain traffic is erroneously matched to input chain ACLs. | 3.7.3-3.7.5 | 3.7.6-3.7.16 |
| 2540486 | Routes configured in the non-default VRF are not installed in hardware. Restarting switchd or rebooting the switch does not resolve the issue. This issue was discovered on the Helix4 switch but applies to all switches.In Cumulus Linux 3.7.5 and earlier, do not include the string eth in non-management interface names; routes associated with those interfaces might not be installed in hardware. | 3.7.3-3.7.5 | 3.7.6-3.7.16 |
| 2540352 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2540288 | The switchd service crashes when you add a route with a nexhop label. | 3.7.3-3.7.5 | 3.7.6-3.7.16 |
| 2540268 | An incorrect readout of the optical transceiver high temperature alarm threshold (read as 17 degrees centigrade), disables a 100G optical module on Mellanox Spectrum switches. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2540254 | In an EVPN centralized routing deployment, the border leaf sends out incorrect packets when flapping the VLAN interface. | 3.7.2-3.7.5 | 3.7.6-3.7.16 |
| 2540155 | On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2540133 | The wrong route distinguisher is sent in an EVPN advertisement after a port flap. | 3.7.3 | 3.7.4-3.7.16 |
| 2540122 | The snmpd daemon sometimes crashes with the error Unknown operation 6 in agentx_got_response. | 3.7.2-3.7.5 | 3.7.6-3.7.16 |
| 2540045 | After adding or removing a VLAN from a VLAN-aware bridge or from a trunk either using the NCLU command or manually editing the /etc/network/interfaces file and running ifreload -a, an SVI bound to a different VLAN loses its IPv4 address defined in the /etc/network/interfaces file. | 3.7.3-3.7.5 | 3.7.6-3.7.16 |
| 2540031 | NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
| 2539994 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539968 | Permanent bridge FDB entries for a layer 3 VNI SVI are sometimes overwritten by an offload entry and sometimes missing. | 3.7.3 | 3.7.4-3.7.16 |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539835 | When an improperly programmed or corrupted module is inserted, the portwd service might crash due to an EEPROM transceiver code decoding problem and cannot be restarted. | 3.7.3 | 3.7.4-3.7.16 |
| 2539807 | neighmgrd crashes and more than half the neighbor entries are in the FAILED state. Memory and CPU usage is high. | 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2539753 | Currently if the BMC firmware encounters a value that it cannot parse, it logs the following message, which provides insufficient data to understand which value failed to parse correctly and, therefore, how to further investigate the issue.
| 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2539686 | The Cumulus Linux switch sometimes sends out ARP request packets with the sender IP address set to 0.0.0.0. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2539670 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539638 | In an MLAG configuration, some prefixes are correlated with an incorrect VNI, which results in loss of redundant paths in the fabric for these prefixes. To work around this issue, restart FRR or perform a hard boot. | 3.7.2-3.7.16 | |
| 2539433 | If multiple files reference the same module, ifupdown2 user-defined policy overrides do not apply. | 3.7.0-3.7.6 | 3.7.7-3.7.16 |
| 2539422 | In FRR, you can remove the default BGP instance even if there are other instances that depend on it, which causes configuration issues. | 3.7.3-3.7.6 | 3.7.7-3.7.16 |
| 2539222 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2539218 | On the Mellanox SN2700 switch, the 100G-LR4 port might have problems establishing a link over a long distance (around 500 miles) through a telco service provider after a flap. If the laser is forced up by the link provider’s equipment, the circuit comes up. However, the circuit cannot survive a flap and the link remains down after a flap event. However, you might have to explicitly disable auto-negotiation and FEC in this scenario. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2539169 | On the QuantaMesh T1048-LY4R, smonctl reports that all power supplies are absent:
| 3.7.3-3.7.6 | 3.7.7-3.7.16 |
| 2539148 | On the platforms that require a port block to be configured as a set of 10G or 25G, if you do not configure the entire set, for example:
when you restart switchd, the service restarts and Cumulus Linux logs an error message into /var/log/switchd.log that is not clear. | 3.7.3 | 3.7.4-3.7.16 |
| 2539124 | The net add interface command adds no ptm-enable for that interface in the frr.conf file.Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539092 | The switch forwards traffic destined to the MLAG paired switch SVI, then drops the traffic. | 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2539075 | When layer 2 VNIs are configured that terminate on Cisco switches at the edge, BUM traffic arriving on the Cisco switch is not being properly VXLAN encapsulated and forwarded to the Cumulus VTEPs. | 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2539072 | After upgrading to Cumulus Linux, the SNMP agent crashes when you call snmpbulkget. The SNMP agent will automatically restart and there is no impact to forwarding traffic. To work around this issue, do not call snmpbulkget where the response packet length is greater than the default maximum message length of 1472. | 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2538980 | A dummy interface does not inherit the MTU from a defaults file in /etc/network/ifupdown2/policy.d. A dummy interface is typically used to keep SVI interfaces up when there are no switch ports up that are associated with that VLAN. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2538942 | The EEPROM information changed on the Dell S5048F switch, which causes PCIe Bus Errors. | 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2538910 | In a layer 2 VXLAN configuration, where each ECMP path is a layer 3 LACP bond with multiple port members, ECMP hash appears fine for data traffic over VXLAN from one VTEP to another, but the LACP hash is unbalanced. | 3.7.1-3.7.6 | 3.7.7-3.7.16 |
| 2538884 | cl-acltool -i fails to install LOG rules if either the source or destination (-d or -s) has multiple comma-separated values, such as:
You see errors similar to the following:
| 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2538875 | IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file. | 3.7.2-3.7.16 | |
| 2538814 | The permanent MAC entry that corresponds to the SVI of the layer 3 VNI (corresponding VLAN) is missing in the bridge FDB. | 3.7.0-3.7.16 | |
| 2538790 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538756 | When you flap a VNI with ifdown vni and ifup vni, the value of all MTUs for the SVI lowers to 1500 regardless of the default value set in the /etc/network/ifupdown2/policy.d/mtu.json file. This behavior does not occur if you flap the link with ip link set vni down. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2538741 | The NCLU command net show bridge spanning-tree does not show the MLAG peer link as part of the STP forwarding instance.To work around this issue, use the mstpctl command to confirm the STP status of the port. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2538686 | On Trident3 switches, not all ping requests match on the ingress ACL rule. | 3.7.3 | 3.7.4-3.7.16 |
| 2538651 | On the Edgecore AS7816-64X switch, the fans might spin at high speeds even when the temperature is not high. | 3.7.3 | 3.7.4-3.7.16 |
| 2538594 | EVPN supports a route map to control which routes in the BGP VRF routing table can inject into EVPN as type-5. This is supposed to operate properly on all common criteria handled by BGP route maps. However, when there is an attribute change that results in the route having to be filtered out, it does not remove the route from EVPN if previously obtained from there. | 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2538590 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538562 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538480 | Modifying the /etc/netd.conf file to set show_linux_command = True does not take effect. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538256 | On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets. | 3.7.2-4.0.1 | 4.1.0-4.4.5 |
| 2538206 | You cannot currently disable FEC in Cumulus Linux on a Mellanox switch. | 3.7.1-3.7.3 | 3.7.4-3.7.16 |
| 2538054 | On the Dell S4148 switch, if link pause is enabled in the /etc/cumulus/datapath/traffic.conf file, switchd fails to restart. | 3.7.0-3.7.3 | 3.7.4-3.7.16 |
| 2538022 | When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically. To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2538013 | When the peer link is lost and the backup IP address becomes inactive, the MLAG secondary switch brings up bonds but not VXLAN VNIs. | 3.7.1-3.7.3 | 3.7.4-3.7.16 |
| 2537819 | When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2537806 | Bridging ISIS traffic fails because layer 2 cache rules forward ISIS traffic to the CPU, where it is then dropped. To work around this issue, contact Customer Support. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2537805 | When you configure an IPv6 only neighbor with NCLU without the peer-group command, then execute the same commands again, the BGP session is reset.For example, if you run the following commands:
Cumulus Linux removes the net commands and adds the following line to FRR (using v6only remote-as), which causes BGP to flap.
This issue does not occur if you add the peer-group command; for example:
. | 3.7.0-3.7.3 | 3.7.4-3.7.16 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537409 | It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to on in hardware. | 3.7.1-3.7.3 | 3.7.4-3.7.16 |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537188 | When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network. | 3.7.2-3.7.16 | |
| 2537153 | In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2537111 | The gshut community is not removed after you commit the configuration. | 3.7.0-3.7.3 | 3.7.4-3.7.16 |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2536650 | Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters). While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2536639 | On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.To work around this issue: * If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000). * If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2536616 | CVE-2018-5391 (FragmentSmack) is a network vulnerability where an attacker can trigger time and calculation expensive fragment reassembly with specially crafted packets, leading to a denial of service. On a Cumulus Linux switch, the impact is limited to control plane and management plane traffic. Any control plane traffic coming in the front panel ports will be limited by existing policer ACLs. To work around this issue, create a file called /etc/sysctl.d/ip.conf and add these settings:
| 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536559 | When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error:
Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | 3.7.11-3.7.16 |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536230 | On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is no longer set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535216 | If you add a bridge configuration on a routed (BGP unnumbered) switch port on a Mellanox switch, BGP remains up with routes exchanged or sent from the control plane, but packets received on this interface in the data plane are discarded in hardware. | 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2534450 | The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2532924 | The NetQ agent is bundled with Cumulus VX 3.4.3 and later; however, the NetQ agent is not bundled with Cumulus Linux 3.4.3 and later. The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bundled with Cumulus Linux in a future release. | 3.7.0-3.7.6 | 3.7.7-3.7.16 |
Fixed Issues in 3.7.3
| Issue ID | Description | Affects |
|---|---|---|
| 2547838 | The link-down yes parameter in the /etc/network/interfaces file does not work on subinterfaces configured in a VRF. | 3.7.2 |
| 2539386 | Traffic increments the FORWARD ACL rule counter, but nothing is logged to syslog. | |
| 2538538 | EVPN prefixes retain the max-med on startup value after the timer expires. | 3.7.2 |
| 2538384 | Log entries containing grep commands almost completely fill the var/log/openvswitch/ovs-vtepd.log file. | 3.7.2 |
| 2538343 | In an EVPN symmetric routing deployment with active-active anycast IP configured, the next hop attribute is sometimes set to a unique address instead of the anycast IP address. To work around this issue, do not use default-originate ipv4; instead configure the network statements (recommended for small scale deployments). | 3.7.2 |
| 2538336 | On Trident3 switches, the LR interface_mode for 25G optics is not set automatically. | 3.7.2 |
| 2538258 | The following CVEs were announced in Debian Security Advisory DSA-4360-1, and affect the libarchive package. ————————————————————————————- Debian Security Advisory DSA-4360-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff December 27, 2018 https://www.debian.org/security/faq ————————————————————————————- Package: libarchive CVE ID: CVE-2016-10209 CVE-2016-10349 CVE-2016-10350 CVE-2017-14166 CVE-2017-14501 CVE-2017-14502 CVE-2017-14503 CVE-2018-1000877 CVE-2018-1000878 CVE-2018-1000880 Multiple security issues were found in libarchive, a multi-format archive and compression library: Processing malformed RAR archives could result in denial of service or the execution of arbitrary code and malformed WARC, LHarc, ISO, Xar or CAB archives could result in denial of service. For the stable distribution (stretch), these problems have been fixed inversion 3.2.2-2+deb9u1. We recommend that you upgrade your libarchive packages. For the detailed security status of libarchive, refer to its security tracker page at: https://security-tracker.debian.org/tracker/libarchive | |
| 2538157 | Many of the SFPs are not enabled until SFP_TX_ENABLE is set manually. | 3.7.2 |
