This documentation is for the extended support release (ESR) version of Cumulus Linux. We will continue to keep this content up to date until 21 February, 2023, when ESR support ends. For more information about ESR, please read this knowledge base article.

If you are using the current version of Cumulus Linux, the content on this page may not be up to date. The current version of the documentation is available here. If you are redirected to the main page of the user guide, then this page may have been renamed; please search for it there.

Cumulus Linux 3.7 Release Notes


3.7.16 Release Notes

Open Issues in 3.7.16

Each entry lists the issue ID (with the legacy CM ID where one exists), the description, the releases the issue affects, and the releases that contain the fix.

Issue ID: 3418046
Description: If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
Affects: 3.7.0-5.4.0
Fixed: 5.5.0-5.6.0

Issue ID: 3376798
Description: On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during a switchd restart. The /var/log/switchd.log file includes the following exception shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected.
Affects: 3.7.0-3.7.16, 4.3.1-4.4.5
Fixed: none

Issue ID: 3330705
Description: When using TACACS+, a TACACS+ server name that resolves to more than one IP address (for example, both an IPv6 and an IPv4 address) is counted multiple times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, set the prefer_ip_version configuration option (the default value is 4) to choose between the IPv4 and IPv6 address when both are present.
Affects: 3.7.0-5.3.1
Fixed: 5.4.0-5.6.0

Issue ID: 3327477
Description: If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 through tacacs15 user instead of the named user when running sudo commands. As a result, the named user's password might not match the local tacacs0 through tacacs15 user password.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0
Fixed: none

Issue ID: 3216922
Description: RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-5.2.1
Fixed: 5.3.0-5.6.0

Issue ID: 3216921
Description: RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-3.7.16, 4.3.0-4.4.5
Fixed: none

Issue ID: 3216759
Description: With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly:
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy, or keep ip-acl-heavy and use ACL non-atomic mode.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5
Fixed: none

Issue ID: 3209699
Description: RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-4.3.0, 4.4.0-5.2.1
Fixed: 4.3.1, 5.3.0-5.6.0
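The three /etc/netd.conf entries above give the same advice: every name on the users_with_edit line must be a real local account, or a RADIUS user with show-only rights inherits edit rights. The following POSIX shell function is an added check written for this page (it is not Cumulus Linux code and not part of NCLU): it reads the users_with_edit line and reports any name that has no entry in the passwd file. It assumes the comma-separated "users_with_edit = root, cumulus" form of the line; the file paths are parameters so the demonstration runs on constructed copies rather than /etc/netd.conf and /etc/passwd.

```shell
#!/bin/sh
# Added example (not Cumulus code): verify that every name on the
# users_with_edit line of netd.conf is a real local Linux user.
# Assumes the line has the form "users_with_edit = root, cumulus".
# Exit status 0 = all names are local, 1 = at least one is not.

check_users_with_edit() {
    conf="$1"     # path to netd.conf (normally /etc/netd.conf)
    passwd="$2"   # path to passwd (normally /etc/passwd)

    # Take the value after "=" on the first users_with_edit line.
    line=$(sed -n 's/^[[:space:]]*users_with_edit[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    if [ -z "$line" ]; then
        echo "no users_with_edit line in $conf"
        return 0
    fi

    rc=0
    # Split the comma separated list; the unquoted expansion drops the
    # whitespace around each name.
    for u in $(printf '%s\n' "$line" | tr ',' ' '); do
        if grep -q -- "^$u:" "$passwd"; then
            echo "ok: $u is a local user"
        else
            echo "WARNING: $u is on users_with_edit but is not a local user"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration on constructed files (not taken from a switch).
demo_dir=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo_dir/passwd"
printf 'cumulus:x:1000:1000::/home/cumulus:/bin/bash\n' >> "$demo_dir/passwd"
printf '[users]\nusers_with_edit = root, cumulus, netadmin\nusers_with_show = root, cumulus\n' > "$demo_dir/netd.conf"
check_users_with_edit "$demo_dir/netd.conf" "$demo_dir/passwd" \
    || echo "fix users_with_edit before relying on RADIUS read-only access"
rm -rf "$demo_dir"
```

On a switch, run it as check_users_with_edit /etc/netd.conf /etc/passwd after every change to the NCLU user lists; a non-zero exit status means the read-only RADIUS restriction described in these issues is not enforced.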
Issue ID: 3129819
Description: On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5
Fixed: none

Issue ID: 3123556
Description: When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it.
Affects: 3.7.15-4.3.0, 4.4.0-5.1.0
Fixed: 4.3.1, 5.2.0-5.6.0

Issue ID: 3119615
Description: In an MLAG topology, if you admin down a single connected interface, any dynamic MAC addresses on the peer link are flushed, then added back momentarily, which creates a disruption in traffic.
Affects: 3.7.15-5.1.0
Fixed: 5.2.0-5.6.0

Issue ID: 3093966
Description: On Broadcom switches, INPUT chain iptables rules filter IPv6 packets that match the rules.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5
Fixed: none

Issue ID: 3093863
Description: The snmpd process slowly leaks memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command.
Affects: 3.7.16-4.4.3
Fixed: 4.4.4-4.4.5, 5.2.0-5.6.0

Issue ID: 3077737
Description: The update-ports.service fails because a blank space in the comment lines of the /etc/cumulus/ports.conf file causes parsing errors.
To work around this issue, remove the blank spaces in the commented lines, then restart the update-ports and switchd services.
Affects: 3.7.15-4.3.0
Fixed: 4.3.1-4.4.5, 4.4.4-4.4.5

Issue ID: 3073668
Description: On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap.
Affects: 3.7.12-3.7.16, 4.3.0-4.4.5
Fixed: none

Issue ID: 3072613
Description: When you delete a bond interface with NCLU, BGP peer group configuration is removed.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5
Fixed: none

Issue ID: 3066704
Description: The hostapd service stops working if an 802.1X interface goes up and down many times over a long period of time.
To work around this issue, restart the hostapd service with the systemctl restart hostapd command.
Affects: 3.7.15-4.3.0
Fixed: 4.3.1-4.4.5

Issue ID: 3021693
Description: When ARP suppression is off, Cumulus Linux sends GARPs from neighmgrd for remote neighbors over VXLAN.
Affects: 3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.1.0
Fixed: 4.3.1, 4.4.4-4.4.5, 5.2.0-5.6.0

Issue ID: 3017190
Description: When you power cycle the switch, multiple interfaces come up in a PoE disabled state.
To work around this issue, run the sudo poectl -a | grep disabled command to find ports with disabled PoE, then run the sudo poectl -e swp1-swp48 command to enable PoE on the affected ports.
Affects: 3.7.10-3.7.16
Fixed: none

Issue ID: 3015881
Description: Traffic flows fail because the remote VTEP IP address is missing from the layer 3 neighbor table in hardware on the switch. This happens when there is a neighbor entry for a /32 for which a type-5 route has also been received. When the route is learned after the neighbor entry, a timing condition can cause the neighbor entry to be removed from hardware when the route is installed in hardware.
This condition has been seen when customers reuse the VTEP IP address on an interface inside a VRF. The neighbor entry for the VTEP IP address is installed when a symmetric route is learned via that VTEP. The type-5 route for the VTEP IP address is learned in the VRF if the customer has redistributed it or advertised it within BGP in the VRF.
Affects: 3.7.15-3.7.16
Fixed: none

Issue ID: 3007564
Description: After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed.
Affects: 3.7.15-5.0.1
Fixed: 5.1.0-5.6.0, 5.2.0-5.6.0

Issue ID: 2991514
Description: Cumulus Linux can take a long time (100 seconds) to sync a large number of VNIs on a bridge.
Affects: 3.7.15-4.3.0
Fixed: 4.3.1-4.4.5

Issue ID: 2972538
Description: With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non-cumulus user accounts.
Affects: 3.7.15-3.7.16
Fixed: none

Issue ID: 2965759
Description: On the EdgeCore AS4610-54T switch, the fan speed reports a minimum threshold in the logs.
Affects: 3.7.15-3.7.16
Fixed: none

Issue ID: 2961008
Description: SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces.
Affects: 3.7.15-4.4.2, 5.0.0-5.0.1
Fixed: 4.4.3-4.4.5, 5.1.0-5.6.0

Issue ID: 2959067
Description: ECMP produces errors indicating No More Resources and switchd crashes even when ECMP utilization is low.
Affects: 3.7.14.2-4.2.1
Fixed: 4.3.0-4.4.5

Issue ID: 2951110
Description: The net show time ntp servers command does not show any output with the management VRF.
Affects: 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.6.0
Fixed: none

Issue ID: 2947679
Description: If the clagd service stops during initDelay, the peerlink flag does not clear from any VNIs that become dual connected during this time. switchd uses the peerlink flag to program MLAG loop prevention. As a result of the overlapping stale flags, traffic destined for the VXLAN might drop.
Affects: 3.7.15-3.7.16
Fixed: none
Issue ID: 2934939
Description: When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage.
To work around this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example:
Before:
address-family ipv4 unicast
aggregate-address 10.10.0.0/16 summary-only
redistribute connected
After:
ip route 10.10.0.0/16 Null0
!
address-family ipv4 unicast
redistribute connected route-map DENY-COMPONENTS
redistribute static
exit-address-family
ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
!
route-map DENY-COMPONENTS deny 10
match ip address prefix-list NO-COMPONENTS
!
route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed.
Affects: 3.7.12-3.7.16
Fixed: none
Issue ID: 2899422
Description: Broadcom switches return a table full error when creating VXLAN gports, which causes switchd to crash.
Affects: 3.7.15-4.3.0
Fixed: 4.3.1-4.4.5

Issue ID: 2896733
Description: Traffic failover in a multicast topology with redundancy leaves the mroute stuck in a prune state and PIM join messages continue to be sent. To work around this issue, run the vtysh clear ip mroute command.
Affects: 3.7.15-4.3.0, 5.0.0-5.0.1
Fixed: 4.3.1-4.4.5, 5.1.0-5.6.0

Issue ID: 2867058
Description: On the Dell Z9264F-ON switch, interfaces that use the QSFP28 module remain down after you restart switchd.
Affects: 3.7.15-4.3.0
Fixed: 4.3.1-4.4.5

Issue ID: 2866084
Description: When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB, while the correct VTEP IP address is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del dev [dst|via] <interface|IP> command, then add "vxlan-learning": "off" to the /etc/network/ifupdown2/policy.d/vxlan.json file (add the comma at the end of the vxlan-port line, then add the vxlan-learning line):
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
    "vxlan": {
        "module_globals": { "vxlan-purge-remotes": "no" },
        "defaults": {
            "vxlan-ageing": "1800",
            "vxlan-port": "4789",
            "vxlan-learning": "off"
        }
    }
}
Reboot the affected switches.
Affects: 3.7.12-4.3.0
Fixed: 4.3.1-4.4.5
Issue ID: 2859177
Description: The cl-route-check --layer3 command fails with a memory error. For example:
cumulus@switch:~$ sudo cl-route-check --layer3
Traceback (most recent call last):
  File "/usr/cumulus/bin/cl-route-check", line 1270, in <module>
    routing.collect_data()
  File "/usr/cumulus/bin/cl-route-check", line 528, in collect_data
    self.collect_data_bgp_ipv4()
  File "/usr/cumulus/bin/cl-route-check", line 711, in collect_data_bgp_ipv4
    bgp_ipv4 = json.loads(output)
  File "/usr/lib/python2.7/json/__init__.py", line 338, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
    obj, end = self.scan_once(s, idx)
MemoryError
Affects: 3.7.15-3.7.16
Fixed: none

Issue ID: 2853536
Description: MLAG between Cumulus Linux and Arista devices might result in some links being suspended by the Arista devices with the error LACP partner validation failed.
This happens when you use the same LACP port ID for more than one bond member on the Cumulus Linux switch.
To work around this issue, run the net add bond bond mode balance-xor command on the bond on the Cumulus Linux switch. For proper operation, you need to make the equivalent change on the device on the other side of the link.
Affects: 3.7.15-3.7.16
Fixed: none

Issue ID: 2827336
Description: After bringing up a bridge port, there is a multi-second delay before the bridge port is able to learn any MAC addresses or neighbors, which causes a forwarding delay (about six seconds with 300 or more VLANs).
Affects: 3.7.15-3.7.16
Fixed: none
Issue ID: 2821869
Description: The cl-route-check --layer3 command fails with a memory error. For example:
cumulus@switch:~$ sudo cl-route-check --layer3
Traceback (most recent call last):
  File "/usr/cumulus/bin/cl-route-check", line 1270, in <module>
    routing.collect_data()
  File "/usr/cumulus/bin/cl-route-check", line 528, in collect_data
    self.collect_data_bgp_ipv4()
  File "/usr/cumulus/bin/cl-route-check", line 711, in collect_data_bgp_ipv4
    bgp_ipv4 = json.loads(output)
  File "/usr/lib/python2.7/json/__init__.py", line 338, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
    obj, end = self.scan_once(s, idx)
MemoryError
Affects: 3.7.15-4.4.5
Fixed: 5.0.0-5.6.0
Issue ID: 2798979
Description: Configuring a route map to filter VNIs causes type-3 routes not to be advertised, even for L2VNIs permitted through the route map.
Affects: 3.7.15-3.7.16
Fixed: none

Issue ID: 2792750
Description: If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely.
Affects: 3.7.15-4.3.0, 4.4.0-4.4.5
Fixed: 4.3.1

Issue ID: 2754791
Description: Remote MAC addresses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP.
Affects: 3.7.14.2-3.7.16, 4.3.0-4.4.5
Fixed: none

Issue ID: 2743186
Description: When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish.
Affects: 3.7.15-5.1.0
Fixed: 5.2.0-5.6.0

Issue ID: 2734107
Description: When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP address are not imported into layer 2 VNIs.
Affects: 3.7.12-4.3.0, 4.4.0-4.4.1
Fixed: 4.3.1, 4.4.2-4.4.5

Issue ID: 2728207
Description: CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5
Fixed: none

Issue ID: 2728206
Description: CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5
Fixed: none

Issue ID: 2728205
Description: CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-4.4.1
Fixed: 4.4.2-4.4.5

Issue ID: 2716822
Description: The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports.
Affects: 3.7.15-4.3.0
Fixed: 4.3.1-4.4.5

Issue ID: 2713888
Description: With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly:
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy, or keep ip-acl-heavy and use ACL non-atomic mode.
Affects: 3.7.15-5.0.1
Fixed: 5.1.0-5.6.0
Issue ID: 2687332
Description: When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage.
To work around this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example:
Before:
address-family ipv4 unicast
aggregate-address 10.10.0.0/16 summary-only
redistribute connected
After:
ip route 10.10.0.0/16 Null0
!
address-family ipv4 unicast
redistribute connected route-map DENY-COMPONENTS
redistribute static
exit-address-family
ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
!
route-map DENY-COMPONENTS deny 10
match ip address prefix-list NO-COMPONENTS
!
route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed.
Affects: 3.7.12-4.2.1
Fixed: 4.3.0-4.4.5
Issue ID: 2684452
Description: When a VTEP is rebooted, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB, while the correct VTEP IP address is present in the EVPN MAC VNI table.
You can work around this issue with the following steps:
1. Clear all corrupted MAC entries in the kernel FDB with the bridge fdb del dev [dst|via] <interface|IP> command.
2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json (add the comma at the end of the vxlan-port line, then add the vxlan-learning line):
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
    "vxlan": {
        "module_globals": { "vxlan-purge-remotes": "no" },
        "defaults": {
            "vxlan-ageing": "1800",
            "vxlan-port": "4789",
            "vxlan-learning": "off"
        }
    }
}
3. Reboot the affected switch or switches.
Affects: 3.7.12-3.7.16
Fixed: none
Issue ID: 2669858
Legacy ID: CM-32169
Description: OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf.
This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts, when the client has no previously stored host key for the server. A mitigation using the UpdateHostKeys and HostKeyAlgorithms client options is also given in that paper.
Affects: 3.7.14-3.7.16, 4.0.0-4.4.5
Fixed: none

Issue ID: 2656291
Description: The following CVEs affect the linux kernel package:
CVE-2019-14821
CVE-2019-14835
CVE-2019-15117
CVE-2019-15118
CVE-2019-15902
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
For the detailed security status of linux, refer to its security tracker page at https://security-tracker.debian.org/tracker/linux
Affects: 3.7.12-3.7.16
Fixed: 4.0.0-4.4.5

Issue ID: 2653400
Description: When 802.1X MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1X from the interface with the net del interface dot1x command, then add back the 802.1X configuration.
Affects: 3.7.10-3.7.16
Fixed: none

Issue ID: 2652003
Description: When 802.1X MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1X from the interface with the net del interface dot1x command, then add back the 802.1X configuration.
Affects: 3.7.10-4.3.0
Fixed: 4.3.1-4.4.5

Issue ID: 2648658
Description: If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure.
Affects: 3.7.15-4.3.1
Fixed: 4.4.0-4.4.5

Issue ID: 2638137
Description: When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file.
Affects: 3.7.13-3.7.16
Fixed: none

Issue ID: 2633245
Description: On the Dell N3048EP-ON switch, the SFP+ ports remain down after a power cycle.
Affects: 3.7.10-3.7.16
Fixed: none

Issue ID: 2607965
Description: On the EdgeCore AS7726 switch, when you run the NCLU net show system command, you see the error Command not found.
Affects: 3.7.14.2-3.7.16
Fixed: none

Issue ID: 2562347
Description: When you bring VXLAN interfaces up and down physically or administratively, the MTU for the SVIs changes to 1550 (the default value).
Affects: 3.7.14.2-3.7.16
Fixed: none
Issue ID: 2556037
Legacy ID: CM-33012
Description: After you add an interface to the bridge, an OSPF session flap might occur.
Affects: 3.7.9-4.2.0
Fixed: 4.2.1-4.4.5

Issue ID: 2555908
Legacy ID: CM-32940
Description: If you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up.
To work around this issue, wait until the peer link is up before adding the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command.
Affects: 3.7.12-4.0.1
Fixed: 4.1.0-4.4.5

Issue ID: 2555528
Legacy ID: CM-32750
Description: In an EVPN active-active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer's ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher.
Affects: 3.7.14-4.2.1
Fixed: 4.3.0-4.4.5

Issue ID: 2555175
Legacy ID: CM-32528
Description: Control plane traffic (for example, BGP peering from leaf to spine) goes down on the leaf because the peer's hold-down timer expires, following prolonged link flaps on downlinks when VXLAN-enabled VLANs are carried on the flapping link.
Affects: 3.7.15-3.7.16, 4.2.1-4.4.5
Fixed: none

Issue ID: 2554785
Legacy ID: CM-32275
Description: After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:
Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:
Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed out
Nov 12 12:20:05.064464 leaf01 switchd[9867]:
Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memory
Nov 12 12:20:05.092029 leaf01 switchd[9867]:
Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initialized
Nov 12 12:20:05.099579 leaf01 switchd[9867]:
Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminated
Nov 12 12:20:05.099667 leaf01 switchd[9867]:
Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminated
Nov 12 12:20:05.099798 leaf01 switchd[9867]:
Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0
Nov 12 12:20:05.099892 leaf01 switchd[9867]:
Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!
To work around this issue, configure Cumulus Linux to boot with the intel_iommu=off kernel command line option:
1. Open the /etc/default/grub file with a text editor.
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example:
GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"
3. Run the update-grub command.
4. Reboot the switch.
Affects: 3.7.11-4.2.1
Fixed: 4.3.0-4.4.5
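Step 2 of the workaround above is easy to get wrong by hand (a dropped closing quote leaves the switch unbootable, and re-running the edit duplicates the option). The following POSIX shell functions are an added example written for this page, not Cumulus code: they append intel_iommu=off inside the existing quotes of the GRUB_CMDLINE_LINUX line, refuse to touch a file that has no such line, leave a .bak copy, and are idempotent. They assume the double-quoted GRUB_CMDLINE_LINUX="..." form shown in the release note; the file path is a parameter so the demonstration works on a constructed copy instead of /etc/default/grub.

```shell
#!/bin/sh
# Added example (not Cumulus code): add intel_iommu=off to GRUB_CMDLINE_LINUX
# in a grub defaults file without duplicating it or clobbering the other
# options. Assumes the double-quoted GRUB_CMDLINE_LINUX="..." form from the
# release note. On a switch the file is /etc/default/grub; run update-grub
# and reboot afterwards, as the workaround steps say.

add_intel_iommu_off() {
    f="$1"
    if grep -q '^GRUB_CMDLINE_LINUX=.*intel_iommu=off' "$f"; then
        echo "intel_iommu=off already present in $f"
        return 0
    fi
    if ! grep -q '^GRUB_CMDLINE_LINUX="' "$f"; then
        echo "no GRUB_CMDLINE_LINUX=\"...\" line in $f" >&2
        return 1
    fi
    cp "$f" "$f.bak"
    # First expression handles an empty value; "t" skips the second
    # expression once a substitution has been made, so the option is
    # appended exactly once inside the existing quotes.
    sed -e 's/^GRUB_CMDLINE_LINUX=""$/GRUB_CMDLINE_LINUX="intel_iommu=off"/' \
        -e t \
        -e 's/^\(GRUB_CMDLINE_LINUX="[^"]*\)"/\1 intel_iommu=off"/' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    # Verify the result before trusting it.
    grep -q '^GRUB_CMDLINE_LINUX=.*intel_iommu=off' "$f"
}

# Print the current kernel command line value for inspection.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}

# Stand-alone demonstration on a constructed copy of the file.
demo=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8"\n' > "$demo"
add_intel_iommu_off "$demo"
grub_cmdline "$demo"          # cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off
add_intel_iommu_off "$demo"   # second run reports the option is already present
rm -f "$demo" "$demo.bak"
```

After running add_intel_iommu_off /etc/default/grub on the switch, check grub_cmdline /etc/default/grub, then run sudo update-grub and reboot; the .bak copy lets you revert if the kernel command line is not what you expected.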
Issue ID: 2554709
Legacy ID: CM-32217
Description: The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected its primary IP address, the unnumbered interface does not update its primary IP address to the new use-source value until there is a netlink update for that interface.
To work around this issue, configure ip pim use-source on each unnumbered interface directly, or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM.
Affects: 3.7.13-3.7.16, 4.2.1-4.4.5
Fixed: none

Issue ID: 2554588
Legacy ID: CM-32149
Description: If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is running.
To work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:
DHCPD_PID="-pf {0}"
to:
DHCPD_PID="-pf {1}"
Affects: 3.7.13-4.2.1
Fixed: 4.3.0-4.4.5

Issue ID: 2554369
Legacy ID: CM-32006
Description: Certain Dell S4048-ON switches show an incorrect vendor name and hang when you issue the reboot command.
Affects: 3.7.12-4.2.1
Fixed: 4.3.0-4.4.5

Issue ID: 2553887
Legacy ID: CM-31700
Description: When using TACACS+ configured with a DEFAULT user that provides a privilege level lower than 16, TACACS+ users configured with privilege level 16 might not be able to run privilege level 16 NCLU commands, such as net add and net del, and see an error similar to the following:
ERROR: You do not have permission to execute that command.
To work around this issue, remove the DEFAULT user from the TACACS+ server.
Affects: 3.7.7-3.7.16, 4.0.0-4.4.5
Fixed: none
Issue ID: 2553677
Legacy ID: CM-31605
Description: When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:
cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:
createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"
adding the following line to /snmp/snmpd.conf:
rwuser userSHAwithAES
touch: cannot touch '/snmp/snmpd.conf': No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent
To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:
cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption
Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation.
Affects: 3.7.13-3.7.16, 4.0.0-4.4.5
Fixed: none

Issue ID: 2553219
Legacy ID: CM-31407
Description: You cannot configure SNMPv3 trap destinations in non-default VRFs with an authentication username that contains fewer than eight characters.
Affects: 3.7.12-4.2.1
Fixed: 4.3.0-4.4.5

Issue ID: 2553116
Legacy ID: CM-31357
Description: When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
Fixed: none
Issue ID: 2553050
Legacy ID: CM-31322
Description: SNMP status might incorrectly report that a BGP neighbor is down, due to an issue between bgpd and SNMP AgentX when the IP-FORWARD-MIB is also polled.
To work around this issue, avoid polling IP-FORWARD-MIB objects.
Affects: 3.7.12-3.7.16
Fixed: none

Issue ID: 2553015
Legacy ID: CM-31300
Description: If a neighbor's LLDP PortID contains a special character, the net show interface command does not display the LLDP information, or the command might fail.
Affects: 3.7.10-3.7.16, 4.2.0-4.4.5
Fixed: none

Issue ID: 2552939
Legacy ID: CM-31263
Description: The RX_DRP counter on a bond interface increases without any data traffic, while the counter on the slave port does not increase.
Affects: 3.7.12-4.2.1
Fixed: 4.3.0-4.4.5

Issue ID: 2552869
Legacy ID: CM-31231
Description: On the Dell N3048EP switch, the module information from SFP ports is not displayed in the output of the l1-show command.
To work around this issue, use the ethtool -m command.
Affects: 3.7.13-4.2.1
Fixed: 4.3.0-4.4.5

Issue ID: 2552742
Legacy ID: CM-31150
Description: On the Mellanox SN2410 switch, switchd might dump core and log GBIN_MALLOC errors.
To work around this issue, restart switchd.
Affects: 3.7.12-4.2.1
Fixed: 4.3.0-4.4.5

Issue ID: 2552739
Legacy ID: CM-31148
Description: Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor.
Affects: 3.7.2-3.7.16
Fixed: none

Issue ID: 2552610
Legacy ID: CM-31057
Description: The following vulnerability has been announced:
CVE-2019-11360: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.
Affects: 3.7.13-4.2.0
Fixed: 4.2.1-4.4.5

Issue ID: 2552294
Legacy ID: CM-30879
Description: NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
Fixed: none

Issue ID: 2552266
Legacy ID: CM-30863
Description: OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files.
The two scenarios where an exploit might be useful to an attacker:
- The user is authorized to use scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.
- An attacker plants a maliciously named file in a directory tree that someone later copies to the target computer with scp -r.
Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server.
If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers might have added maliciously named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server, avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files.
To disable scp completely, run /bin/chmod 0 /usr/bin/scp.
Affects: 3.7.14-3.7.16, 4.0.0-4.4.5
Fixed: none
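The scp entry above recommends packaging a directory tree with tar rather than copying it with scp -r. The following POSIX shell functions are an added example written for this page (not OpenSSH or Cumulus code): one lists entries in a tree whose names contain characters a remote shell would interpret, so a tree can be inspected before anything is copied; the other packs the tree into a tar archive so that only a caller-chosen archive name is ever handed to scp or sftp. The set of flagged characters is this example's own assumption about which names matter, not an exhaustive list from the advisory.

```shell
#!/bin/sh
# Added example (not OpenSSH or Cumulus code): defensive handling of a
# directory tree that is about to be copied to another host.
#  - find_suspicious_names: list entries whose basenames contain characters a
#    remote shell would interpret (assumption: backtick, $, ;, |, &, <, >, (
#    and ) are the ones that matter for scp -r; this is not exhaustive).
#  - archive_tree: pack the tree with tar so that a single archive name chosen
#    by the caller is all that is ever passed to scp or sftp.

find_suspicious_names() {
    # The bracket expression is taken literally by find -name.
    find "$1" -name '*[`$;|&<>()]*' -print
}

archive_tree() {
    # $1 = directory to pack, $2 = archive path to write
    tar -C "$(dirname "$1")" -cf "$2" "$(basename "$1")"
}

# Stand-alone demonstration on a constructed tree.
demo=$(mktemp -d)
mkdir "$demo/tree"
echo "plain" > "$demo/tree/report.txt"
echo "odd" > "$demo/tree/"'notes`id`.txt'   # a name a remote shell would expand
if [ -n "$(find_suspicious_names "$demo/tree")" ]; then
    echo "tree contains shell metacharacters in file names; not using scp -r:"
    find_suspicious_names "$demo/tree"
fi
archive_tree "$demo/tree" "$demo/tree.tar"
tar -tf "$demo/tree.tar"   # list the archive members
rm -rf "$demo"
```

Copy the resulting archive with sftp (or scp with a plain file name) and extract it on the server; the file names inside the archive never reach the remote shell.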
2551912
CM-30580
ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down.3.7.12-4.2.04.2.1-4.4.5
2551578
CM-30422
When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error.3.7.12-3.7.16, 4.0.0-4.4.5
2551565
CM-30414
If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both the VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected
To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands.
3.7.13-3.7.16, 4.2.0-4.4.5
2551554
CM-30408
Customers running security scans on Cumulus Linux 4 may encounter the listing of an incorrect version of u-boot 2014.10+dfsg1-4 with the following vulnerabilities:CVE-2017-3225CVE-2017-3226CVE-2018-18440CVE-2019-11690CVE-2019-13103CVE-2019-14192CVE-2019-14193CVE-2019-14194CVE-2019-14195CVE-2019-14196CVE-2019-14197CVE-2019-14198CVE-2019-14199CVE-2019-14200CVE-2019-14201CVE-2019-14202CVE-2019-14203CVE-2019-14204CVE-2020-10648The u-boot-tools package is not installed on the switch by default, but is available in the repository for optional installation. On Cumulus Linux 4, the version is at least 2019.01+dfsg-7. However, the older versions available for optional installation on Cumulus Linux 3 may be vulnerable
According to https://security-tracker.debian.org/tracker/source-package/u-boot , all except the following are fixed in 2019.01+dfsg-7:CVE-2017-3225: https://security-tracker.debian.org/tracker/CVE-2017-3225 says “Negligible security impact”
CVE-2017-3226: https://security-tracker.debian.org/tracker/CVE-2017-3226 says “Negligible security impact”
CVE-2018-18440: https://security-tracker.debian.org/tracker/CVE-2018-18440 says “No security impact as supported/packaged in Debian”.
3.7.12-3.7.164.0.0-4.4.5
2551305
CM-30296
The net show configuration command provides the wrong net add command for ACL under the VLAN interface.

3.7.12-3.7.16, 4.1.0-4.4.5
2551288
CM-30286
When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.
To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file.
3.7.7-3.7.164.0.0-4.4.5
2550974
CM-30195
On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured.3.7.11-3.7.16, 4.1.1-4.4.5
2550942
CM-30178
NCLU tab completion for net show displays the placeholder text add help text instead of system information for the system option.
3.7.11-4.2.0; fixed in 4.2.1-4.4.5
2550796
CM-30103
On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero.
To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs.
3.7.12-4.2.1; fixed in 4.3.0-4.4.5
2550793
CM-30101
The NCLU net show bridge spanning-tree command displays the aging timer incorrectly.
3.7.12-3.7.16, 4.0.0-4.4.5
2550479
CM-29899
A VXLAN interface as the in-interface or out-interface of an ACL rule is not supported on Spectrum-based switches.
3.7.7-4.2.0; fixed in 4.2.1-4.4.5, 4.3.0-4.4.5
2550444
CM-29872
Tab completion for the net show rollback description command returns information about a snapshot instead of context help.
To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command.
3.7.12-3.7.16, 4.0.0-4.4.5
2550443
CM-29871
The net show rollback description command returns an error even if the string matches a commit description.
To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead.
3.7.12-3.7.16, 4.0.0-4.4.5
2550276
CM-29779
In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added.
All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent.
3.7.12-4.2.1; fixed in 4.3.0-4.4.5
2550243
CM-29759
When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.
To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service file. For example:

#Requires=nginx.service restserver.socket
3.7.12-3.7.16, 4.0.0-4.4.5
2550056
CM-29652
The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:

error: invalid signature.
Press any key to continue…
3.7.12-3.7.16, 4.1.1-4.4.5
2549925
CM-29594
When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:

error: swp1s1.2: netlink: cannot set link swp1s1.2 up: operation failed with 'Network is down' (100)
warning: cmd '/bin/ip addr del 10.0.0.1/24 dev eth0' failed: returned 2 (RTNETLINK answers: Cannot assign requested address)

To work around this issue, run the ifreload -a command a second time.
3.7.12-3.7.16, 4.0.0-4.4.5
2549872
CM-29562
If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error.
3.7.12-3.7.16, 4.1.1-4.4.5
2549838
CM-29546
In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel.
If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel.
To work around this issue, delete, then re-add the missing VNI. For example:

cumulus@switch:~$ sudo ifdown vni10100
cumulus@switch:~$ sudo ifup vni10100

If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI.
3.7.12-4.2.1; fixed in 4.3.0-4.4.5
2549782
CM-29519
The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbor state.
3.7.12-3.7.16, 4.0.0-4.4.5
2549731
CM-29492
When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:

[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1
3.7.12-3.7.16, 4.1.1-4.4.5
2549472
CM-29367
On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic.
3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2549371
CM-29309
When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when no MLD join has been received.
3.7.11-4.3.1; fixed in 4.4.0-4.4.5
2549307
The following vulnerabilities affect git, which is available in the repository for optional installation:
CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.
3.7.12-4.1.1; fixed in 4.2.0-4.4.5
2548962
CM-29165
In FRR OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table.
3.7.12-4.1.1; fixed in 4.2.0-4.4.5
2548930
CM-29148
On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware.
3.7.11-4.2.1; fixed in 4.3.0-4.4.5
2548746
CM-29068
On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect.
3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2548657
CM-29035
When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware warnings similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these warnings.
3.7.12-3.7.16, 4.0.0-4.4.5
2548490
CM-28944
A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.
To work around this issue, reenter the redistribute <connected|static> route-map statement in the configuration.
3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2548485
CM-28940
If you configure the aggregate-address summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:
Existing configuration:

router bgp 1
 address-family ipv4 unicast
  aggregate-address 50.0.0.0/8 summary-only
 exit-address-family

If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:

Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 50.0.0.0         0.0.0.0                            32768 i
s> 50.0.0.1/32      0.0.0.0                  0         32768 i

Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:

Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
s> 50.0.0.1/32      0.0.0.0                  0         32768 i

To work around this issue, remove, then re-add the component prefix routes.
3.7.12-4.2.1; fixed in 4.3.0-4.4.5
2548315
CM-28816
The following security advisory has been announced for bash:
CVE-2019-18276 (Qualys scan QID 372268): setuid privilege-drop vulnerability.
When bash, or a bash script, runs setuid, bash is supposed to drop the elevated privileges, but does so incorrectly: an attacker with command access to the shell can use enable -f to load a shared object as a new builtin at runtime, and that builtin can call setuid() to regain the dropped privileges.
To work around this issue, do not make bash or bash scripts setuid.
3.7.12-3.7.16, 4.0.0-4.4.5
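The following POSIX shell functions are an added example, not part of these release notes or of Cumulus Linux tooling. They apply the check behind the workaround above: list every setuid file under a directory that is either the bash binary or a script whose shebang line runs bash. Run it as root against / on a switch to confirm that nothing relies on setuid bash. The use of -xdev and the shebang regex are this example's own choices.

```shell
#!/bin/sh
# Added example: find setuid bash binaries and bash scripts (CVE-2019-18276 exposure).
# Assumes a POSIX find with -perm -4000 plus standard head/grep; this is not
# Cumulus Linux tooling.

# find_setuid_bash DIR
# Prints every regular file under DIR with the setuid bit set that is either
# a bash binary (basename bash or rbash) or a script whose first line is a
# shebang invoking bash, directly or through env.
find_setuid_bash() {
    # -xdev stays on one filesystem so a scan of / does not wander into /proc, /sys or NFS.
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        case "$(basename "$f")" in
            bash|rbash)
                printf '%s\n' "$f"
                continue
                ;;
        esac
        # Shebang check: "#!/bin/bash", "#! /usr/local/bin/bash", "#!/usr/bin/env bash", ...
        if head -n 1 "$f" 2>/dev/null | grep -Eq '^#![[:space:]]*(/[^[:space:]]*/)?(env[[:space:]]+)?r?bash([[:space:]]|$)'; then
            printf '%s\n' "$f"
        fi
    done
}

# count_setuid_bash DIR
# Convenience wrapper for scripts and monitoring: prints the number of hits.
count_setuid_bash() {
    find_setuid_bash "$1" | wc -l | tr -d ' '
}

# Usage: sudo sh find_setuid_bash.sh /     (scan the whole root filesystem)
if [ -n "${1:-}" ]; then
    find_setuid_bash "$1"
fi
```

Note that the Linux kernel ignores the setuid bit on interpreted scripts, so the script case mostly catches configuration mistakes; the binary case (a setuid copy of bash, or a setuid program that executes bash) is the one that actually exposes the enable -f path.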
2548243
CM-28754
On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules.
3.7.3-3.7.16, 4.0.0-4.4.5
2548155
CM-28685
The net show bgp neighbor swpX json command shows negative output for the bgpTimerUpMsec timer.
3.7.10-3.7.16; fixed in 4.0.0-4.4.5
2548117
CM-28659
In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX.
3.7.12-3.7.16, 4.0.0-4.4.5
2548024
CM-28596
On the Dell Z9100 switch, 100G-SR4 modules might not link up reliably in certain ports.
swp1, 2, 3, 9, 10, 23, 24, 30, 31, and 32 might be affected
To work around this issue, move 100G SR4 modules to one of the ports not affected by this issue.
3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2547942
CM-28533
On the Lenovo NE0152T switch, one power supply (PSU2) always shows as ABSENT in smonctl.
3.7.11-4.0.1; fixed in 4.1.0-4.4.5
2547878
The following vulnerability has been found in the libgcrypt20 cryptographic library:
CVE-2019-13627: a timing side channel in ECDSA signature generation that can leak private key bits.
For more information, see https://www.debian.org/lts/security/2020/dla-1931-2.en.html
Vulnerable: 1.6.3-2+deb8u7
Fixed: 1.6.3-2+deb8u8
3.7.11-3.7.16
2547876
The following vulnerability affects libxml2:
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c has a memory leak related to newDoc->oldNs. This can lead to a denial of service.
For more information, see https://www.debian.org/lts/security/2019/dla-2048.en.html .
Vulnerable: 2.9.1+dfsg1-5+deb8u7
Fixed: 2.9.1+dfsg1-5+deb8u8
3.7.11-3.7.16
2547874
The following vulnerability affects libbsd, a package containing utility functions from BSD systems.
CVE-2016-2090: In the fgetwln() function, an off-by-one error could trigger a heap buffer overflow.
For more information, see https://www.debian.org/lts/security/2019/dla-2052.en.html .
Vulnerable: 0.7.0-2
Fixed: 0.7.0-2+deb8u1
3.7.11-3.7.16
2547839
CM-28465
When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error.
3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2547782
CM-28441
If an LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns.
3.7.11-3.7.16, 4.0.0-4.4.5
2547706
CM-28397
When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch.
3.7.11-3.7.16, 4.0.0-4.4.5
2547659
CM-28372
On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise.
3.7.11-4.0.1; fixed in 4.1.0-4.4.5
2547573
CM-28322
On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU.
3.7.9-3.7.16
2547443
CM-28248
On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode.
3.7.11-4.0.1; fixed in 4.1.0-4.4.5
2547381
CM-28212
The hsflowd service sends an undefined header protocol 0 in the sampled flow sample to the collector, which is not recognized by the sFlow tool. You see errors similar to the following:

Dec 20 08:43:27 netflow-nms sfcapd[3991]: SFLOW: readFlowSample_header() undefined headerProtocol = 0

3.7.11-3.7.16; fixed in 4.0.0-4.4.5
2547349
CM-28193
When you change an interface IP address, then change it back, static routes are misprogrammed.
One of the following actions recovers the routes:
- Bounce both layer 3 interfaces
- Remove or add static routes in FRR
- Restart FRR
3.7.11-3.7.16; fixed in 4.0.0-4.4.5
2547123
CM-28078
On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect.
3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2547120
CM-28076
After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number) until you run the decode-syseeprom --init command.
3.7.11-3.7.16, 4.0.0-4.4.5
2547118
The following security vulnerabilities have been announced in the libtiff5 library on Cumulus Linux 4.0:
CVE-2019-14973, CVE-2019-17546: Multiple integer overflows have been discovered in the libtiff library and the included tools.
Vulnerable: 4.0.10-4
Fixed: 4.1.0+git191117-2~deb10u1
3.7.10-4.0.1; fixed in 4.1.0-4.4.5
2547100
CM-28061
On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic.
3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2547068
CM-28046
Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly.
To work around this issue, contact your hardware vendor to ask whether a new BIOS version with a microcode fix is available, or manually disable CPU C-states in the kernel as outlined below.
To permanently disable C-states using a kernel boot parameter:
1. Edit /etc/default/grub and add the argument processor.max_cstate=0 to the GRUB_CMDLINE_LINUX variable. For example, if the file contains the line GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off", change it to GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0".
2. Run sudo update-grub.
3. Reboot the system with sudo reboot.
To disable C-states on the running system (this does not persist through a reboot):
1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:
ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)
The first field should read ii. If not, install the libpci3 package by running sudo apt upgrade; sudo apt install libpci3.
2. Disable C-states by running the command ./cpupower idle-set -d 2.
C-states are disabled by default in Cumulus Linux 4.3.0 and later.
3.7.9-4.2.1; fixed in 4.3.0-4.4.5
2546991
CM-28003
The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code.
3.7.11-3.7.16, 4.0.0-4.4.5
2546895
CM-27957
If you have configured a large number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout (2 minutes by default) and you see an error similar to the following:

systemd[1]: switchd.service watchdog timeout (limit 2min)!

To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd timeout for switchd.service.
To increase the systemd timeout:
1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
2. Run sudo systemctl daemon-reload so that systemd picks up the changed unit, then restart the switchd service with the sudo systemctl restart switchd.service command.
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command.
3.7.11-3.7.16, 4.0.0-4.4.5
2546451
CM-27737
On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold.
3.7.11-3.7.16
2546385
CM-27698
SNMP ifLastChange reports link transitions when there are none.
3.7.6-3.7.16
2546225
CM-27627
When you run the following commands on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.

sudo onie-install -fai http://
sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image.
3.7.11-3.7.16, 4.0.0-4.4.5
2546203
CM-27620
When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior:
* Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet.
* If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet.
3.7.11-3.7.16
2546131
CM-27581
On the Delta AG-6248C PoE switch, the apt upgrade command does not work. On this platform Cumulus Linux uses U-Boot directly instead of GRUB to boot the kernel. U-Boot needs a special header to boot the kernel, which is not present; without this header, after you use apt upgrade to upgrade Linux packages, U-Boot is unable to boot the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present.
3.7.11-3.7.16, 4.0.0-4.4.5
2546010
CM-27530
When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist.
3.7.10-3.7.16
2545997
CM-27522
The NCLU command net show interface produces an error if bonds with no members exist.
To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a.
3.7.10-3.7.16
2545566
CM-27272
The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT.
3.7.12-4.0.1; fixed in 4.1.0-4.4.5
2545446
CM-27192
If you use NCLU commands to add a non-MLAG bond, then add an MLAG configuration, the net commit command fails. However, a subsequent net commit command succeeds.
3.7.10-3.7.16
2545125
CM-27018
If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address.
3.7.10-3.7.16, 4.0.0-4.4.5
2544978
CM-26921
If you delete an undefined bond, then add a bond slave, the net commit command fails.
3.7.9-3.7.16, 4.0.0-4.4.5
2544968
CM-26913
FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file.
3.7.9-3.7.16, 4.0.0-4.4.5
2544953
CM-26905
When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command.
3.7.10-3.7.16, 4.0.0-4.4.5
2544904
CM-26875
After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements.
To work around this issue, restart FRR after removing the IPv6 numbered configuration.
3.7.9-4.1.1; fixed in 4.2.0-4.4.5
2544829
CM-26829
Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump.
3.7.8-3.7.16
2544671
CM-26736
Package: sudo
CVE ID: CVE-2019-14287
Debian Bug: 942322
Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows commands to be run as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access.
Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html
We recommend that you upgrade your sudo packages. For the detailed security status of sudo, refer to its security tracker page at https://security-tracker.debian.org/tracker/sudo
Vulnerable versions: < 1.8.27-1+deb10u1
Fixed versions: >= 1.8.27-1+deb10u1
To work around this issue, disable (comment out) any sudoers entries in /etc/sudoers or in files under /etc/sudoers.d whose Runas specification contains !root. Only rules that exclude root (or another user with uid 0) from an otherwise unrestricted Runas list are affected.
3.7.9-3.7.16; fixed in 4.0.0-4.4.5
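The following shell functions are an added example, not part of these release notes or of Cumulus Linux tooling. They locate the rules the workaround above tells you to disable: sudoers entries whose Runas specification excludes root by name (!root) or by uid (!#0), which are exactly the rules that the -1 / 4294967295 user ID bypasses. The second function produces the commented-out version of the file for review. The regex, the function names and the sample sudoers content in the test are this example's own.

```shell
#!/bin/sh
# Added example: audit sudoers for the Runas pattern that CVE-2019-14287 bypasses.
# Not Cumulus Linux tooling. It looks only at rules whose Runas list contains
# "!root" or "!#0"; a rule that already grants (ALL) or (ALL:ALL) is not made
# worse by the bug and is therefore not reported.

# Rules whose Runas spec is "(..., !root ...)" or "(..., !#0 ...)", ignoring
# comment lines (which also covers #include / #includedir directives).
RUNAS_EXCLUDES_ROOT='^[^#]*\([^)]*![[:space:]]*(root|#0)([[:space:]]|,|\))'

# sudoers_root_exclusions FILE...
# Prints file:line:text for each affected rule. Exit status is 0 whether or
# not anything was found, so it is safe to call under set -e.
sudoers_root_exclusions() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -nHE "$RUNAS_EXCLUDES_ROOT" "$f" || true
    done
}

# disable_root_exclusions FILE
# Writes FILE to stdout with every affected rule commented out, which is the
# workaround above. Review the output and run "visudo -cf <result>" before
# replacing the original file with it.
disable_root_exclusions() {
    sed -E "/$RUNAS_EXCLUDES_ROOT/s/^/# CVE-2019-14287 workaround: /" "$1"
}

# Usage: sudo sh audit_sudoers.sh /etc/sudoers /etc/sudoers.d/*
if [ -n "${1:-}" ]; then
    sudoers_root_exclusions "$@"
fi
```

Commenting a rule out removes the grant entirely, so the affected user loses the ability to run that command as any user until sudo is upgraded; that is the intended trade-off of the workaround.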
2544556
CM-26655
If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options.
3.7.9-4.1.1; fixed in 4.2.0-4.4.5
2544463
CM-26599
Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G.
3.7.9-3.7.16, 4.0.0-4.4.5
2544456
CM-26595
The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds.
3.7.9-3.7.16, 4.0.0-4.4.5
2544311
CM-26516
Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host.
3.7.5-3.7.16, 4.0.0-4.4.5
2544235
CM-26463
The following CVEs affect the linux kernel package:
CVE-2019-14821, CVE-2019-14835, CVE-2019-15117, CVE-2019-15118, CVE-2019-15902
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
For the detailed security status of linux, refer to its security tracker page at https://security-tracker.debian.org/tracker/linux
3.7.10-3.7.16
2544155
CM-26423
NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

3.7.5-3.7.16, 4.0.0-4.4.5
2544113
CM-26412
MAC learning is not disabled by default on a double-tagged peer link interface, resulting in the MAC address flapping between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file.
3.7.9-3.7.16, 4.0.0-4.4.5
2543900
CM-26288
On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address.
3.7.8-3.7.16, 4.0.0-4.4.5
2543841
CM-26256
The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
3.7.8-3.7.16, 4.0.0-4.4.5
2543840
CM-26255
On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file.

3.7.6-3.7.16
2543800
CM-26230
When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it because it does not know where to forward it. The static VXLAN tunnel works if local-tunnelip is a loopback or a physical layer 3 interface.
3.7.8-3.7.16; fixed in 4.0.0-4.4.5
2543647
CM-26137
ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
3.7.6-4.2.1; fixed in 4.3.0-4.4.5
2543646
CM-26136
In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case).
3.7.6-3.7.16, 4.0.0-4.4.5
2543627
CM-26126
Tomahawk 40G DACs cannot disable auto-negotiation.
3.7.7-3.7.16; fixed in 4.0.0-4.4.5
2543270
CM-25923
The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate.
3.7.8-4.1.1; fixed in 4.2.0-4.4.5
2543211
CM-25890
In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
3.7.0-3.7.16, 4.0.0-4.4.5
2543164
CM-25859
The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command.
3.7.7-3.7.16, 4.0.0-4.4.5
2543096
CM-25815
When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
3.7.6-3.7.16, 4.0.0-4.4.5
2543058
CM-25798
The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces.
3.7.7-3.7.16; fixed in 4.0.0-4.4.5
2543052
CM-25796
Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as “inactive” in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI.
3.7.5-3.7.16; fixed in 4.0.0-4.4.5
2543044
CM-25794
Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up.
3.7.2-3.7.16; fixed in 4.0.0-4.4.5
2542979
CM-25766
On the Dell N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work.
3.7.7-4.1.1; fixed in 4.2.0-4.4.5
2542945
CM-25740
On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
3.7.6-3.7.16, 4.0.0-4.4.5
2542310
CM-25404
hsflowd disregards the agent.cidr setting in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the sFlow payload shows IPv6.
3.7.6-3.7.16
2542305
CM-25400
If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
3.7.6-3.7.16, 4.0.0-4.4.5
2542301
CM-25397
When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
3.7.3-3.7.16, 4.0.0-4.4.5
2541212
CM-24894
The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded.
3.7.5-3.7.16, 4.0.0-4.4.5
2541165
CM-24878
On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false.
3.7.6-3.7.16
2541029
CM-24799
On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped.
This issue only affects QinQ configurations.
3.7.5-3.7.16, 4.0.0-4.4.5
2540950
CM-24751
On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status.
3.7.3-4.1.1; fixed in 4.2.0-4.4.5
2540885
CM-24703
The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports.
3.7.7-3.7.16
2540863
CM-24686
On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number.
3.7.3-3.7.16
2540753
CM-24618
If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
 
ERROR: No closing quotation
See /var/log/netd.log for more details.

3.7.5-3.7.16, 4.0.0-4.4.5
2540444
CM-24473
SNMP incorrectly requires engine ID specification.
3.7.4-3.7.16, 4.0.0-4.4.5
2540352
CM-24435
When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9
net add routing route-map Proxy-ARP permit 30 match interface swp10

3.7.2-3.7.16, 4.0.0-4.4.5
2540340
CM-24426
NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example:
 
cumulus@switch:~$ net add vrf mgmt


Tab completion for the net add vrf ip address
command works correctly.
3.7.4-3.7.16, 4.0.0-4.4.5
2540274
CM-24379
On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route.
3.7.5-3.7.16, 4.0.0-4.4.5
2540204
CM-24350
When links come up after FRR is started, VRF connected routes do not get redistributed.
3.7.4-3.7.16, 4.0.0-4.4.5
2540192
CM-24343
The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value.
3.7.4-3.7.16, 4.0.0-4.4.5
2540155
CM-24332
On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
3.7.3-3.7.16, 4.0.0-4.4.5
2540042
CM-24272
When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface br0.100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# vrrp 1 advertisement-interval
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540041
CM-24271
On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU.
To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface vlan100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540040
CM-24270
Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface swp4
switch(config-if)# vrrp 1 version 2
switch(config-if)# no vrrp 1 preempt
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540031
CM-24262
NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist.
3.7.3-3.7.16, 4.0.0-4.4.5
2539994
CM-24241
When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
 
cumulus@switch:~$ net del bgp neighbor fabric peer-group
‘router bgp 65001’ configuration does not have ‘neighbor fabric peer-group’

3.7.2-3.7.16, 4.0.0-4.4.5
2539962
CM-24222
When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error.
3.7.0-3.7.16, 4.0.0-4.4.5
2539670
CM-24035
On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type.
3.7.2-3.7.16, 4.0.0-4.4.5
2539124
CM-23825
The net add interface ptm-enable command adds no ptm-enable for that interface in the frr.conf file.
Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh.
3.7.2-3.7.16, 4.0.0-4.4.5
2539081
CM-23792
When you delete post-up and pre-down IP peer entries from the /etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.
To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command.
Affects: 3.7.0-3.7.16; Fixed: 4.0.0-4.4.5
2538875
CM-23696
IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file.
3.7.2-3.7.16
2538790
CM-23665
NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan bridge access . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.
To restore connectivity, remove the VLAN ID from the bridge.
3.7.2-3.7.16, 4.0.0-4.4.5
2538590
CM-23584
When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain.
3.7.2-3.7.16, 4.0.0-4.4.5
2538562
CM-23570
On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G.
3.7.2-3.7.16, 4.0.0-4.4.5
2538302
CM-23422
portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.
3.7.0-3.7.16
2538294
CM-23417
If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid.
3.7.0-3.7.16, 4.0.0-4.4.5
2538256
CM-23397
On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
Affects: 3.7.2-4.0.1; Fixed: 4.1.0-4.4.5
2537820
CM-23123
When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
Affects: 3.7.2-3.7.16; Fixed: 4.0.0-4.4.5
2537699
CM-23075
There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
3.7.1-3.7.16, 4.0.0-4.4.5
2537544
CM-23021
When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB.
3.7.1-3.7.16, 4.0.0-4.4.5
2537378
CM-22937
NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
3.7.1-3.7.16
2537188
CM-22849
When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
3.7.2-3.7.16
2537104
CM-22808
When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
Affects: 3.7.1-3.7.16; Fixed: 4.0.0-4.4.5
2537061
CM-22794
The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
Affects: 3.7.1-4.0.1; Fixed: 4.1.0-4.4.5
2536608
CM-22583
Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
3.7.0-3.7.16
2536384
CM-22386
The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
3.7.0-3.7.16, 4.0.0-4.4.5
2536179
CM-22228
On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working.
3.7.0-3.7.16, 4.0.0-4.4.5
2535986
CM-22041
At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart.
3.7.0-3.7.16, 4.0.0-4.4.5
2535965
CM-22020
On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic.
3.7.0-3.7.16, 4.0.0-4.4.5
2533691
CM-19788
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.
To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface.
3.7.12-3.7.16, 4.0.0-4.4.5
2532017
CM-18192
In FRR, bgp_snmp does not show all BGP peers when peer groups are used.
Affects: 3.7.11-4.0.1; Fixed: 4.1.0-4.4.5

Fixed Issues in 3.7.16

Issue ID | Description | Affects
3135801
None
Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra.
When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop.
4.0.0-4.3.0, 4.4.0-4.4.5
2973714
When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds.
3.7.15, 4.3.0, 4.4.0-4.4.1
2964279
When a VNI flaps, an incorrect list of layer 2 VNIs is associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI.
3.7.15, 4.4.2-4.4.5, 5.0.0-5.6.0
2959454
CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact
Vulnerable: <= 2.1.0-6+deb8u6; Fixed: 2.1.0-6+deb8u7
3.7.0-3.7.15
2959444
CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information
Vulnerable: <= 4.2-3+deb8u4; Fixed: 4.2-3+deb8u5
3.7.0-3.7.15
2959024
ACL rules do not always install in hardware after switch reboot
To work around this issue, run the sudo cl-acltool -i command to reinstall the ACL rules.
3.7.14.2-3.7.15
2957684
CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds errors were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality and the application availability
Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3; Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4
3.7.0-3.7.15
2949602
CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.
3.7.0-3.7.15
2949586
CVE-2022-21699: ipython may execute untrusted files in the current working directory
Vulnerable: 2.3.0-2; Fixed: 2.3.0-2+deb8u1
3.7.0-3.7.15
2949585
CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog.
3.7.0-3.7.15
2949584
CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service
Vulnerable: <= 3.26-1+debu8u15; Fixed: 3.26-1+debu8u16
3.7.0-3.7.15
2943442
Cumulus Linux lets you add more than one VXLAN interface to the same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN.
3.7.15, 4.2.1-4.3.0, 4.4.2-5.0.1
2941560
CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed
Vulnerable: <= 9.26a~dfsg-0+deb8u7; Fixed: 9.26a~dfsg-0+deb8u
3.7.0-3.7.15
2940052
When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN.
3.7.15, 4.2.1-4.3.0
2934940
CM-32683
When you change the SVI vlan-id value in the /etc/network/interfaces file, then run ifreload -a, the 802.1Q ID for the SVI in the kernel does not change.
This operation is not supported in the kernel without recreating the SVI. To apply the change, run ifdown, then ifup for the SVI to recreate the interface.
3.7.13-3.7.15, 4.2.1
2934938
When the clagd process terminates unexpectedly due to signals such as sig11 or sig6, no core file is generated.
3.7.15
2934935
switchd can cause a memory leak.
3.7.14.2-3.7.15
2923748
CVE-2021-43818: lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs
Vulnerable: <= 3.4.0-1+deb8u4; Fixed: 3.4.0-1+deb8u5
3.7.15
2923737
When switchd restarts, the port watch daemon (portwd) attempts to send requests to switchd before switchd is ready. As a result, portwd goes into a failed state because there is no response from switchd.
4.3.0
2910862
CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file”
Vulnerable: <= 0.13.62-3+deb8u2; Fixed: 0.13.62-3+deb8u3
3.7.0-3.7.15
2910861
CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse
CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods
Vulnerable: <= 2.1.5-2+deb8u12; Fixed: 2.1.5-2+deb8u13
3.7.0-3.7.15
2885241
CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code
Vulnerable: <= 3.26-1+debu8u13; Fixed: 3.26-1+debu8u14
3.7.0-3.7.15
2885239
CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms
Vulnerable: 6.0.0+dfsg-6 on armel platform; Fixed: 6.0.0+dfsg-6+deb8u1
3.7.0-3.7.15
2885238
The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:
CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data
CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response
CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash
Vulnerable: <= 5.43-2+deb9u2~deb8u3; Fixed: 5.43-2+deb9u2~deb8u4
3.7.0-3.7.15
2879645
When you add a new VLAN, the VLAN interface type shows as unknown and cannot be reached.
3.7.15
2875279
In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses; the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally.
4.2.1-4.3.0, 4.4.0-5.0.1
2866111
CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.
3.7.0-3.7.15
2866096
CM-33416
Under certain high scale conditions, various modules might experience timeouts during cl-support collection, which results in missing data in the cl-support file.
3.7.12-3.7.15, 4.1.1-4.3.0
2862269
CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established
Vulnerable: <= 9.4.26-0+deb8u4; Fixed: 9.4.26-0+deb8u5
3.7.0-3.7.15
2855881
A number of vulnerabilities were discovered in Redis, a popular key/value database:
CVE-2021-32672: Random heap reading issue with Lua Debugger
CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value
CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections
CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow
Vulnerable: <= 2:2.8.17-1+deb8u8; Fixed: 2:2.8.17-1+deb8u9
3.7.0-3.7.15
2855879
The following vulnerabilities have been announced in the python3.4 package:
CVE-2021-3426: Running 'pydoc -p' allows other local users to extract arbitrary files. The '/getfile?key=path' URL allows reading an arbitrary file on the filesystem
CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server
CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server
Vulnerable: <= 3.4.2-1+deb8u10; Fixed: 3.4.2-1+deb8u11
3.7.0-3.7.15
2850806
CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts)
Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22; Fixed: 1:9.9.5.dfsg-9+deb8u23
3.7.0-3.7.15
2848219
On Dell S3048 switches configured for 802.1x auth, you might see file descriptor exhaustion with Hostapd messages indicating that Cumulus Linux is unable to open /dev/urandom or write out the transient ACL files
To work around this issue, reboot the switch.
3.7.15, 4.3.0
2845540
CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling
Vulnerable: <= 1.7.5-11+deb8u8; Fixed: 1.7.5-11+deb8u9
3.7.0-3.7.15
2841003
CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference
Vulnerable: <= 0.13-4~deb8u2; Fixed: 0.13-4~deb8u3
3.7.0-3.7.15
2835994
CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function
Vulnerable: <= 1.0.1t-1+deb8u15; Fixed: 1.0.1t-1+deb8u16
3.7.0-3.7.15
2823255
CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode)
Vulnerable: <= 52.1-8+deb8u8; Fixed: 52.1-8+deb8u9
3.7.0-3.7.15
2821981
The following vulnerabilities have been announced in the ruby2.1 package:
CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename
CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions)
CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
Vulnerable: <= 2.1.5-2+deb8u11; Fixed: 2.1.5-2+deb8u12
3.7.0-3.7.15
2821970
When there is a netlink event showing an update to a forwarding database entry from the VXLAN driver, ip monitor reports the remote VTEP address (dst) as ???. The bridge monitor command correctly shows the value.
3.7.15
2820758
The following vulnerabilities have been announced in curl:
CVE-2021-22946: Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected
CVE-2021-22947: When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and as such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data
Vulnerable: <= 7.38.0-4+deb8u21; Fixed: 7.38.0-4+deb8u22
3.7.0-3.7.15
2817130
The cl-route-check --layer3 command fails with a memory error. For example:
 
cumulus@switch:~$ sudo cl-route-check --layer3
Traceback (most recent call last):
  File "/usr/cumulus/bin/cl-route-check", line 1270, in <module>
    routing.collect_data()
  File "/usr/cumulus/bin/cl-route-check", line 528, in collect_data
    self.collect_data_bgp_ipv4()
  File "/usr/cumulus/bin/cl-route-check", line 711, in collect_data_bgp_ipv4
    bgp_ipv4 = json.loads(output)
  File "/usr/lib/python2.7/json/__init__.py", line 338, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
    obj, end = self.scan_once(s, idx)
MemoryError

3.7.15
2815592
In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence.
3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1
2813826
Two security issues were found in TIFF, a widely used format for storing image data, as follows:
CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the "invertImage()" function in the component "tiffcrop"
CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the '_TIFFmemcpy' function in the component 'tif_unix.c'
Vulnerable: <= 4.0.3-12.3+deb8u11; Fixed: 4.0.3-12.3+deb8u12
3.7.0-3.7.15
2813823
Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash
CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer
CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may
CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user
Vulnerable: <= 2.4.10-10+deb8u18; Fixed: 2.4.10-10+deb8u19
3.7.0-3.7.15
2803044
In an EVPN configuration with IP or MAC mobility, higher MM EVPN routes do not remove the old ARP entries during VIP migration between VTEP racks.
3.7.14.2-3.7.15, 4.3.0-4.4.5
2801262
On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart
To work around this issue, load the port configuration in a staggered manner (groups of five downlink ports).
3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5
2801126
CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures
Vulnerable: <= 2.7.1-5+deb8u2; Fixed: 2.7.1-5+deb8u3
3.7.0-3.7.15
2801125
OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01
Vulnerable: <= 1.0.1t-1+deb8u14; Fixed: 1.0.1t-1+deb8u15
3.7.0-3.7.15
2801124
GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01
Vulnerable: <= 3.3.30-0+deb8u1; Fixed: 3.3.30-0+deb8u2
3.7.0-3.7.15
2799742
CM-33032
On the Edgecore AS4610 switch, the historic CPU usage displayed in /run/sysmonitor/history sometimes shows as a negative value.
3.7.12-3.7.15
2798139
CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions
Vulnerable: <= 9.4.26-0+deb8u3; Fixed: 9.4.26-0+deb8u4
3.7.0-3.7.15
2794750
CM-29043
When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering.
3.7.12-3.7.15, 4.0.0-4.2.1
2770226
In an MLAG configuration with traditional bridges, MAC addresses are seen over the peer link during ifreload when adding new VLANs or bridges.
3.7.14.2-3.7.15, 4.3.0-4.4.5
2769687
CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library
Vulnerable: <= 7.38.0-4+deb8u20; Fixed: 7.38.0-4+deb8u21
3.7.0-3.7.15
2769633
CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames
Vulnerable: <= 1.10.0-2+deb8u2; Fixed: 1.10.0-2+deb8u3
3.7.0-3.7.15
2769632
CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made
Vulnerable: <= 0.80.7-2+deb8u4; Fixed: 0.80.7-2+deb8u5
3.7.0-3.7.15
2769631
CVE-2021-38165: lynx has a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data
Vulnerable: <= 2.8.9dev1-2+deb8u1; Fixed: 2.8.9dev1-2+deb8u2
3.7.0-3.7.15
2743132
CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow execution of arbitrary code
Vulnerable: <= 1.0.25-9.1+deb8u5; Fixed: 1.0.25-9.1+deb8u6
3.7.0-3.7.15
2736265
After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes.
3.7.12-3.7.15, 4.2.1-4.3.0
2736247
CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.c
Vulnerable: <= 1.900.1-debian1-2.4+deb8u10; Fixed: 1.900.1-debian1-2.4+deb8u11
3.7.0-3.7.15
2736245
CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems
Vulnerable: <= 2.8.17-1+deb8u7; Fixed: 2.8.17-1+deb8u8
3.7.0-3.7.15
2726776
CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour
Vulnerable: <= 2.4.10-10+deb8u17; Fixed: 2.4.10-10+deb8u18
3.7.0-3.7.15
2717312
When you modify a prefix list with NCLU commands, the bgpd service crashes.
3.7.14.2-3.7.15
2716841
CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository
Vulnerable: <= 1.5.6-5+deb8u1; Fixed: 1.5.6-5+deb8u2
3.7.0-3.7.15
2705169
CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed
Vulnerable: <= 4.0.3-12.3+deb8u10; Fixed: 4.0.3-12.3+deb8u11
3.7.0-3.7.15
2705168
CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access
Vulnerable: <= 5.43-2+deb9u2~deb8u2
Fixed: 5.43-2+deb9u2~deb8u3
Affects: 3.7.0-3.7.15
2702519
CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt
Vulnerable: <= 1.6.3-2+deb8u8
Fixed: 1.6.2-2+dev8u9
Affects: 3.7.0-3.7.15
2700767
Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use an MLAG peer IP linklocal configuration.
Affects: 3.7.12-3.7.15, 4.3.0-4.4.5
2699464
In a VXLAN fabric with ToR switches configured in an MLAG pair, BUM traffic received on a VXLAN tunnel is decapsulated and forwarded on the peer link bond. The BUM traffic is then encapsulated by the peer switch and sent back to the fabric. The issue has been seen in environments where the following conditions exist at the same time:
1) high VNI scale
2) switchd is busy processing updates
3) clagd is in a transition state, such as Up, then Down, then Up (for example, when clagd restarts, the switch reboots, and so on)
The problem is seen on the switch that experiences the clagd state transition.
Affects: 3.7.12-3.7.15
2690100
When you run the vtysh show ip bgp vrf statistics command, the bgpd service crashes if you use vrf all. For example:
spine01# show ip bgp vrf all statistics
vtysh: error reading from bgpd: Success (0)
Warning: closing connection to bgpd because of an I/O error!
To work around this issue, run the command against each VRF independently.
Affects: 3.7.15, 4.0.0-4.3.0
2684404
CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8
Fixed: 1.6.2-5+deb8u9
Affects: 3.7.0-3.7.15
2679950
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
Affects: 3.7.0-3.7.15, 4.0.0-4.3.1
2677063
CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10
Fixed: 2.9.1+dfsg1-5+deb8u11
Affects: 3.7.0-3.7.15
2677061
CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7
Fixed: 1.6.2-5+deb8u8
Affects: 3.7.0-3.7.15
2677060
CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6
Fixed: 2.7.9-2-ds1-1+deb8u7
Affects: 3.7.0-3.7.15
2669831
If you try to remove BFD configuration with systemctl reload frr, the FRR service fails. The reload action results in a TypeError: expected string or bytes-like object error.
You see this issue only if there is default configuration, such as configuration in the /etc/frr/frr.conf file that is suppressed from view in the FRR running configuration.
To work around this issue, remove the default configuration lines; for example:
username cumulus nopassword
Affects: 3.7.14.2-3.7.15
2668483
If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent fdb entry for the old MAC address.
Affects: 3.7.15, 4.3.0, 4.4.0-4.4.3, 5.0.0-5.0.1
2668477
CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions
Vulnerable: <= 1.6.2-3+deb8u4
Fixed: 1.6.2-3+deb8u5
Affects: 3.7.0-3.7.15
2660693
CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request
Vulnerable: 7.38.0-4+deb8u19
Fixed: 7.38.0-4+deb8u20
Affects: 3.7.0-3.7.15
2660582
In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure).
To recover, restart the clagd service with sudo systemctl restart clagd.service.
Affects: 3.7.8-3.7.15
2658233
The following vulnerabilities have been announced in the graphviz package:
CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (application crash) via a crafted file.
CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file.
Vulnerable: 2.38.0-7
Fixed: 2.38.0-7+deb8u1
Affects: 3.7.0-3.7.15
2654684
CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files
Vulnerable: <= 2.9.1+dfsg1-5+deb8u9
Fixed: 2.9.1+dfsg1-5+deb8u10
Affects: 3.7.0-3.7.15
2653521
CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code
Vulnerable: 0.4.1-1.2
Fixed: 0.4.1-1.2+deb8u1
Affects: 3.7.0-3.7.15
2646974
The following vulnerabilities have been announced in bind9:
CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service.
CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query.
CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries.
Vulnerable: <= 9.9.5.dfsg-9+deb8u21
Fixed: 9.9.5.dfsg-9+deb8u22
Affects: 3.7.0-3.7.15
2646968
CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service
Vulnerable: <= 6.8.9.9-5+deb8u23
Fixed: 6.8.9.9-5+deb8u24
Affects: 3.7.0-3.7.15
2645846
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.
Affects: 3.7.10-3.7.15
2638400
When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role.
Affects: 3.7.15, 4.3.0
2581473
When netq-agent is installed on the Dell N3048EP platform, switchd might crash if pluggables are installed in the SFP+ ports.
Affects: 3.7.13-3.7.15
2548044
CM-28608
When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor.
Affects: 3.7.12-3.7.15, 4.0.0-4.4.5

3.7.15 Release Notes

Open Issues in 3.7.15

Issue ID | Description | Affects | Fixed
3418046
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
Affects: 3.7.0-5.4.0 | Fixed: 5.5.0-5.6.0
3376798
On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected.
Affects: 3.7.0-3.7.16, 4.3.1-4.4.5
3330705
When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present.
Affects: 3.7.0-5.3.1 | Fixed: 5.4.0-5.6.0
3327477
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 through tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 through tacacs15 user password.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0
3216922
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-5.2.1 | Fixed: 5.3.0-5.6.0
3216921
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-3.7.16, 4.3.0-4.4.5
3216759
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly:
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5
3209699
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-4.3.0, 4.4.0-5.2.1 | Fixed: 4.3.1, 5.3.0-5.6.0
3129819
On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5
3123556
When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it.
Affects: 3.7.15-4.3.0, 4.4.0-5.1.0 | Fixed: 4.3.1, 5.2.0-5.6.0
3119615
In an MLAG topology, if you admin down a single connected interface, any dynamic MAC addresses on the peer link are flushed, then added back momentarily, which creates a disruption in traffic.
Affects: 3.7.15-5.1.0 | Fixed: 5.2.0-5.6.0
3093966
On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5
3077737
The update-ports.service fails because a blank space in the comment lines of the /etc/cumulus/ports.conf file causes parsing errors.
To work around this issue, remove the blank spaces in the commented lines, then restart the update-ports and switchd services.
Affects: 3.7.15-4.3.0 | Fixed: 4.3.1-4.4.5, 4.4.4-4.4.5
3073668
On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap.
Affects: 3.7.12-3.7.16, 4.3.0-4.4.5
3072613
When you delete a bond interface with NCLU, BGP peer group configuration is removed.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5
3066704
The hostapd service stops working if an 802.1X interface goes up and down many times over a long period of time.
To work around this issue, restart the hostapd service with the systemctl restart hostapd command.
Affects: 3.7.15-4.3.0 | Fixed: 4.3.1-4.4.5
3021693
When ARP suppression is off, Cumulus Linux sends GARPs from neighmgrd for remote neighbors over VXLAN.
Affects: 3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.1.0 | Fixed: 4.3.1, 4.4.4-4.4.5, 5.2.0-5.6.0
3017190
When you power cycle the switch, multiple interfaces come up in a PoE disabled state.
To work around this issue, run the sudo poectl -a | grep disabled command to find ports with PoE disabled. Run the sudo poectl -e swp1-swp48 command to enable PoE on the affected ports.
Affects: 3.7.10-3.7.16
3015881
Traffic flows fail because the remote VTEP IP address is missing from the layer 3 neighbor table in hardware on the switch. This happens when there is a neighbor entry for a /32 for which a type-5 route has also been received. If the route is learned after the neighbor entry, a timing condition can cause the neighbor entry to be removed from hardware when the route is installed in hardware.
This condition has been seen when the VTEP IP address is reused on an interface inside a VRF. The neighbor entry for the VTEP IP address is installed when a symmetric route is learned through that VTEP. The type-5 route for the VTEP IP address is learned in the VRF if it is redistributed or advertised within BGP in the VRF.
Affects: 3.7.15-3.7.16
3007564
After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed.
Affects: 3.7.15-5.0.1 | Fixed: 5.1.0-5.6.0, 5.2.0-5.6.0
2991514
Cumulus Linux can take a long time (100 seconds) to sync a large number of VNIs on a bridge.
Affects: 3.7.15-4.3.0 | Fixed: 4.3.1-4.4.5
2973714
When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds.
Affects: 3.7.15, 4.3.0, 4.4.0-4.4.1 | Fixed: 3.7.16, 4.3.1, 4.4.2-4.4.5, 5.0.0-5.6.0
2972538
With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non-cumulus user accounts.
Affects: 3.7.15-3.7.16
2965759
On the EdgeCore AS4610-54T switch, the fan speed reports a minimum threshold in the logs.
Affects: 3.7.15-3.7.16
2964279
When a VNI flaps, an incorrect list of layer 2 VNIs is associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI.
Affects: 3.7.15, 4.4.2-4.4.5, 5.0.0-5.6.0 | Fixed: 3.7.16
2961008
SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces.
Affects: 3.7.15-4.4.2, 5.0.0-5.0.1 | Fixed: 4.4.3-4.4.5, 5.1.0-5.6.0
2959454
CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact
Vulnerable: <= 2.1.0-6+deb8u6
Fixed: 2.1.0-6+deb8u7
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2959444
CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information
Vulnerable: <= 4.2-3+deb8u4
Fixed: 4.2-3+deb8u5
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2959067
ECMP produces errors indicating No More Resources and switchd crashes even when ECMP utilization is low.
Affects: 3.7.14.2-4.2.1 | Fixed: 4.3.0-4.4.5
2959024
ACL rules do not always install in hardware after switch reboot.
To work around this issue, run the sudo cl-acltool -i command to reinstall the ACL rules.
Affects: 3.7.14.2-3.7.15 | Fixed: 3.7.16
2957684
CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds errors were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality and application availability.
Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3
Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2951110
The net show time ntp servers command does not show any output with the management VRF.
Affects: 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.6.0
2949602
CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2949586
CVE-2022-21699: ipython may execute untrusted files in the current working directory
Vulnerable: 2.3.0-2
Fixed: 2.3.0-2+deb8u1
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2949585
CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog.
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2949584
CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service
Vulnerable: <= 3.26-1+debu8u15
Fixed: 3.26-1+debu8u16
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2947679
If the clagd service stops during initDelay, the peerlink flag does not clear from any VNIs that become dual connected during this time. switchd uses the peerlink flag to program MLAG loop prevention. As a result of the overlapping stale flags, traffic destined for the VXLAN might drop.
Affects: 3.7.15-3.7.16
2943442
Cumulus Linux lets you add more than one VXLAN interface to the same VLAN on the same bridge. This is an invalid configuration, as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN.
Affects: 3.7.15-4.3.0, 4.4.2-5.0.1 | Fixed: 4.3.1, 5.1.0-5.6.0
2941560
CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed
Vulnerable: <= 9.26a~dfsg-0+deb8u7
Fixed: 9.26a~dfsg-0+deb8u
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2940052
When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN.
Affects: 3.7.15, 4.2.1-4.3.0 | Fixed: 3.7.16, 4.3.1-4.4.5
2934940
CM-32683
When you change the SVI vlan-id value in the /etc/network/interfaces file, then run ifreload -a, the 802.1Q ID for the SVI in the kernel does not change.
This operation is not supported in the kernel without recreating the SVI. To apply the change, run ifdown, then ifup for the SVI to recreate the interface.
Affects: 3.7.13-3.7.15, 4.2.1 | Fixed: 3.7.16, 4.3.0-4.4.5
2934939
When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage.
To work around this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example:
Before:
address-family ipv4 unicast
aggregate-address 10.10.0.0/16 summary-only
redistribute connected
After:
ip route 10.10.0.0/16 Null0
!
address-family ipv4 unicast
redistribute connected route-map DENY-COMPONENTS
redistribute static
exit-address-family
ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
!
route-map DENY-COMPONENTS deny 10
match ip address prefix-list NO-COMPONENTS
!
route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed.
Affects: 3.7.12-3.7.16
2934938
When the clagd process terminates unexpectedly due to signals such as sig11 or sig6, no core file is generated.
Affects: 3.7.15 | Fixed: 3.7.16
2934935
switchd can cause a memory leak.
Affects: 3.7.14.2-3.7.15 | Fixed: 3.7.16, 4.3.1-4.4.5
2923748
CVE-2021-43818: lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs
Vulnerable: <= 3.4.0-1+deb8u4
Fixed: 3.4.0-1+deb8u5
Affects: 3.7.15 | Fixed: 3.7.16
2910862
CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value "zzip_file_read" in the function "unzzip_cat_file"
Vulnerable: <= 0.13.62-3+deb8u2
Fixed: 0.13.62-3+deb8u3
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2910861
CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse
CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods
Vulnerable: <= 2.1.5-2+deb8u12
Fixed: 2.1.5-2+deb8u13
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2899422
Broadcom switches return a table full error when creating VXLAN gports, which causes switchd to crash.
Affects: 3.7.15-4.3.0 | Fixed: 4.3.1-4.4.5
2896733
After traffic failover in a multicast topology with redundancy, the mroute is stuck in a prune state and PIM join messages continue to be sent. To work around this issue, run the vtysh clear ip mroute command.
Affects: 3.7.15-4.3.0, 5.0.0-5.0.1 | Fixed: 4.3.1-4.4.5, 5.1.0-5.6.0
2885241
CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PSS signatures, which could result in denial of service or potentially the execution of arbitrary code.
Vulnerable: <= 3.26-1+debu8u13
Fixed: 3.26-1+debu8u14
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2885239
CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms
Vulnerable: 6.0.0+dfsg-6 on armel platform
Fixed: 6.0.0+dfsg-6+deb8u1
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2885238
The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:
CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data.
CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response.
CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash.
Vulnerable: <= 5.43-2+deb9u2~deb8u3
Fixed: 5.43-2+deb9u2~deb8u4
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2879645
When you add a new VLAN, the VLAN interface type shows as unknown and cannot be reached.
Affects: 3.7.15 | Fixed: 3.7.16
2867058
On the Dell Z9264F-ON switch, interfaces that use the QSFP28 module remain down after you restart switchd.
Affects: 3.7.15-4.3.0 | Fixed: 4.3.1-4.4.5
2866111
CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2866096
CM-33416
Under certain high scale conditions, various modules might experience timeouts during cl-support collection, which results in missing data in the cl-support file.
Affects: 3.7.12-3.7.15, 4.1.1-4.3.0 | Fixed: 3.7.16, 4.3.1-4.4.5, 5.0.0-5.6.0
2866084
When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB, while the correct VTEP IP address is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del dev [dst|via] <interface|IP> command, then add "vxlan-learning": "off" to the /etc/network/ifupdown2/policy.d/vxlan.json file (add the trailing comma to the vxlan-port line, then add the vxlan-learning line):
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
  "vxlan": {
    "module_globals": { "vxlan-purge-remotes": "no" },
    "defaults": {
      "vxlan-ageing": "1800",
      "vxlan-port": "4789",
      "vxlan-learning": "off"
    }
  }
}
Then reboot the affected switches.
Affects: 3.7.12-4.3.0 | Fixed: 4.3.1-4.4.5
2862269
CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established
Vulnerable: <= 9.4.26-0+deb8u4
Fixed: 9.4.26-0+deb8u5
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2859177
The cl-route-check --layer3 command fails with a memory error. For example:
cumulus@switch:~$ sudo cl-route-check --layer3
Traceback (most recent call last):
  File "/usr/cumulus/bin/cl-route-check", line 1270, in
    routing.collect_data()
  File "/usr/cumulus/bin/cl-route-check", line 528, in collect_data
    self.collect_data_bgp_ipv4()
  File "/usr/cumulus/bin/cl-route-check", line 711, in collect_data_bgp_ipv4
    bgp_ipv4 = json.loads(output)
  File "/usr/lib/python2.7/json/__init__.py", line 338, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
    obj, end = self.scan_once(s, idx)
MemoryError
Affects: 3.7.15-3.7.16
2855881
A number of vulnerabilities were discovered in Redis, a popular key/value database:
CVE-2021-32672: Random heap reading issue with Lua Debugger
CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value
CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections
CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow
Vulnerable: <= 2:2.8.17-1+deb8u8
Fixed: 2:2.8.17-1+deb8u9
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2855879
The following vulnerabilities have been announced in the python3.4 package:
CVE-2021-3426: Running 'pydoc -p' allows other local users to extract arbitrary files. The '/getfile?key=path' URL allows reading an arbitrary file on the filesystem.
CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexity and allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
CVE-2021-3737: The HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a '100 Continue' HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server.
Vulnerable: <= 3.4.2-1+deb8u10
Fixed: 3.4.2-1+deb8u11
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2853536
MLAG between Cumulus Linux and Arista devices might result in some links being suspended by the Arista devices with the error LACP partner validation failed.
This happens when you use the same LACP port ID for more than one bond member on the Cumulus Linux switch.
To work around this issue, run the net add bond bond mode balance-xor command on the bond on the Cumulus Linux switch. For proper operation, you need to make the equivalent change on the device on the other side of the link.
Affects: 3.7.15-3.7.16
2850806
CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts)
Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22
Fixed: 1:9.9.5.dfsg-9+deb8u23
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2848219
On Dell S3048 switches configured for 802.1x authentication, you might see file descriptor exhaustion with hostapd messages indicating that Cumulus Linux is unable to open /dev/urandom or write out the transient ACL files.
To work around this issue, reboot the switch.
Affects: 3.7.15, 4.3.0 | Fixed: 3.7.16, 4.3.1-4.4.5
2845540
CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling
Vulnerable: <= 1.7.5-11+deb8u8
Fixed: 1.7.5-11+deb8u9
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2841003
CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference
Vulnerable: <= 0.13-4~deb8u2
Fixed: 0.13-4~deb8u3
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2835994
CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function
Vulnerable: <= 1.0.1t-1+deb8u15
Fixed: 1.0.1t-1+deb8u16
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2827336
After bringing up a bridge port, there is a multi-second delay before the bridge port is able to learn any MAC addresses or neighbors, which causes a forwarding delay (about six seconds with 300 or more VLANs).
Affects: 3.7.15-3.7.16
2823255
CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode)
Vulnerable: <= 52.1-8+deb8u8
Fixed: 52.1-8+deb8u9
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2821981
The following vulnerabilities have been announced in the ruby2.1 package:
CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename.
CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).
CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
Vulnerable: <= 2.1.5-2+deb8u11
Fixed: 2.1.5-2+deb8u12
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2821970
When there is a netlink event showing an update to a forwarding database entry from the VXLAN driver, ip monitor reports the remote VTEP address (dst) as ???. The bridge monitor command correctly shows the value.
Affects: 3.7.15 | Fixed: 3.7.16
2821869
The cl-route-check --layer3 command fails with a memory error. For example:
cumulus@switch:~$ sudo cl-route-check --layer3
Traceback (most recent call last):
  File "/usr/cumulus/bin/cl-route-check", line 1270, in
    routing.collect_data()
  File "/usr/cumulus/bin/cl-route-check", line 528, in collect_data
    self.collect_data_bgp_ipv4()
  File "/usr/cumulus/bin/cl-route-check", line 711, in collect_data_bgp_ipv4
    bgp_ipv4 = json.loads(output)
  File "/usr/lib/python2.7/json/__init__.py", line 338, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
    obj, end = self.scan_once(s, idx)
MemoryError
Affects: 3.7.15-4.4.5 | Fixed: 5.0.0-5.6.0
2820758
The following vulnerabilities have been announced in curl:
CVE-2021-22946: Crafted answers from a server might force clients to not use TLS on connections even though TLS was required and expected
CVE-2021-22947: When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and, as such, the client would handle them as being trusted. This could be used by a MITM attacker to inject fake response data
Vulnerable: <= 7.38.0-4+deb8u21
Fixed: 7.38.0-4+deb8u22
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2817130
The cl-route-check --layer3 command fails with a memory error. For example:
cumulus@switch:~$ sudo cl-route-check --layer3
Traceback (most recent call last):
File "/usr/cumulus/bin/cl-route-check", line 1270, in
routing.collect_data()
File "/usr/cumulus/bin/cl-route-check", line 528, in collect_data
self.collect_data_bgp_ipv4()
File "/usr/cumulus/bin/cl-route-check", line 711, in collect_data_bgp_ipv4
bgp_ipv4 = json.loads(output)
File "/usr/lib/python2.7/json/__init__.py", line 338, in loads
return _default_decoder.decode(s)
File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
obj, end = self.scan_once(s, idx)
MemoryError
Affects: 3.7.15; Fixed: 3.7.16, 5.0.0-5.6.0
2815592
In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence.
Affects: 3.7.12-4.3.0, 4.4.2-5.0.1; Fixed: 4.3.1, 5.1.0-5.6.0
2813826
Two security issues were found in TIFF, a widely used format for storing image data, as follows:
CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the "invertImage()" function in the component "tiffcrop"
CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the "_TIFFmemcpy" function in the component "tif_unix.c"
Vulnerable: <= 4.0.3-12.3+deb8u11
Fixed: 4.0.3-12.3+deb8u12
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2813823
Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash:
CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer
CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may
CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user
Vulnerable: <= 2.4.10-10+deb8u18
Fixed: 2.4.10-10+deb8u19
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2803044
In an EVPN configuration with IP or MAC mobility, higher MM EVPN routes do not remove the old ARP entries during VIP migration between VTEP racks.
Affects: 3.7.14.2-3.7.15, 4.3.0-4.4.5; Fixed: 3.7.16
2801262
On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart.
To work around this issue, load the port configuration in a staggered manner (groups of five downlink ports).
Affects: 3.7.12-4.3.0, 4.4.2-4.4.5; Fixed: 4.3.1, 5.0.0-5.6.0
2801126
CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures
Vulnerable: <= 2.7.1-5+deb8u2
Fixed: 2.7.1-5+deb8u3
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2801125
OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let's Encrypt certificates, starting 2021-10-01
Vulnerable: <= 1.0.1t-1+deb8u14
Fixed: 1.0.1t-1+deb8u15
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2801124
GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let's Encrypt certificates, starting 2021-10-01
Vulnerable: <= 3.3.30-0+deb8u1
Fixed: 3.3.30-0+deb8u2
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2799742
CM-33032
On the Edgecore AS4610 switch, the historic CPU usage displayed in /run/sysmonitor/history sometimes shows as a negative value.
Affects: 3.7.12-3.7.15; Fixed: 3.7.16, 4.3.1-4.4.5
2798979
Configuring a route map to filter VNIs causes type-3 routes not to be advertised, even for L2VNIs that the route map permits.
Affects: 3.7.15-3.7.16
2798139
CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions
Vulnerable: <= 9.4.26-0+deb8u3
Fixed: 9.4.26-0+deb8u4
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2794750
CM-29043
When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering.
Affects: 3.7.12-3.7.15, 4.0.0-4.2.1; Fixed: 3.7.16, 4.3.0-4.4.5
2792750
If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely.
Affects: 3.7.15-4.3.0, 4.4.0-4.4.5; Fixed: 4.3.1
2770226
In an MLAG configuration with traditional bridges, MAC addresses are seen over the peer link during ifreload when adding new VLANs or bridges.
Affects: 3.7.14.2-3.7.15, 4.3.0-4.4.5; Fixed: 3.7.16, 5.0.0-5.6.0
2769687
CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library
Vulnerable: <= 7.38.0-4+deb8u20
Fixed: 7.38.0-4+deb8u21
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2769633
CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames
Vulnerable: <= 1.10.0-2+deb8u2
Fixed: 1.10.0-2+deb8u3
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2769632
CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made
Vulnerable: <= 0.80.7-2+deb8u4
Fixed: 0.80.7-2+deb8u5
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2769631
CVE-2021-38165: lynx has a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data
Vulnerable: <= 2.8.9dev1-2+deb8u1
Fixed: 2.8.9dev1-2+deb8u2
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2754791
Remote MAC addresses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP.
Affects: 3.7.14.2-3.7.16, 4.3.0-4.4.5
2743186
When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish.
Affects: 3.7.15-5.1.0; Fixed: 5.2.0-5.6.0
2743132
CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow execution of arbitrary code
Vulnerable: <= 1.0.25-9.1+deb8u5
Fixed: 1.0.25-9.1+deb8u6
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2736265
After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes.
Affects: 3.7.12-3.7.15, 4.2.1-4.3.0; Fixed: 3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5
2736247
CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.c
Vulnerable: <= 1.900.1-debian1-2.4+deb8u10
Fixed: 1.900.1-debian1-2.4+deb8u11
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2736245
CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems
Vulnerable: <= 2.8.17-1+deb8u7
Fixed: 2.8.17-1+deb8u8
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2734107
When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs.
Affects: 3.7.12-4.3.0, 4.4.0-4.4.1; Fixed: 4.3.1, 4.4.2-4.4.5
2728207
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5
2728206
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5
2728205
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-4.4.1; Fixed: 4.4.2-4.4.5
2726776
CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour
Vulnerable: <= 2.4.10-10+deb8u17
Fixed: 2.4.10-10+deb8u18
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2717312
When you modify a prefix list with NCLU commands, the bgpd service crashes.
Affects: 3.7.14.2-3.7.15; Fixed: 3.7.16
2716841
CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository
Vulnerable: <= 1.5.6-5+deb8u1
Fixed: 1.5.6-5+deb8u2
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2716822
The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports.
Affects: 3.7.15-4.3.0; Fixed: 4.3.1-4.4.5
2713888
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly:
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode.
Affects: 3.7.15-5.0.1; Fixed: 5.1.0-5.6.0
2705169
CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed
Vulnerable: <= 4.0.3-12.3+deb8u10
Fixed: 4.0.3-12.3+deb8u11
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2705168
CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access
Vulnerable: <= 5.43-2+deb9u2~deb8