| 2538150 | If an interface is correctly configured according to the /etc/ptm.d/topology.dot file (pass), then the link goes down, ptmd still shows the cbl status as pass. | 3.7.2 |
| 2538093 | In an EVPN asymmetric type 5 deployment, the EVPN arp-cache of the SVI on the remote leaf is incorrect on the local leaf, which causes a ping failure from the SVI on the remote leaf to the server attached on the local leaf in the same VLAN. | 3.7.2 |
| 2538086 | On the Dell S4000 and S4148 switch, when you insert a 10G-BaseT module, portwd reports a failed reading. | 3.7.2 |
| 2538075 | The kvm-clock module is missing in the kernel on the telemetry server. The system clock only advances one second for approximately every ten real-time seconds that pass. This stops NTP from being able to synchronize the clock. | 3.7.2 |
| 2538046 | Both switches in an MLAG configuration show the correct MLAG role status; however mstpd shows that both switches are in the MLAG primary role, which causes constant STP recalculation, shows the peer link as the STP backup port role, and traffic as being blocked. | |
| 2538042 | If you add a route for a VRF with the ip route command, which writes to the /etc/frr/frr.conf file and then you reload frr, when you try to remove the route from the file, the route is not removed when frr reloads.. | 3.7.2 |
| 2538004 | Cumulus VX images for versions 3.7.0 through 3.7.2 include a vagrant user, as the vagrant box format [requires it|https://www.vagrantup.com/docs/boxes/base.html#default-user-settings] in order to function. This user is not needed; remove the user from the following Cumulus VX images:* cumulus-linux-3.7.0-vx-amd64-qemu.qcow2 * cumulus-linux-3.7.0-vx-amd64-vbox.ova * cumulus-linux-3.7.0-vx-amd64-vmware.ova * cumulus-linux-3.7.1-vx-amd64-qemu.qcow2 * cumulus-linux-3.7.1-vx-amd64-vbox.ova * cumulus-linux-3.7.1-vx-amd64-vmware.ova * cumulus-linux-3.7.2-vx-amd64-qemu.qcow2 * cumulus-linux-3.7.2-vx-amd64-vbox.ova * cumulus-linux-3.7.2-vx-amd64-vmware.ova To remove the vagrant user, run:
| 3.7.0-3.7.2 |
| 2537982 | When the /etc/hostapd.conf file does not exist, the following sequence of commands causes a traceback:
To work around this issue: # Create the /etc/hostapd.conf file with the following default contents:
# Issue the following commands to set the ownership and permissions:
| 3.7.2 |
| 2537977 | After upgrading to Cumulus Linux 3.7.2, the BGP route map does not filter type-5 routes. | 3.7.2 |
| 2537919 | In Cumulus Linux 3.7.2 and earlier, an ACL entry containing 0.0.0.0 as a match parameter is interpreted as a catchall address (0.0.0.0 = 0.0.0.0/0). However in Cumulus Linux 3.7.3 and later, an ACL entry containing 0.0.0.0 as a match parameter is interpreted as a single address (0.0.0.0 = 0.0.0.0/32). Review your ACLs and update as necessary to include the proper subnet mask. | 3.7.2 |
| 2537861 | When booting the switch, the mlxfirmware upgrade fails because a call is made to a file that does not yet exist (the firmware information is not available). This upgrade failure prevents sx_sdk.service and switchd from starting. The switch boots but does not forward any traffic, causing a major outage. | |
| 2537836 | Running ifdown vlan or ip link set vlan down brings down a virtual interface but the interface always comes back up after you run the ifreload -a or net commit command. | 3.7.1-3.7.2 |
| 2537824 | The following CVEs were announced in Debian Security Advisory DSA-4349-1, and affect the libtiff5 package. ————————————————————————————- Debian Security Advisory DSA-4349-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff November 30, 2018 https://www.debian.org/security/faq ————————————————————————————- Package: libtiff5 CVE ID: CVE-2017-11613 CVE-2017-17095 CVE-2018-5784 CVE-2018-7456 CVE-2018-8905 CVE-2018-10963 CVE-2018-17101 CVE-2018-18557 CVE-2018-15209 CVE-2018-16335 Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed. For the stable distribution (stretch), these problems have been fixed in version 4.0.8-2+deb9u4. We recommend that you upgrade your tiff packages. For the detailed security status of tiff, refer to its security tracker page at: https://security-tracker.debian.org/tracker/tiff | |
| 2537776 | BGP crashes with the error bgp_parse_nexthop_update. | 3.7.2 |
| 2537641 | On the Celestica RedstoneV switch, the hardware settings are incorrect on swp14 and swp22. | 3.7.0-3.7.2 |
| 2537543 | When an IP neighbor entry for a host behind an access switch pair is in a FAILED state on a centralized gateway and does not get resolved, a forwarding failure might result. | |
| 2537520 | The as-path is not propagating for EVPN type-5 prefixes until forced with a clear. | |
| 2537446 | The following CVEs were announced in Debian Security Advisory DSA-4338-1, and affect the qemu package. ————————————————————————————- Debian Security Advisory DSA-4338-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff November 11, 2018 https://www.debian.org/security/faq ————————————————————————————- Package: qemu CVE ID: CVE-2018-10839 CVE-2018-17962 CVE-2018-17963 Debian Bug: 908682 910431 911468 911469 Integer overflows in the processing of packets in network cards emulated by QEMU, a fast processor emulator, could result in denial of service. In addition this update backports support to passthrough the new CPU features added in the intel-microcode update shipped in DSA 4273 to x86-based guests. For the stable distribution (stretch), these problems have been fixed in version 1:2.8+dfsg-6+deb9u5. We recommend that you upgrade your qemu packages. For the detailed security status of qemu, refer to its security tracker page at: https://security-tracker.debian.org/tracker/qemu Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ | |
| 2537405 | The following CVEs were announced in Debian Security Advisory DSA-4335-1, and affect the nginx package. ————————————————————————————- Debian Security Advisory DSA-4335-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff November 08, 2018 https://www.debian.org/security/faq —————————————————————————————— Package : nginx CVE ID : CVE-2018-16843 CVE-2018-16844 CVE-2018-16845 Three vulnerabilities were discovered in Nginx, a high-performance web and reverse proxy server, which could in denial of service in processing HTTP/2 (via excessive memory/CPU usage) or server memory disclosure in the ngx_http_mp4_module module (used for server-side MP4 streaming). For the stable distribution (stretch), these problems have been fixed in version 1.10.3-1+deb9u2. We recommend that you upgrade your nginx packages. For the detailed security status of nginx please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nginx | |
| 2537384 | FEC is set when another interface is changed because ifupdown2 does an invalid compare, then switchd modifies the configuration causing the link to flap. | |
| 2537085 | When you run the net add (bond|interface) command, NCLU does not add the port as a slave of the VLAN-aware bridge. | 3.7.1-3.7.2 |
| 2537077 | Switch ports that are configured as MLAG interfaces, then deleted, go into protodown on state unexpectedly.To work around this issue, turn off protodown manually with the ip link command:
| |
| 2537023 | If a pluggable is removed from the Dell S5232F switch during a read transaction, the ocores driver gets stuck and no more i2c transactions are possible on that core. | |
| 2536730 | When you run the net show counters json command, you see the following error if any value is Unknown:
To work around this issue, run the following command to clear out the semaphore file created by cl-netstat -c:
| 3.7.0-3.7.2 |
| 2536615 | NCLU net show configuration commands does not display any output for IPv6 rsyslog hosts. | 3.7.0-3.7.2 |
| 2536614 | NCLU net show configuration commands displays a net add syslog command with invalid syntax. For example, if you run the following commands:
then run�� net show configuration commands, the output of the command syntax is invalid. | 3.7.0-3.7.2 |
| 2536245 | When using dynamic route leaking, software forwarding of packets fails between the connected source and destination. To work around this issue, configure the leak on a switch that does not have any locally-connected hosts. | 3.7.1-3.7.2 |
| 2536167 | When RASH is enabled and an ECMP path is taken away using the ip link set command, traffic using that ECMP path is never moved to another path and is dropped permanently. | |
| 2536070 | This is due to a limitation between Cumulus Linux and the Mellanox hardware. Currently, on a Mellanox switch, Cumulus Linux supports only four ECMP containers with 1000 hash entries per container. | |
| 2535751 | The NCLU net add and net commit commands change the interfaces file even if you add a service like snmp/hostname/etc. This causes an issue with automation. For example, Ansible runs handlers (ifreload -a for interfaces) during each push if the file being edited changes. | 3.7.0-3.7.2 |
| 2535415 | The wrong route target/route distinguisher is sent in an EVPN advertisement after a port flap. | |
| 2535331 | If you use NCLU to configure an ACL for eth0, you cannot designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file. | |
| 2535279 | When links are not synchronized before associated routes, switchd shows the following error log:
| |
| 2534444 | When an interface is configured for OSPF/BGP unnumbered, the net show interface command shows NotConfigured instead of showing that it is unnumbered. | |
| 2533933 | When OSPF is originating a default route, and the command is removed from the process, then re-added, the router stops advertising the default route. Configuring the default-information originate command a second time causes it to start working. | |
| 2533039 | Currently, Cumulus Linux does not program the remote network SVI IP address in the route table. As a result, you can’t ping the remote network gateway address; however, you can ping the hosts in that remote network. | 3.7.0-3.7.2 |
| 2530923 | The upstream OVSDB VTEP schema has been updated multiple times and now contains a patch to support source-node replication. This patch is not included with the latest version of Cumulus Linux. |
3.7.2 Release Notes
Open Issues in 3.7.2
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2552739 | Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | |
| 2552352 | The following security vulnerabilities have been announced in the nss / libnss3 packages: CVE-2020-6829: Side channel attack on ECDSA signature generation CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function CVE-2020-12401: ECDSA timing attack mitigation bypass Vulnerable: <= 3.26-1+debu8u11 Fixed: 3.26-1+debu8u12 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552351 | The following vulnerability has been announced in the libx11 packages: CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method. Vulnerable: <= 1.6.2-3+deb8u2 Fixed: 1.6.2-3+deb8u3 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2551675 | When you restart clagd, the edge port setting on the peer link changes. | 3.7.2-4.2.0 | 4.2.1-4.4.5 |
| 2547838 | The link-down yes parameter in the /etc/network/interfaces file does not work on subinterfaces configured in a VRF. | 3.7.2 | 3.7.3-3.7.16 |
| 2546868 | Broadcom Field Alert - SID - MMU 2B Errors A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546702 | The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load. To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545599 | IPv6 table rules might affect forwarding. For example, if you create the following rule in the /etc/cumulus/acl/policy.d/03-sshd.rules file, the rule counter increments but IPv4 SSH traffic might be dropped.
| 3.7.2-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2545235 | On the Edgecore AS6812 switch, you might see rare I2C errors. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2545132 | On the Mellanox switch, ACL lookups are performed for VLAN matches when no rules with UNTAGGED match are present. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5 |
| 2544401 | Package: openssl CVE ID: CVE-2019-1547 CVE-2019-1549 CVE-2019-1563 Three security issues were discovered in OpenSSL: A timing attack against ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() and it was discovered that a feature of the random number generator (RNG) intended to protect against shared RNG state between parent and child processes in the event of a fork() syscall was not used by default. Fixed version: 1.1.1d-0+deb10u1 We recommend that you upgrade your openssl packages. For the detailed security status of openssl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544324 | Package: hostapd CVE ID: CVE-2019-13377 CVE-2019-16275 Two vulnerabilities were found in the WPA protocol implementation found in wpa_supplication (station) and hostapd (access point). CVE-2019-13377 A timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password. CVE-2019-16275 Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network. Fixed version: 1:2.8.0-cl4u3 | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2543835 | The following CVEs were announced that affect the ghostscript package: CVE ID : CVE-2019-14811 CVE-2019-14812 CVE-2019-14813 CVE-2019-14817 It was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | 3.7.0-3.7.10 | 3.7.11-3.7.16 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2543044 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2542336 | On the Mellanox SN2410 switch, switchd does not start. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2541761 | A TACACS privilege level 15 user mapped to tacacs15 cannot use net commands even though the user is part of the netedit and/or netshow user group. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2541604 | The snmpd service exits with a message similar to the following:
This problem might occur during or after network convergence events. For example, when bgpd needs to process a high number of updates and the CPU cannot keep up, bgpd is disconnected and agentx generates a core dump in snmpd due to a memory allocation problem.To work around this issue, disable agentx by commenting out the following lines in the /etc/snmp/snmpd.conf file. Then, restart the snmpd service with the systemctl restart snmpd command.
If you still want to poll the BGP4-MIB information, re-enable the bgp pass persist script by adding the following line in the /etc/snmp/snmpd.conf file:
| 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2540845 | On the Dell Z9100-ON switch, smond reports various sensors going from OK to BAD or OK to ABSENT; then the sensors recover. | 3.7.1-3.7.5 | 3.7.6-3.7.16 |
| 2540737 | When you commit a configuration change to a VXLAN layer 2 VNI in an MLAG configuration, the peer link on the MLAG secondary switch goes into an STP blocking state. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2540557 | On Trident3 switches, transit packets larger than 1500 bytes(DF) routed between SVIs is unexpectedly forwarded to the CPU even when the MTU is greater than 9000. This severely limits throughput for routed jumbo frames as packets arriving at a high interval are dropped to the CPU. | 3.7.0-3.7.16 | |
| 2540352 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2540268 | An incorrect readout of the optical transceiver high temperature alarm threshold (read as 17 degrees centigrade), disables a 100G optical module on Mellanox Spectrum switches. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2540254 | In an EVPN centralized routing deployment, the border leaf sends out incorrect packets when flapping the VLAN interface. | 3.7.2-3.7.5 | 3.7.6-3.7.16 |
| 2540122 | The snmpd daemon sometimes crashes with the error Unknown operation 6 in agentx_got_response. | 3.7.2-3.7.5 | 3.7.6-3.7.16 |
| 2539994 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
| 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539807 | neighmgrd crashes and more than half the neighbor entries are in the FAILED state. Memory and CPU usage is high. | 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2539753 | Currently if the BMC firmware encounters a value that it cannot parse, it logs the following message, which provides insufficient data to understand which value failed to parse correctly and, therefore, how to further investigate the issue.
| 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2539686 | The Cumulus Linux switch sometimes sends out ARP request packets with the sender IP address set to 0.0.0.0. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2539670 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539638 | In an MLAG configuration, some prefixes are correlated with an incorrect VNI, which results in loss of redundant paths in the fabric for these prefixes. To work around this issue, restart FRR or perform a hard boot. | 3.7.2-3.7.16 | |
| 2539433 | If multiple files reference the same module, ifupdown2 user-defined policy overrides do not apply. | 3.7.0-3.7.6 | 3.7.7-3.7.16 |
| 2539222 | Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2539218 | On the Mellanox SN2700 switch, the 100G-LR4 port might have problems establishing a link over a long distance (around 500 miles) through a telco service provider after a flap. If the laser is forced up by the link provider’s equipment, the circuit comes up. However, the circuit cannot survive a flap and the link remains down after a flap event. However, you might have to explicitly disable auto-negotiation and FEC in this scenario. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2539124 | The net add interface command adds no ptm-enable for that interface in the frr.conf file.Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2539092 | The switch forwards traffic destined to the MLAG paired switch SVI, then drops the traffic. | 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2539075 | When layer 2 VNIs are configured that terminate on Cisco switches at the edge, BUM traffic arriving on the Cisco switch is not being properly VXLAN encapsulated and forwarded to the Cumulus VTEPs. | 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2539072 | After upgrading to Cumulus Linux, the SNMP agent crashes when you call snmpbulkget. The SNMP agent will automatically restart and there is no impact to forwarding traffic. To work around this issue, do not call snmpbulkget where the response packet length is greater than the default maximum message length of 1472. | 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2538980 | A dummy interface does not inherit the MTU from a defaults file in /etc/network/ifupdown2/policy.d. A dummy interface is typically used to keep SVI interfaces up when there are no switch ports up that are associated with that VLAN. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2538942 | The EEPROM information changed on the Dell S5048F switch, which causes PCIe Bus Errors. | 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2538910 | In a layer 2 VXLAN configuration, where each ECMP path is a layer 3 LACP bond with multiple port members, ECMP hash appears fine for data traffic over VXLAN from one VTEP to another, but the LACP hash is unbalanced. | 3.7.1-3.7.6 | 3.7.7-3.7.16 |
| 2538884 | cl-acltool -i fails to install LOG rules if either the source or destination (-d or -s) has multiple comma-separated values, such as:
You see errors similar to the following:
| 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2538875 | IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file. | 3.7.2-3.7.16 | |
| 2538814 | The permanent MAC entry that corresponds to the SVI of the layer 3 VNI (corresponding VLAN) is missing in the bridge FDB. | 3.7.0-3.7.16 | |
| 2538790 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538756 | When you flap a VNI with ifdown vni and ifup vni, the value of all MTUs for the SVI lowers to 1500 regardless of the default value set in the /etc/network/ifupdown2/policy.d/mtu.json file. This behavior does not occur if you flap the link with ip link set vni down. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2538741 | The NCLU command net show bridge spanning-tree does not show the MLAG peer link as part of the STP forwarding instance.To work around this issue, use the mstpctl command to confirm the STP status of the port. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2538594 | EVPN supports a route map to control which routes in the BGP VRF routing table can inject into EVPN as type-5. This is supposed to operate properly on all common criteria handled by BGP route maps. However, when there is an attribute change that results in the route having to be filtered out, it does not remove the route from EVPN if previously obtained from there. | 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2538590 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538562 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | |
| 2538538 | EVPN prefixes retain the max-med on startup value after the timer expires. | 3.7.2 | 3.7.3-3.7.16 |
| 2538480 | Modifying the /etc/netd.conf file to set show_linux_command = True does not take effect. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2538384 | Log entries containing grep commands almost completely fill the var/log/openvswitch/ovs-vtepd.log file. | 3.7.2 | 3.7.3-3.7.16 |
| 2538343 | In an EVPN symmetric routing deployment with active-active anycast IP configured, the next hop attribute is sometimes set to a unique address instead of the anycast IP address. To work around this issue, do not use default-originate ipv4; instead configure the network statements (recommended for small scale deployments). | 3.7.2 | 3.7.3-3.7.16, 4.0.0-4.4.5 |
| 2538336 | On Trident3 switches, the LR interface_mode for 25G optics is not set automatically. | 3.7.2 | 3.7.3-3.7.16 |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538256 | On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets. | 3.7.2-4.0.1 | 4.1.0-4.4.5 |
| 2538206 | You cannot currently disable FEC in Cumulus Linux on a Mellanox switch. | 3.7.1-3.7.3 | 3.7.4-3.7.16 |
| 2538157 | Many of the SFPs are not enabled until SFP_TX_ENABLE is set manually. | 3.7.2 | 3.7.3-3.7.16 |
| 2538150 | If an interface is correctly configured according to the /etc/ptm.d/topology.dot file (pass), then the link goes down, ptmd still shows the cbl status as pass. | 3.7.2 | 3.7.3-3.7.16 |
| 2538093 | In an EVPN asymmetric type 5 deployment, the EVPN arp-cache of the SVI on the remote leaf is incorrect on the local leaf, which causes a ping failure from the SVI on the remote leaf to the server attached on the local leaf in the same VLAN. | 3.7.2 | 3.7.3-3.7.16 |
| 2538086 | On the Dell S4000 and S4148 switch, when you insert a 10G-BaseT module, portwd reports a failed reading. | 3.7.2 | 3.7.3-3.7.16 |
| 2538075 | The kvm-clock module is missing in the kernel on the telemetry server. The system clock only advances one second for approximately every ten real-time seconds that pass. This stops NTP from being able to synchronize the clock. | 3.7.2 | 3.7.3-3.7.16 |
| 2538054 | On the Dell S4148 switch, if link pause is enabled in the /etc/cumulus/datapath/traffic.conf file, switchd fails to restart. | 3.7.0-3.7.3 | 3.7.4-3.7.16 |
| 2538042 | If you add a route for a VRF with the ip route command, which writes to the /etc/frr/frr.conf file and then you reload frr, when you try to remove the route from the file, the route is not removed when frr reloads.. | 3.7.2 | 3.7.3-3.7.16 |
| 2538022 | When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically. To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2538013 | When the peer link is lost and the backup IP address becomes inactive, the MLAG secondary switch brings up bonds but not VXLAN VNIs. | 3.7.1-3.7.3 | 3.7.4-3.7.16 |
| 2538004 | Cumulus VX images for versions 3.7.0 through 3.7.2 include a vagrant user, as the vagrant box format [requires it|https://www.vagrantup.com/docs/boxes/base.html#default-user-settings] in order to function. This user is not needed; remove the user from the following Cumulus VX images:* cumulus-linux-3.7.0-vx-amd64-qemu.qcow2 * cumulus-linux-3.7.0-vx-amd64-vbox.ova * cumulus-linux-3.7.0-vx-amd64-vmware.ova * cumulus-linux-3.7.1-vx-amd64-qemu.qcow2 * cumulus-linux-3.7.1-vx-amd64-vbox.ova * cumulus-linux-3.7.1-vx-amd64-vmware.ova * cumulus-linux-3.7.2-vx-amd64-qemu.qcow2 * cumulus-linux-3.7.2-vx-amd64-vbox.ova * cumulus-linux-3.7.2-vx-amd64-vmware.ova To remove the vagrant user, run:
| 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2537982 | When the /etc/hostapd.conf file does not exist, the following sequence of commands causes a traceback:
To work around this issue: # Create the /etc/hostapd.conf file with the following default contents:
# Issue the following commands to set the ownership and permissions:
| 3.7.2 | 3.7.3-3.7.16 |
| 2537977 | After upgrading to Cumulus Linux 3.7.2, the BGP route map does not filter type-5 routes. | 3.7.2 | 3.7.3-3.7.16 |
| 2537919 | In Cumulus Linux 3.7.2 and earlier, an ACL entry containing 0.0.0.0 as a match parameter is interpreted as a catchall address (0.0.0.0 = 0.0.0.0/0). However in Cumulus Linux 3.7.3 and later, an ACL entry containing 0.0.0.0 as a match parameter is interpreted as a single address (0.0.0.0 = 0.0.0.0/32). Review your ACLs and update as necessary to include the proper subnet mask. | 3.7.2 | 3.7.3-3.7.16 |
| 2537836 | Running ifdown vlan or ip link set vlan down brings down a virtual interface but the interface always comes back up after you run the ifreload -a or net commit command. | 3.7.1-3.7.2 | 3.7.3-3.7.16 |
| 2537819 | When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. | 3.7.2-3.7.16 | 4.0.0-4.4.5 |
| 2537806 | Bridging ISIS traffic fails because layer 2 cache rules forward ISIS traffic to the CPU, where it is then dropped. To work around this issue, contact Customer Support. | 3.7.2-3.7.6 | 3.7.7-3.7.16 |
| 2537805 | When you configure an IPv6 only neighbor with NCLU without the peer-group command, then execute the same commands again, the BGP session is reset.For example, if you run the following commands:
Cumulus Linux removes the net commands and adds the following line to FRR (using v6only remote-as), which causes BGP to flap.
This issue does not occur if you add the peer-group command; for example:
. | 3.7.0-3.7.3 | 3.7.4-3.7.16 |
| 2537776 | BGP crashes with the error bgp_parse_nexthop_update. | 3.7.2 | 3.7.3-3.7.16 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537641 | On the Celestica RedstoneV switch, the hardware settings are incorrect on swp14 and swp22. | 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537409 | It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to on in hardware. | 3.7.1-3.7.3 | 3.7.4-3.7.16 |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537188 | When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network. | 3.7.2-3.7.16 | |
| 2537153 | In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16 |
| 2537111 | The gshut community is not removed after you commit the configuration. | 3.7.0-3.7.3 | 3.7.4-3.7.16 |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537085 | When you run the net add (bond|interface) command, NCLU does not add the port as a slave of the VLAN-aware bridge. | 3.7.1-3.7.2 | 3.7.3-3.7.16 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2536730 | When you run the net show counters json command, you see the following error if any value is Unknown:
To work around this issue, run the following command to clear out the semaphore file created by cl-netstat -c:
| 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2536650 | Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters). While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2536639 | On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.To work around this issue: * If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000). * If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2536616 | CVE-2018-5391 (FragmentSmack) is a network vulnerability where an attacker can trigger time and calculation expensive fragment reassembly with specially crafted packets, leading to a denial of service. On a Cumulus Linux switch, the impact is limited to control plane and management plane traffic. Any control plane traffic coming in the front panel ports will be limited by existing policer ACLs. To work around this issue, create a file called /etc/sysctl.d/ip.conf and add these settings:
| 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2536615 | NCLU net show configuration commands does not display any output for IPv6 rsyslog hosts. | 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2536614 | NCLU net show configuration commands displays a net add syslog command with invalid syntax. For example, if you run the following commands:
then run�� net show configuration commands, the output of the command syntax is invalid. | 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536245 | When using dynamic route leaking, software forwarding of packets fails between the connected source and destination. To work around this issue, configure the leak on a switch that does not have any locally-connected hosts. | 3.7.1-3.7.2 | 3.7.3-3.7.16 |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535751 | The NCLU net add and net commit commands change the interfaces file even if you add a service like snmp/hostname/etc. This causes an issue with automation. For example, Ansible runs handlers (ifreload -a for interfaces) during each push if the file being edited changes. | 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2535216 | If you add a bridge configuration on a routed (BGP unnumbered) switch port on a Mellanox switch, BGP remains up with routes exchanged or sent from the control plane, but packets received on this interface in the data plane are discarded in hardware. | 3.7.2-3.7.3 | 3.7.4-3.7.16 |
| 2534450 | The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2533039 | Currently, Cumulus Linux does not program the remote network SVI IP address in the route table. As a result, you can’t ping the remote network gateway address; however, you can ping the hosts in that remote network. | 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2532924 | The NetQ agent is bundled with Cumulus VX 3.4.3 and later; however, the NetQ agent is not bundled with Cumulus Linux 3.4.3 and later. The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bundled with Cumulus Linux in a future release. | 3.7.0-3.7.6 | 3.7.7-3.7.16 |
Fixed Issues in 3.7.2
| Issue ID | Description | Affects |
|---|---|---|
| 2539912 | The snmpd service fails and generates a core file when the service is stopped or restarted and there is a trapsess line configured.To work around this issue, comment out the trapsess lines. | 3.7.0-3.7.1 |
| 2538443 | On the Dell S5048F and Dell Z9100 switches, the MODULE_DEVICE_TABLE declaration enables the kernel to auto load the drivers on any platform with a Xilinx 7021 device. As a result, these switches might exhibit errors in their dmseg logs when trying to auto load an incompatible driver. | 3.7.0-3.7.1 |
| 2537832 | In an MLAG configuration, you might see the traceback AttributeError: ‘NoneType’ object has no attribute ‘replace’. | 3.7.1 |
| 2537351 | When installing a Cumulus Linux 3.6.1 through 3.7.1 image, the poed service is not enabled by default. | |
| 2537317 | The following CVEs were announced in Debian Security Advisory DSA-4332-1, and affect the ruby package ————————————————————————- Debian Security Advisory DSA-4332-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso November 03, 2018 https://www.debian.org/security/faq ————————————————————————- Package : ruby2.3 CVE ID : CVE-2018-16395 CVE-2018-16396 Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-16395 Tyler Eckstein reported that the equality check of OpenSSL::X509::Name could return true for non-equal objects. If a malicious X.509 certificate is passed to compare with an existing certificate, there is a possibility to be judged incorrectly that they are equal. CVE-2018-16396 Chris Seaton discovered that tainted flags are not propagated in Array#pack and String#unpack with some directives. For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u4. We recommend that you upgrade your ruby2.3 packages. For the detailed security status of ruby2.3 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby2.3 The 2.1 tracker for jessie is: https://security-tracker.debian.org/tracker/ruby2.1 | |
| 2537302 | After FEC is enabled on an interface, ifupdown2 invokes ethtool –set-fec, even if FEC is unchanged. For Broadcom switches, this might cause a link flap. | |
| 2537038 | When you run the NCLU net show system command on the Dell S5248F-ON switch, the output shows blank values for both CPU and Chipset:
| 3.7.0-3.7.1 |
| 2537028 | Under certain conditions, DHCP relay produces a segmentation fault when used in an EVPN symmetric environment with the -U option. | 3.7.1 |
| 2536975 | When you have certain options configured (such as PIM, MSDP, or ssmping), exit-vrf is copied beneath the vni line within the vrf stanza in the running vtysh configuration and in the /etc/frr/frr.conf file. This can cause a conflict; for example, if you are running PIM in the same VRF, the vni line is added above the ip pim rp line:
| 3.7.0-3.7.1 |
| 2536934 | When installing an IPv6 onlink route, if the kernel has a default route and the gateway resolves out of the default route, the route is rejected if the passed in ifindex does not match. With IPv4, the default route match is ignored and the onlink based route is installed. | |
| 2536833 | When you use a Trident3 switch as the exit node, which is playing the role of the spine, pings to external hosts fail after a systemctl restart networking event. | |
| 2536735 | The following CVEs were announced in Debian Security Advisory DSA-4314-1 and affect the net-snmp package. —————————————————————— Debian Security Advisory DSA-4314-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso October 11, 2018 https://www.debian.org/security/faq —————————————————————— Package : net-snmp CVE ID : CVE-2018-18065 Debian Bug : 910638 Magnus Klaaborg Stubman discovered a NULL pointer dereference bug in net-snmp, a suite of Simple Network Management Protocol applications, allowing a remote, authenticated attacker to crash the snmpd process (causing a denial of service). For the stable distribution (stretch), this problem has been fixed in version 5.7.3+dfsg-1.7+deb9u1. We recommend that you upgrade your net-snmp packages. For the detailed security status of net-snmp please refer to its security tracker page at: https://security-tracker.debian.org/tracker/net-snmp Upstream info and fix are: https://dumpco.re/blog/net-snmp-5.7.3-remote-dos https://sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d/ | |
| 2536686 | If you add the MTU to a VLAN with the NCLU net add vlan command, Cumulus Linux adds extra mtu lines in the /etc/network/interfaces file when there are defined bridge ports that do not exist elsewhere in the file. | 3.7.0-3.7.1 |
| 2536669 | After attempting to install unsupported ICMPv6-type rules, the hardware sync fails with an Out of table resource message even after you correct the rules. | 3.7.0-3.7.1 |
| 2536653 | The following CVEs were announced in Debian Security Advisory DSA-4311-1, and affect the git package. ——————————————————————- Debian Security Advisory DSA-4311-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso October 05, 2018 https://www.debian.org/security/faq ——————————————————————- Package : git CVE ID : CVE-2018-17456 joernchen of Phenoelit discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability via a specially crafted .gitmodules file in a project cloned with –recurse-submodules. For the stable distribution (stretch), this problem has been fixed in version 1:2.11.0-3+deb9u4. We recommend that you upgrade your git packages. For the detailed security status of git please refer to its security tracker page at: https://security-tracker.debian.org/tracker/git | |
| 2536582 | The following CVEs were announced in Debian Security Advisory DSA-4306-1, and affect the python package. ————————————————————————- Debian Security Advisory DSA-4306-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff September 27, 2018 https://www.debian.org/security/faq ————————————————————————- Package: python3.4 CVE ID: CVE-2018-1060 CVE-2018-1061 CVE-2018-1000802 Multiple security issues were discovered in Python: ElementTree failed to initialise Expat’s hash salt, two denial of service issues were found in difflib and poplib and the shutil module was affected by a command injection vulnerability. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ | |
| 2536520 | When you run the net show system command on a Facebook Backpack switch, you see an error in netd.log:
| 3.7.0-3.7.1 |
| 2536489 | On a Mellanox switch, when using an ECMP route over /31 interfaces, incorrect layer 3 neighbor and layer 3 route entries are shown. | |
| 2536481 | On Mellanox switches, BFD packets share the same TRAP group (Trap Group 8) as other bulk IP2ME traffic. If traffic is flooded to the CPU (for example, because of route withdrawal) BFD packets are dropped. | |
| 2536463 | The NCLU net del command fails to remove a message-digest-key from a subinterface in a VRF and displays an error message. | |
| 2536454 | Input chain ACLs do not apply in hardware on Broadcom platforms and input packets are processed against rules in the kernel instead. This can result in rules with the drop action not applying in hardware and the packets reaching the kernel. for platforms that do not provide native support for VXLAN routing (non-RIOT platforms). | |
| 2536447 | Add the DAS listener service to the /etc/vrf/systemd.conf file so it can be started in the management VRF as needed. | 3.7.0-3.7.1 |
| 2536445 | The following CVEs were announced in Debian Security Advisory DSA-4924-1, and affect the ghostscript package. ———————————————————- Debian Security Advisory DSA-4294-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff September 16, 2018 https://www.debian.org/security/faq ———————————————————- Package : ghostscript CVE ID : CVE-2018-16509 CVE-2018-16802 Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an interpreter for the PostScript language, which could result in the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled). For the stable distribution (stretch), these problems have been fixed in version 9.20~dfsg-3.2+deb9u5. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | |
| 2536412 | If you configure a BGP community list using NCLU, it should set bgpd=yes if it is not already enabled. Communities are only used with BGP. If you try to configure a community (or extcommunity) before enabling bgpd (either by editing the /etc/frr/daemons file or by running other BGP NCLU commands), NCLU accepts the configuration and no warning is reported when committed. However, the configuration is not accepted by FRR. | |
| 2536392 | NCLU currently supports BGP prefix filtering via community and extcommunity, but not large-community, which are common in 4-Byte ASN environments. NCLU now supports large-community. | |
| 2536366 | When programming policy-based routing (PBR), if you change the input interface from a physical interface to a subinterface, the traffic is not properly redirected. You must flap the nexthop interface to reprogram the PBR. | |
| 2536330 | The following CVEs were announced in Debian Security Advisory DSA-4288-1 and affect the ghostscript package. ——————————————————————————————— Debian Security Advisory DSA-4288-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff September 07, 2018 https://www.debian.org/security/faq ———————————————————————————————- Package : ghostscript CVE ID : CVE-2018-15908 CVE-2018-15910 CVE-2018-15911 CVE-2018-16511 CVE-2018-16513 CVE-2018-16539 CVE-2018-16540 CVE-2018-16541 CVE-2018-16542 CVE-2018-16543 CVE-2018-16585 Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an interpreter for the PostScript language, which could result in denial of service, the creation of files or the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled). For the stable distribution (stretch), these problems have been fixed in version 9.20~dfsg-3.2+deb9u4. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | |
| 2536253 | The following CVEs were announced in Debian Security Advisory DSA-4286-1, and affect the curl package. ————————————————————- Debian Security Advisory DSA-4286-1 security@debian.org https://www.debian.org/security/ Alessandro Ghedini September 05, 2018 https://www.debian.org/security/faq ————————————————————- Package : curl CVE ID : CVE-2018-14618 Zhaoyang Wu discovered that cURL, an URL transfer library, contains a buffer overflow in the NTLM authentication code triggered by passwords that exceed 2GB in length on 32bit systems. See https://curl.haxx.se/docs/CVE-2018-14618.html for more information. For the stable distribution (stretch), this problem has been fixed in version 7.52.1-5+deb9u7. We recommend that you upgrade your curl packages. For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl | |
| 2536210 | When you add ports as bridge ports multiple times with the NCLU command, the commits succeed without error. To work around this issue, remove the extra interfaces with the net del bridge bridge ports command. | |
| 2536188 | When you configure SNMP with NCLU commands, the SNMP server does not restart and you see a warning:WARNING: snmpd is not running. Run “journalctl -u snmpd” for error messages.To work around this issue, start SNMP manually. | |
| 2536072 | The following CVEs affect the hostapd and wpa_supplicant packages. ———————————————————————— https://nvd.nist.gov/vuln/detail/CVE-2018-14526 ———————————————————————— Packages: https://launchpad.net/ubuntu/+source/wpa/2:2.6-15ubuntu2.1 https://launchpad.net/ubuntu/+source/wpa/2.4-0ubuntu6.3 https://launchpad.net/ubuntu/+source/wpa/2.1-0ubuntu1.6 CVE-2018-14526 wpa_supplicant and hostapd could be made to expose sensitive information if it received a crafted message. It was discovered that wpa_supplicant and hostapd incorrectly handled certain messages. An attacker could possibly use this to access sensitive information. The problem can be corrected by updating your system to the following package versions: buntu 18.04 LTS: hostapd 2:2.6-15ubuntu2.1 wpasupplicant 2:2.6-15ubuntu2.1 Ubuntu 16.04 LTS: hostapd 2.4-0ubuntu6.3 wpasupplicant 2.4-0ubuntu6.3 Ubuntu 14.04 LTS: hostapd 2.1-0ubuntu1.6 wpasupplicant 2.1-0ubuntu1.6 After a standard system update you need to reboot your computer to make all the necessary changes. References: https://usn.ubuntu.com/usn/usn-3745-1 Package Information: https://launchpad.net/ubuntu/+source/wpa/2:2.6-15ubuntu2.1 https://launchpad.net/ubuntu/+source/wpa/2.4-0ubuntu6.3 https://launchpad.net/ubuntu/+source/wpa/2.1-0ubuntu1.6 | 3.7.0-3.7.1 |
| 2536033 | NCLU does not allow for configuration of link-speed 10 and does not parse any unrelated NCLU configuration when link-speed 10 is detected in the /etc/network/interfaces file. | |
| 2535990 | SNMPv3 TRAP passwords or encryption keys longer then 16 characters might result in a core dump. For example:
To work around this issue, use SNMPv3 TRAP passwords and encryption keys that are 16 characters or shorter. | |
| 2535977 | On the Trident 3 switch, cl-ecmpcalc returns invalid entries (two entries for MAC address 00:00:00:00:00:00) that cause script failures. | |
| 2535947 | ARP reply packets are flooded to all remote VTEPs when the ARP reply arrives on a different MLAG peer than the one where the permanent MAC exits. To work around this issue: # Manually define the MAC address for the SVI. The MAC address allocated to the SVI is inherited by the bridge (by default). The bridge inherits the MAC address from a physical interface (swp*). This inheritance might result in a different SVI MAC address after a reboot (for example, a configuration change might result in the port being removed from the bridge). For this example, the MAC address of SVI vlan123 is statically configured as sw01 = MM:MM:MM:11:11:11 and sw02 = MM:MM:MM:22:22:22.# Program a static entry on sw01 pointing to sw02 over the _peerlink_ bond in VLAN 123:
# Configure a static MAC address on sw02 pointing to the SVI owned by sw01 over the _peerlink_ bond in VLAN 123:
# Repeat steps above for each VLAN. | |
| 2535877 | Mellanox switches prefer a MAC entry learned through the VNI over a permanent entry for the corresponding SVI. | |
| 2535799 | On the Mellanox Spectrum switch, VXLAN-encapsulated packets are not being forwarded. | |
| 2535733 | If you insert a 1G LX module into an Edgecore 4610 or 5812 switch or reboot the switch with this module installed, no traffic is passed on the switch port when auto-negotiation is enabled. Flapping the link down or up does not repair it. To work around this issue, disable auto-negotiation, then re-enable it to repair the link; otherwise, disable auto-negotiation permanently. For example, if swp1 has the 1G module, disable then re-enable auto-negotiation as follows:
| |
| 2535078 | When you use NCLU to delete an interface, the associated configuration is not removed from the /etc/frr/frr.conf file. | |
| 2534900 | Removing a VLAN from a bridge configured with VXLAN causes a network service outage until the configuration change is reverted with the net rollback last command. To work around this issue, remove the VNI interface first, then remove the unused VLAN from the bridge. | |
| 2533615 | Configuring an IP address on any local layer 3 interface causes the interface IP address to be placed in the BGP martian next hop table. However, subsequent removal of that address from an interface does not remove it from the BGP martian next hop table. | |
| 2532608 | On rare occasions, duplicate packets are seen in an EVPN configuration when routing between a dual-attached local host in one subnet and a remote host in another subnet. This is because the gateway VTEP does not have its VRR MAC address (anycast MAC address) configured on all gateway VTEPs in the bridge forwarding table Run the ifreload -a -X eth0 command to update the interface configuration on all gateway VTEPs. | |
| 2531159 | MLAG does not sync permanent MAC addresses between peers and nolearning is turned on; traffic with a next-hop pointing to the peerlink is forwarded to the CPU and throughput is limited.Permanent MAC address sync between MLAG peers is now supported. | |
| 2529692 | In some instances, ARP requests are not suppressed in a VXLAN active-active configuration but get flooded over VXLAN tunnels instead. This issue occurs because there is no control plane syncing the snooped local neighbor entries between the MLAG pair; MLAG does not perform this sync and neither does EVPN. |
3.7.1 Release Notes
Open Issues in 3.7.1
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2552352 | The following security vulnerabilities have been announced in the nss / libnss3 packages: CVE-2020-6829: Side channel attack on ECDSA signature generation CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function CVE-2020-12401: ECDSA timing attack mitigation bypass Vulnerable: <= 3.26-1+debu8u11 Fixed: 3.26-1+debu8u12 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552351 | The following vulnerability has been announced in the libx11 packages: CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method. Vulnerable: <= 1.6.2-3+deb8u2 Fixed: 1.6.2-3+deb8u3 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2546868 | Broadcom Field Alert - SID - MMU 2B Errors A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546702 | The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load. To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2544401 | Package: openssl CVE ID: CVE-2019-1547 CVE-2019-1549 CVE-2019-1563 Three security issues were discovered in OpenSSL: A timing attack against ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() and it was discovered that a feature of the random number generator (RNG) intended to protect against shared RNG state between parent and child processes in the event of a fork() syscall was not used by default. Fixed version: 1.1.1d-0+deb10u1 We recommend that you upgrade your openssl packages. For the detailed security status of openssl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544324 | Package: hostapd CVE ID: CVE-2019-13377 CVE-2019-16275 Two vulnerabilities were found in the WPA protocol implementation found in wpa_supplication (station) and hostapd (access point). CVE-2019-13377 A timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password. CVE-2019-16275 Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network. Fixed version: 1:2.8.0-cl4u3 | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2543835 | The following CVEs were announced that affect the ghostscript package: CVE ID : CVE-2019-14811 CVE-2019-14812 CVE-2019-14813 CVE-2019-14817 It was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | 3.7.0-3.7.10 | 3.7.11-3.7.16 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2540845 | On the Dell Z9100-ON switch, smond reports various sensors going from OK to BAD or OK to ABSENT; then the sensors recover. | 3.7.1-3.7.5 | 3.7.6-3.7.16 |
| 2540557 | On Trident3 switches, transit packets larger than 1500 bytes(DF) routed between SVIs is unexpectedly forwarded to the CPU even when the MTU is greater than 9000. This severely limits throughput for routed jumbo frames as packets arriving at a high interval are dropped to the CPU. | 3.7.0-3.7.16 | |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539912 | The snmpd service fails and generates a core file when the service is stopped or restarted and there is a trapsess line configured.To work around this issue, comment out the trapsess lines. | 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2539433 | If multiple files reference the same module, ifupdown2 user-defined policy overrides do not apply. | 3.7.0-3.7.6 | 3.7.7-3.7.16 |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2538910 | In a layer 2 VXLAN configuration, where each ECMP path is a layer 3 LACP bond with multiple port members, ECMP hash appears fine for data traffic over VXLAN from one VTEP to another, but the LACP hash is unbalanced. | 3.7.1-3.7.6 | 3.7.7-3.7.16 |
| 2538814 | The permanent MAC entry that corresponds to the SVI of the layer 3 VNI (corresponding VLAN) is missing in the bridge FDB. | 3.7.0-3.7.16 | |
| 2538443 | On the Dell S5048F and Dell Z9100 switches, the MODULE_DEVICE_TABLE declaration enables the kernel to auto load the drivers on any platform with a Xilinx 7021 device. As a result, these switches might exhibit errors in their dmseg logs when trying to auto load an incompatible driver. | 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538206 | You cannot currently disable FEC in Cumulus Linux on a Mellanox switch. | 3.7.1-3.7.3 | 3.7.4-3.7.16 |
| 2538054 | On the Dell S4148 switch, if link pause is enabled in the /etc/cumulus/datapath/traffic.conf file, switchd fails to restart. | 3.7.0-3.7.3 | 3.7.4-3.7.16 |
| 2538013 | When the peer link is lost and the backup IP address becomes inactive, the MLAG secondary switch brings up bonds but not VXLAN VNIs. | 3.7.1-3.7.3 | 3.7.4-3.7.16 |
| 2538004 | Cumulus VX images for versions 3.7.0 through 3.7.2 include a vagrant user, as the vagrant box format [requires it|https://www.vagrantup.com/docs/boxes/base.html#default-user-settings] in order to function. This user is not needed; remove the user from the following Cumulus VX images:* cumulus-linux-3.7.0-vx-amd64-qemu.qcow2 * cumulus-linux-3.7.0-vx-amd64-vbox.ova * cumulus-linux-3.7.0-vx-amd64-vmware.ova * cumulus-linux-3.7.1-vx-amd64-qemu.qcow2 * cumulus-linux-3.7.1-vx-amd64-vbox.ova * cumulus-linux-3.7.1-vx-amd64-vmware.ova * cumulus-linux-3.7.2-vx-amd64-qemu.qcow2 * cumulus-linux-3.7.2-vx-amd64-vbox.ova * cumulus-linux-3.7.2-vx-amd64-vmware.ova To remove the vagrant user, run:
| 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2537836 | Running ifdown vlan or ip link set vlan down brings down a virtual interface but the interface always comes back up after you run the ifreload -a or net commit command. | 3.7.1-3.7.2 | 3.7.3-3.7.16 |
| 2537832 | In an MLAG configuration, you might see the traceback AttributeError: ‘NoneType’ object has no attribute ‘replace’. | 3.7.1 | 3.7.2-3.7.16 |
| 2537805 | When you configure an IPv6 only neighbor with NCLU without the peer-group command, then execute the same commands again, the BGP session is reset.For example, if you run the following commands:
Cumulus Linux removes the net commands and adds the following line to FRR (using v6only remote-as), which causes BGP to flap.
This issue does not occur if you add the peer-group command; for example:
. | 3.7.0-3.7.3 | 3.7.4-3.7.16 |
| 2537699 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537641 | On the Celestica RedstoneV switch, the hardware settings are incorrect on swp14 and swp22. | 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
| 2537409 | It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to on in hardware. | 3.7.1-3.7.3 | 3.7.4-3.7.16 |
| 2537378 | NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.To work around this issue, stop snmpd, remove the cache file, then restart snmpd. | 3.7.1-3.7.16 | |
| 2537111 | The gshut community is not removed after you commit the configuration. | 3.7.0-3.7.3 | 3.7.4-3.7.16 |
| 2537104 | When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL. | 3.7.1-3.7.16 | 4.0.0-4.4.5 |
| 2537085 | When you run the net add (bond|interface) command, NCLU does not add the port as a slave of the VLAN-aware bridge. | 3.7.1-3.7.2 | 3.7.3-3.7.16 |
| 2537061 | The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent. | 3.7.1-4.0.1 | 4.1.0-4.4.5 |
| 2537038 | When you run the NCLU net show system command on the Dell S5248F-ON switch, the output shows blank values for both CPU and Chipset:
| 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2537028 | Under certain conditions, DHCP relay produces a segmentation fault when used in an EVPN symmetric environment with the -U option. | 3.7.1 | 3.7.2-3.7.16 |
| 2536975 | When you have certain options configured (such as PIM, MSDP, or ssmping), exit-vrf is copied beneath the vni line within the vrf stanza in the running vtysh configuration and in the /etc/frr/frr.conf file. This can cause a conflict; for example, if you are running PIM in the same VRF, the vni line is added above the ip pim rp line:
| 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2536730 | When you run the net show counters json command, you see the following error if any value is Unknown:
To work around this issue, run the following command to clear out the semaphore file created by cl-netstat -c:
| 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2536686 | If you add the MTU to a VLAN with the NCLU net add vlan command, Cumulus Linux adds extra mtu lines in the /etc/network/interfaces file when there are defined bridge ports that do not exist elsewhere in the file. | 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2536669 | After attempting to install unsupported ICMPv6-type rules, the hardware sync fails with an Out of table resource message even after you correct the rules. | 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2536650 | Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters). While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2536639 | On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.To work around this issue: * If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000). * If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2536616 | CVE-2018-5391 (FragmentSmack) is a network vulnerability where an attacker can trigger time and calculation expensive fragment reassembly with specially crafted packets, leading to a denial of service. On a Cumulus Linux switch, the impact is limited to control plane and management plane traffic. Any control plane traffic coming in the front panel ports will be limited by existing policer ACLs. To work around this issue, create a file called /etc/sysctl.d/ip.conf and add these settings:
| 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2536615 | NCLU net show configuration commands does not display any output for IPv6 rsyslog hosts. | 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2536614 | NCLU net show configuration commands displays a net add syslog command with invalid syntax. For example, if you run the following commands:
then run�� net show configuration commands, the output of the command syntax is invalid. | 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536520 | When you run the net show system command on a Facebook Backpack switch, you see an error in netd.log:
| 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2536447 | Add the DAS listener service to the /etc/vrf/systemd.conf file so it can be started in the management VRF as needed. | 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536245 | When using dynamic route leaking, software forwarding of packets fails between the connected source and destination. To work around this issue, configure the leak on a switch that does not have any locally-connected hosts. | 3.7.1-3.7.2 | 3.7.3-3.7.16 |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536072 | The following CVEs affect the hostapd and wpa_supplicant packages. ———————————————————————— https://nvd.nist.gov/vuln/detail/CVE-2018-14526 ———————————————————————— Packages: https://launchpad.net/ubuntu/+source/wpa/2:2.6-15ubuntu2.1 https://launchpad.net/ubuntu/+source/wpa/2.4-0ubuntu6.3 https://launchpad.net/ubuntu/+source/wpa/2.1-0ubuntu1.6 CVE-2018-14526 wpa_supplicant and hostapd could be made to expose sensitive information if it received a crafted message. It was discovered that wpa_supplicant and hostapd incorrectly handled certain messages. An attacker could possibly use this to access sensitive information. The problem can be corrected by updating your system to the following package versions: buntu 18.04 LTS: hostapd 2:2.6-15ubuntu2.1 wpasupplicant 2:2.6-15ubuntu2.1 Ubuntu 16.04 LTS: hostapd 2.4-0ubuntu6.3 wpasupplicant 2.4-0ubuntu6.3 Ubuntu 14.04 LTS: hostapd 2.1-0ubuntu1.6 wpasupplicant 2.1-0ubuntu1.6 After a standard system update you need to reboot your computer to make all the necessary changes. References: https://usn.ubuntu.com/usn/usn-3745-1 Package Information: https://launchpad.net/ubuntu/+source/wpa/2:2.6-15ubuntu2.1 https://launchpad.net/ubuntu/+source/wpa/2.4-0ubuntu6.3 https://launchpad.net/ubuntu/+source/wpa/2.1-0ubuntu1.6 | 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535751 | The NCLU net add and net commit commands change the interfaces file even if you add a service like snmp/hostname/etc. This causes an issue with automation. For example, Ansible runs handlers (ifreload -a for interfaces) during each push if the file being edited changes. | 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2534450 | The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2533039 | Currently, Cumulus Linux does not program the remote network SVI IP address in the route table. As a result, you can’t ping the remote network gateway address; however, you can ping the hosts in that remote network. | 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2532924 | The NetQ agent is bundled with Cumulus VX 3.4.3 and later; however, the NetQ agent is not bundled with Cumulus Linux 3.4.3 and later. The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bundled with Cumulus Linux in a future release. | 3.7.0-3.7.6 | 3.7.7-3.7.16 |
Fixed Issues in 3.7.1
| Issue ID | Description | Affects |
|---|---|---|
| 2540153 | On a Mellanox switch, when you change the VRF membership of an interface with VRR enabled, the VRR MAC address is not properly programmed into hardware. To work around this issue, delete and recreate the interface using ifup and ifdown. | 3.7.0 |
| 2536685 | OSPF6 fails to start on a fresh install of Cumulus Linux 3.7. | 3.7.0 |
| 2536561 | Due to changes made to the BMC firmware, Cumulus Linux might be unable to read certain sensors correctly on the Dell S5248F Trident3 switch; for example, the CPU temperature might appear as absent. | 3.7.0 |
| 2536521 | If you change the BGP aggregate addresses using NCLU and FRR is restarted, the configuration is accepted, but the routes do not appear in the BGP table. To work around this issue, manually change the BGP aggregate addresses in vtysh. | |
| 2536476 | When clagd is running and you add or modify the MLAG VXLAN anycast IP address on the loopback using NCLU or by editing the configuration file, the changes are not applied. You need to restart clagd manually for the changes to be applied. | |
| 2536195 | On the Trident3 switch, any packet received with TTL=1 and destined to the CPU is marked as dropped. | |
| 2536157 | On Mellanox switches, member interfaces for Bond are not supported on ERSPAN. | |
| 2536138 | If you start FRRouting and your configuration has a BGP IPv4 network statement that is the same as an aggregate-address statement, then the aggregate is not announced.For example, if you have the following FRR configuration:
Then that network is not advertised unless the 172.16.250.0/24 (exactly) is in the RIB. The issue does not happen if the network statement does not exactly match the aggregate-address statement (including super and subnets). To work around this issue, remove the matching network statement. | |
| 2536014 | On a Tomahawk switch with VXLAN-enabled VLANs, if the native VLAN on a port is changed, the GPORT associated with a MAC address in that VLAN is incorrect. | |
| 2535940 | The VRF membership for a VRR interface fails to update. This issue does not affect SVI (non-v0) interfaces. To work round this issue, reboot the switch or remove the VRR IP address and reconfigure it. For example:
| |
| 2534501 | Routes that are learned from an EVPN cloud do not get summarized. Only routes that reside on, or are owned by, a switch get summarized. |
3.7.0 Release Notes
Open Issues in 3.7.0
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3410952 | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.12.1 |
| 3376798 | On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlanMAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.12.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
| 3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.12.1 |
| 2959454 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact Vulnerable: <= 2.1.0-6+deb8u6Fixed: 2.1.0-6+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2959444 | CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information Vulnerable: <= 4.2-3+deb8u4Fixed: 4.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2957684 | CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2949602 | CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. | 3.7.0-3.7.15 | 3.7.16 |
| 2949586 | CVE-2022-21699: ipython may execute untrusted files in the current working directory Vulnerable: 2.3.0-2Fixed: 2.3.0-2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2949585 | CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog. | 3.7.0-3.7.15 | 3.7.16 |
| 2949584 | CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service Vulnerable: <= 3.26-1+debu8u15Fixed: 3.26-1+debu8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2941560 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed Vulnerable: <= 9.26a~dfsg-0+deb8u7Fixed: 9.26a~dfsg-0+deb8u | 3.7.0-3.7.15 | 3.7.16 |
| 2910862 | CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file” Vulnerable: <= 0.13.62-3+deb8u2Fixed: 0.13.62-3+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2910861 | CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods Vulnerable: <= 2.1.5-2+deb8u12Fixed: 2.1.5-2+deb8u13 | 3.7.0-3.7.15 | 3.7.16 |
| 2885241 | CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code Vulnerable: <= 3.26-1+debu8u13Fixed: 3.26-1+debu8u14 | 3.7.0-3.7.15 | 3.7.16 |
| 2885239 | CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms Vulnerable: 6.0.0+dfsg-6 on armel platformFixed: 6.0.0+dfsg-6+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2885238 | The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash Vulnerable: <= 5.43-2+deb9u2~deb8u3Fixed: 5.43-2+deb9u2~deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2866111 | CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. | 3.7.0-3.7.15 | 3.7.16 |
| 2862269 | CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established Vulnerable: <= 9.4.26-0+deb8u4Fixed: 9.4.26-0+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2855881 | A number of vulnerabilities were discovered in Redis, a popular key/value database:CVE-2021-32672: Random heap reading issue with Lua Debugger CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow Vulnerable: <= 2:2.8.17-1+deb8u8Fixed: 2:2.8.17-1+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2855879 | The following vulnerabilities have been announced in the python3.4 package:CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows to read arbitrary file on the filesystem CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexityand it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server Vulnerable: <= 3.4.2-1+deb8u10Fixed: 3.4.2-1+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2850806 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts) Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22Fixed: 1:9.9.5.dfsg-9+deb8u23 | 3.7.0-3.7.15 | 3.7.16 |
| 2845540 | CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling Vulnerable: <= 1.7.5-11+deb8u8Fixed: 1.7.5-11+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2841003 | CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference Vulnerable: <= 0.13-4~deb8u2Fixed: 0.13-4~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2835994 | CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function Vulnerable: <= 1.0.1t-1+deb8u15Fixed: 1.0.1t-1+deb8u16 | 3.7.0-3.7.15 | 3.7.16 |
| 2823255 | CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode) Vulnerable: <= 52.1-8+deb8u8Fixed: 52.1-8+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2821981 | The following vulnerabilities have been announced in the ruby2.1 package:CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions) CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.“Vulnerable: <= 2.1.5-2+deb8u11Fixed: 2.1.5-2+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2820758 | The following vulnerabilities have been announced in curl:CVE-2021-22946 Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected CVE-2021-22947 When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data Vulnerable: <= 7.38.0-4+deb8u21Fixed: 7.38.0-4+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2813826 | Two security issues were found in TIFF, a widely used format for storing image data, as follows:CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop” CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ funtion in the component ‘tif_unix.c’ Vulnerable: <= 4.0.3-12.3+deb8u11Fixed: 4.0.3-12.3+deb8u12 | 3.7.0-3.7.15 | 3.7.16 |
| 2813823 | Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user Vulnerable: <= 2.4.10-10+deb8u18Fixed: 2.4.10-10+deb8u19 | 3.7.0-3.7.15 | 3.7.16 |
| 2801126 | CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: <= 2.7.1-5+deb8u2Fixed: 2.7.1-5+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2801125 | OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 1.0.1t-1+deb8u14Fixed: 1.0.1t-1+deb8u15 | 3.7.0-3.7.15 | 3.7.16 |
| 2801124 | GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01 Vulnerable: <= 3.3.30-0+deb8u1Fixed: 3.3.30-0+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2798139 | CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions Vulnerable: <= 9.4.26-0+deb8u3Fixed: 9.4.26-0+deb8u4 | 3.7.0-3.7.15 | 3.7.16 |
| 2769687 | CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library Vulnerable: <= 7.38.0-4+deb8u20Fixed: 7.38.0-4+deb8u21 | 3.7.0-3.7.15 | 3.7.16 |
| 2769633 | CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames Vulnerable: <= 1.10.0-2+deb8u2Fixed: 1.10.0-2+deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2769632 | CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made Vulnerable: <= 0.80.7-2+deb8u4Fixed: 0.80.7-2+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2769631 | CVE-2021-38165: lynx has a a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data Vulnerable: <= 2.8.9dev1-2+deb8u1Fixed: 2.8.9dev1-2+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2743132 | CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow exectution of arbitrary code Vulnerable: <= 1.0.25-9.1+deb8u5Fixed: 1.0.25-9.1+deb8u6 | 3.7.0-3.7.15 | 3.7.16 |
| 2736247 | CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.cVulnerable: <= 1.900.1-debian1-2.4+deb8u10Fixed: 1.900.1-debian1-2.4+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2736245 | CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems Vulnerable: <= 2.8.17-1+deb8u7Fixed: 2.8.17-1+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2728207 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728206 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2728205 | CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
| 2726776 | CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour Vulnerable: <= 2.4.10-10+deb8u17Fixed: 2.4.10-10+deb8u18 | 3.7.0-3.7.15 | 3.7.16 |
| 2716841 | CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository Vulnerable: <= 1.5.6-5+deb8u1Fixed: 1.5.6-5+deb8u2 | 3.7.0-3.7.15 | 3.7.16 |
| 2705169 | CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.0.3-12.3+deb8u10Fixed: 4.0.3-12.3+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2705168 | CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16 |
| 2702519 | CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2684404 | CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16 |
| 2679950 | CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.4.1-cl4.4.0u1Fixed: 4.4.1-cl4.4.0u2 | 3.7.0-4.3.3 | 4.4.0-4.4.5 |
| 2677063 | CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16 |
| 2677061 | CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16 |
| 2677060 | CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16 |
| 2668477 | CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions Vulnerable: <= 1.6.2-3+deb8u4Fixed: 1.6.2-3+deb8u5 | 3.7.0-3.7.15 | 3.7.16 |
| 2660693 | CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request Vulnerable: 7.38.0-4+deb8u19Fixed: 7.38.0-4+deb8u20 | 3.7.0-3.7.15 | 3.7.16 |
| 2658233 | The following vulnerabilities have been announced in the graphviz package:CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (applicationcrash) via a crafted file CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.38.0-7Fixed: 2.38.0-7+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2654684 | CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10 | 3.7.0-3.7.15 | 3.7.16 |
| 2653521 | CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16 |
| 2646974 | The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16 |
| 2646968 | CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16 |
| 2635951 | The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617009 | CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617008 | CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617007 | CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617006 | CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute Vulnerable: <= 3.4.0-1+deb8u3Fixed: 3.4.0-1+deb8u4 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2617002 | CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact Vulnerable: 6.8.9.9-5+deb8u22Fixed: 6.8.9.9-5+deb8u23 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589570 | The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2589567 | The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16 |
| 2552352 | The following security vulnerabilities have been announced in the nss / libnss3 packages: CVE-2020-6829: Side channel attack on ECDSA signature generation CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function CVE-2020-12401: ECDSA timing attack mitigation bypass Vulnerable: <= 3.26-1+debu8u11 Fixed: 3.26-1+debu8u12 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2552351 | The following vulnerability has been announced in the libx11 packages: CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method. Vulnerable: <= 1.6.2-3+deb8u2 Fixed: 1.6.2-3+deb8u3 | 3.7.0-3.7.13 | 3.7.14-3.7.16 |
| 2546868 | Broadcom Field Alert - SID - MMU 2B Errors A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2546702 | The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load. To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2544401 | Package: openssl CVE ID: CVE-2019-1547 CVE-2019-1549 CVE-2019-1563 Three security issues were discovered in OpenSSL: A timing attack against ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() and it was discovered that a feature of the random number generator (RNG) intended to protect against shared RNG state between parent and child processes in the event of a fork() syscall was not used by default. Fixed version: 1.1.1d-0+deb10u1 We recommend that you upgrade your openssl packages. For the detailed security status of openssl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2544324 | Package: hostapd CVE ID: CVE-2019-13377 CVE-2019-16275 Two vulnerabilities were found in the WPA protocol implementation found in wpa_supplication (station) and hostapd (access point). CVE-2019-13377 A timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password. CVE-2019-16275 Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network. Fixed version: 1:2.8.0-cl4u3 | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2543835 | The following CVEs were announced that affect the ghostscript package: CVE ID : CVE-2019-14811 CVE-2019-14812 CVE-2019-14813 CVE-2019-14817 It was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript | 3.7.0-3.7.10 | 3.7.11-3.7.16 |
| 2543211 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2540557 | On Trident3 switches, transit packets larger than 1500 bytes(DF) routed between SVIs is unexpectedly forwarded to the CPU even when the MTU is greater than 9000. This severely limits throughput for routed jumbo frames as packets arriving at a high interval are dropped to the CPU. | 3.7.0-3.7.16 | |
| 2540153 | On a Mellanox switch, when you change the VRF membership of an interface with VRR enabled, the VRR MAC address is not properly programmed into hardware. To work around this issue, delete and recreate the interface using ifup and ifdown. | 3.7.0 | 3.7.1-3.7.16 |
| 2539962 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2539912 | The snmpd service fails and generates a core file when the service is stopped or restarted and there is a trapsess line configured.To work around this issue, comment out the trapsess lines. | 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2539433 | If multiple files reference the same module, ifupdown2 user-defined policy overrides do not apply. | 3.7.0-3.7.6 | 3.7.7-3.7.16 |
| 2539081 | When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2538814 | The permanent MAC entry that corresponds to the SVI of the layer 3 VNI (corresponding VLAN) is missing in the bridge FDB. | 3.7.0-3.7.16 | |
| 2538443 | On the Dell S5048F and Dell Z9100 switches, the MODULE_DEVICE_TABLE declaration enables the kernel to auto load the drivers on any platform with a Xilinx 7021 device. As a result, these switches might exhibit errors in their dmseg logs when trying to auto load an incompatible driver. | 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2538302 | portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap. | 3.7.0-3.7.16 | |
| 2538294 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2538054 | On the Dell S4148 switch, if link pause is enabled in the /etc/cumulus/datapath/traffic.conf file, switchd fails to restart. | 3.7.0-3.7.3 | 3.7.4-3.7.16 |
| 2538004 | Cumulus VX images for versions 3.7.0 through 3.7.2 include a vagrant user, as the vagrant box format [requires it|https://www.vagrantup.com/docs/boxes/base.html#default-user-settings] in order to function. This user is not needed; remove the user from the following Cumulus VX images:* cumulus-linux-3.7.0-vx-amd64-qemu.qcow2 * cumulus-linux-3.7.0-vx-amd64-vbox.ova * cumulus-linux-3.7.0-vx-amd64-vmware.ova * cumulus-linux-3.7.1-vx-amd64-qemu.qcow2 * cumulus-linux-3.7.1-vx-amd64-vbox.ova * cumulus-linux-3.7.1-vx-amd64-vmware.ova * cumulus-linux-3.7.2-vx-amd64-qemu.qcow2 * cumulus-linux-3.7.2-vx-amd64-vbox.ova * cumulus-linux-3.7.2-vx-amd64-vmware.ova To remove the vagrant user, run:
| 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2537805 | When you configure an IPv6 only neighbor with NCLU without the peer-group command, then execute the same commands again, the BGP session is reset.For example, if you run the following commands:
Cumulus Linux removes the net commands and adds the following line to FRR (using v6only remote-as), which causes BGP to flap.
This issue does not occur if you add the peer-group command; for example:
. | 3.7.0-3.7.3 | 3.7.4-3.7.16 |
| 2537641 | On the Celestica RedstoneV switch, the hardware settings are incorrect on swp14 and swp22. | 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2537111 | The gshut community is not removed after you commit the configuration. | 3.7.0-3.7.3 | 3.7.4-3.7.16 |
| 2537038 | When you run the NCLU net show system command on the Dell S5248F-ON switch, the output shows blank values for both CPU and Chipset:
| 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2536975 | When you have certain options configured (such as PIM, MSDP, or ssmping), exit-vrf is copied beneath the vni line within the vrf stanza in the running vtysh configuration and in the /etc/frr/frr.conf file. This can cause a conflict; for example, if you are running PIM in the same VRF, the vni line is added above the ip pim rp line:
| 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2536730 | When you run the net show counters json command, you see the following error if any value is Unknown:
To work around this issue, run the following command to clear out the semaphore file created by cl-netstat -c:
| 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2536686 | If you add the MTU to a VLAN with the NCLU net add vlan command, Cumulus Linux adds extra mtu lines in the /etc/network/interfaces file when there are defined bridge ports that do not exist elsewhere in the file. | 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2536685 | OSPF6 fails to start on a fresh install of Cumulus Linux 3.7. | 3.7.0 | 3.7.1-3.7.16 |
| 2536669 | After attempting to install unsupported ICMPv6-type rules, the hardware sync fails with an Out of table resource message even after you correct the rules. | 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2536650 | Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters). While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5 |
| 2536639 | On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.To work around this issue: * If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000). * If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2536616 | CVE-2018-5391 (FragmentSmack) is a network vulnerability where an attacker can trigger time and calculation expensive fragment reassembly with specially crafted packets, leading to a denial of service. On a Cumulus Linux switch, the impact is limited to control plane and management plane traffic. Any control plane traffic coming in the front panel ports will be limited by existing policer ACLs. To work around this issue, create a file called /etc/sysctl.d/ip.conf and add these settings:
| 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5 |
| 2536615 | NCLU net show configuration commands does not display any output for IPv6 rsyslog hosts. | 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2536614 | NCLU net show configuration commands displays a net add syslog command with invalid syntax. For example, if you run the following commands:
then run�� net show configuration commands, the output of the command syntax is invalid. | 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2536608 | Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI. | 3.7.0-3.7.16 | |
| 2536561 | Due to changes made to the BMC firmware, Cumulus Linux might be unable to read certain sensors correctly on the Dell S5248F Trident3 switch; for example, the CPU temperature might appear as absent. | 3.7.0 | 3.7.1-3.7.16 |
| 2536520 | When you run the net show system command on a Facebook Backpack switch, you see an error in netd.log:
| 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2536447 | Add the DAS listener service to the /etc/vrf/systemd.conf file so it can be started in the management VRF as needed. | 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2536384 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536179 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2536072 | The following CVEs affect the hostapd and wpa_supplicant packages. ———————————————————————— https://nvd.nist.gov/vuln/detail/CVE-2018-14526 ———————————————————————— Packages: https://launchpad.net/ubuntu/+source/wpa/2:2.6-15ubuntu2.1 https://launchpad.net/ubuntu/+source/wpa/2.4-0ubuntu6.3 https://launchpad.net/ubuntu/+source/wpa/2.1-0ubuntu1.6 CVE-2018-14526 wpa_supplicant and hostapd could be made to expose sensitive information if it received a crafted message. It was discovered that wpa_supplicant and hostapd incorrectly handled certain messages. An attacker could possibly use this to access sensitive information. The problem can be corrected by updating your system to the following package versions: buntu 18.04 LTS: hostapd 2:2.6-15ubuntu2.1 wpasupplicant 2:2.6-15ubuntu2.1 Ubuntu 16.04 LTS: hostapd 2.4-0ubuntu6.3 wpasupplicant 2.4-0ubuntu6.3 Ubuntu 14.04 LTS: hostapd 2.1-0ubuntu1.6 wpasupplicant 2.1-0ubuntu1.6 After a standard system update you need to reboot your computer to make all the necessary changes. References: https://usn.ubuntu.com/usn/usn-3745-1 Package Information: https://launchpad.net/ubuntu/+source/wpa/2:2.6-15ubuntu2.1 https://launchpad.net/ubuntu/+source/wpa/2.4-0ubuntu6.3 https://launchpad.net/ubuntu/+source/wpa/2.1-0ubuntu1.6 | 3.7.0-3.7.1 | 3.7.2-3.7.16 |
| 2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535965 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
| 2535751 | The NCLU net add and net commit commands change the interfaces file even if you add a service like snmp/hostname/etc. This causes an issue with automation. For example, Ansible runs handlers (ifreload -a for interfaces) during each push if the file being edited changes. | 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2534450 | The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5 |
| 2533039 | Currently, Cumulus Linux does not program the remote network SVI IP address in the route table. As a result, you can’t ping the remote network gateway address; however, you can ping the hosts in that remote network. | 3.7.0-3.7.2 | 3.7.3-3.7.16 |
| 2532924 | The NetQ agent is bundled with Cumulus VX 3.4.3 and later; however, the NetQ agent is not bundled with Cumulus Linux 3.4.3 and later. The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bundled with Cumulus Linux in a future release. | 3.7.0-3.7.6 | 3.7.7-3.7.16 |
Fixed Issues in 3.7.0
| Issue ID | Description | Affects |
|---|---|---|
| 2536324 | When you use NCLU to add an SVI to the second MLAG peer (after adding to the first), clagd issues a traceback and becomes unresponsive until systemd puts it into a failed state. | |
| 2536199 | When you add a new SVI to the switch and assign it to an existing VRF, all IPv6 global unicast address (GUA) neighbors are flushed and existing traffic between hosts in the data center is dropped. | |
| 2536141 | If you run ipdown and ifup commands several times on an SVI, you might see a clagd traceback. | |
| 2536111 | When the ptmd daemon detects an LLDP neighbor change event, the respective script is executed (if-topo-pass or if-topo-fail). Environment variables are set and are accessible to the script (as described in man ptmd). However, in LLDP events, some environment variables are not getting set correctly. | |
| 2536097 | The following CVEs were announced in Debian Security Advisory DSA-4280-1, and affect the openssh package. ————————————————————————- Debian Security Advisory DSA-4280-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond August 22, 2018 https://www.debian.org/security/faq ————————————————————————– Package : openssh CVE ID : CVE-2018-15473 Debian Bug : 906236 Dariusz Tytko, Michal Sajdak and Qualys Security discovered that OpenSSH, an implementation of the SSH protocol suite, was prone to a user enumeration vulnerability. This would allow a remote attacker to check whether a specific user account existed on the target server. For the stable distribution (stretch), this problem has been fixed in version 1:7.4p1-10+deb9u4. We recommend that you upgrade your openssh packages. For the detailed security status of openssh, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssh | |
| 2536096 | If SNMP is configured, entering the NCLU command to create an SNMP v3 user that already exists returns an exit code of 1. To work around this issue, delete the username with the net del snmp-server username command before adding it again. | |
| 2536069 | The link-down yes configuration in the /etc/network/interfaces file does not work for eth0 or eth1 configured in the management VRF. This issue is not observed if the Ethernet interface is in the default VRF. | |
| 2536041 | When you start an Ansible playbook on an unlicensed Mellanox switch, a kernel fault occurs when setup script is being executed. | |
| 2536034 | After a sequence of MAC moves and IP moves, the leaf switches behind which the host is present point to the old MAC address associated with that IP address. | |
| 2536011 | When you run an NCLU command from the command line, the command hangs without a response. | |
| 2535961 | The following CVEs were announced in Debian Security Advisory DSA-4269-1 and affect the postgresql package. CVE-2018-10925 is fixed in Cumulus Linux 3.7.0. CVE-2018-10915 will be fixed when it’s fixed upstream. ————————————————————————- Debian Security Advisory DSA-4269-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff August 10, 2018 https://www.debian.org/security/faq ————————————————————————- Package : postgresql-9.6 CVE ID : CVE-2018-10915 CVE-2018-10925 Two vulnerabilities have been found in the PostgreSQL database system: CVE-2018-10915 Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects. CVE-2018-10925 It was discovered that some “CREATE TABLE” statements could disclose server memory. For additional information, refer to the upstream announcement at https://www.postgresql.org/about/news/1878/ For the detailed security status of postgresql-9.6, refer to its security tracker page at: https://security-tracker.debian.org/tracker/postgresql-9.6 https://security-tracker.debian.org/tracker/source-package/postgresql-9.4 https://security-tracker.debian.org/tracker/CVE-2018-10915 https://security-tracker.debian.org/tracker/CVE-2018-10925 CVE-2018-10925 is listed as fixed in jessie source package: 9.4.19-0+deb8u1 | |
| 2535951 | If a bond is configured with NCLU, incorrect configuration is generated on the system so that when you run net show config commands, you see a message stating that the vid and pvid commands are not supported and incorrect commands are provided to configure them. | |
| 2535939 | When you add a new peer group, then change the AFIs associated with that peer group, the frr-reload script fails with the error Specify remote-as or peer-group commands first.To work around this issue, perform the configuration in two separate commits. First, create the peer groups and commit, then change the AFIs in a second commit. | |
| 2535912 | The BFD UDP source port range is incorrect. | |
| 2535886 | The following CVEs were announced in Debian Security Advisory DSA-4266-1, and affect the kernel. ————————————————————————- Debian shows the CVE-2018-13405 details, including link to the kernel.org fix here: https://security-tracker.debian.org/tracker/CVE-2018-13405. The kernel.org fix is here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 Debian has the CVE-2018-5390 TCP DoS info here: https://security-tracker.debian.org/tracker/CVE-2018-5390. CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’) - CVE-2018-5390 Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service. An attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessions. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port. Thus, the attacks cannot be performed using spoofed IP addresses. https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=1a4f14bab1868b443f0dd3c55b689a478f82e72e | |
| 2535873 | An ML2 REST API call to add a host to the bridge fails with an error. | |
| 2535869 | When you configure a breakout port using NCLU, the configuration is not successful. | |
| 2535841 | When a BGP peer is created with max med on startup, a timer is created. Deleting the BGP instance that contains that peer during the window in which the timer is still running results in a BGPd crash. | |
| 2535835 | The following CVEs were announced in Debian Security Advisory DSA-4259-1, and affect the ruby2.3 package. ————————————————————————- Debian Security Advisory DSA-4259-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff July 31, 2018 https://www.debian.org/security/faq ————————————————————————- Package: ruby2.3 CVE ID: CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079 Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in incorrect processing of HTTP/FTP, directory traversal, command injection, unintended socket creation or information disclosure. This update also fixes several issues in RubyGems which could allow an attacker to use specially crafted gem files to mount cross-site scripting attacks, cause denial of service through an infinite loop, write arbitrary files, or run malicious code. For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u3. We recommend that you upgrade your ruby2.3 packages. Note: CVE-2018-1000073 and CVE-2018-1000074 are awaiting re-analysis. For the detailed security status of ruby2.3, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby2.3 | |
| 2535774 | For hosts (virtual machines) that rely on VRR, it is expected that the virtual-address is periodically sent by the gateway to avoid flooding on kvm/libvirt. Cumulus Linux sends GARP messages every 150 seconds out of the -v0 interface so the packet is not transmitted on the physical VLAN interface. | |
| 2535744 | NCLU mistakenly believes the FRR reload state is not active and restarts the service. | |
| 2535742 | Whenever there is a netlink link event, mstpd prints an additional log: bridge_notify: port 65: no_flush 0 where 65 is the ifIndex. There are already clear logs when there is a link transition; this log is not necessary. | |
| 2535720 | If you change the IP address of the clagd-backup-ip parameter in the configuration file and run ifreload -a, the changes are not applied and the VRF configuration is removed. | |
| 2535705 | On a Broadcom Trident II+ switch, VXLAN decapsulation does not work for unknown unicast flooding. To work around this issue, disable VXLAN routing by editing the /usr/lib/python2.7/dist-packages/cumulus/__chip_config/bcm/datapath.conf file; change the vxlan_routing_overlay.profile variable to disable, then restart switchd. | |
| 2535637 | If there is a failure when NCLU runs frr-reload.py, an incorrect error code of 0 is returned. | |
| 2535630 | The Dell S5048 Tomahawk+ ASIC does not provide high power to QSFP. | |
| 2535557 | The following CVEs affect ntp. ————————————————————————- [USN-3707-1] NTP vulnerabilities Ubuntu Security Notice USN-3707-1 July 09, 2018 ntp vulnerabilities ————————————————————————- A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.04 LTS Ubuntu 17.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary: Several security issues were fixed in NTP. Software Description: ntp: Network Time Protocol daemon and utility programs Details: Yihan Lian discovered that NTP incorrectly handled certain malformed mode 6 packets. A remote attacker could possibly use this issue to cause ntpd to crash, resulting in a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2018-7182) Michael Macnair discovered that NTP incorrectly handled certain responses. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2018-7183) Miroslav Lichvar discovered that NTP incorrectly handled certain zero-origin timestamps. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2018-7184) Miroslav Lichvar discovered that NTP incorrectly handled certain zero-origin timestamps. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2018-7185) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS: ntp 1:4.2.8p10+dfsg-5ubuntu7.1 Ubuntu 17.10: ntp 1:4.2.8p10+dfsg-5ubuntu3.3 Ubuntu 16.04 LTS: ntp 1:4.2.8p4+dfsg-3ubuntu5.9 Ubuntu 14.04 LTS: ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.04.13 In general, a standard system update will make all the necessary changes. References: https://usn.ubuntu.com/usn/usn-3707-1 CVE-2018-7182, CVE-2018-7183, CVE-2018-7184, CVE-2018-7185 | |
| 2535502 | If you change the ASN configuration on a switch running EVPN then reload the FRR service (using sudo systemctl reload frr or via net commit), the programming of VXLAN forwarding entries breaks.To avoid this issue when making this change, restart the FRR process (using sudo systemctl restart frr) instead. | |
| 2535420 | When running the openstack network create command, you see an internal server error. | |
| 2535087 | When you use the net del all command in a configuration that is run by an Ansible script, the peerlink.4094 interface remains in the configuration, which prevents the commit from completing because the configured MTU is not accepted. | |
| 2534865 | On Maverick 100G switches, after enabling FEC on links with 100G AOC cables, random links do not come up after a reboot. To work around this issue, disable FEC on 100G AOC links. | |
| 2534556 | After moving an IP address to a new host, the neighbor table and EVPN routes do not update properly after receiving a GARP from the new MAC address to which the previously-active IP address has been moved. This issue is being investigated at this time. | |
| 2534230 | On a Cumulus Linux switch, if a bridge has VXLAN interfaces, then the arp_accept and arp_ignore options do not work for any switch virtual interfaces (SVIs).To work around this issue, disable ARP suppression on the VXLAN interfaces. For example, if the VXLAN is named vni100, disable ARP suppression on it with the following command:
This issue should be fixed in a future release of Cumulus Linux. | |
| 2534087 | In a VXLAN centralized routing configuration, IPv6 hosts (auto-configured using SLAAC) might experience intermittent connectivity loss between VXLAN segments (inter-subnet routing) within the data center fabric (EVPN type-5 external routes are not affected). The NA message has the wrong flag set (the router flag is not set, which is incorrect behavior based on RFC 4861, Section 4.4). To work around this issue, configure bridge-arp-nd-suppress off under VNI interfaces for all VTEP devices. | |
| 2533775 | The Edgecore AS4610-54T switch always displays a yellow system LED. | |
| 2527924 | When adding applying an anycast IP address in a VXLAN configuration to a pair of switches, the clagd process stops. | |
| 2527444 | On a Broadcom switch the HwIfOutQlen NIC statistic shows an incorrect value. |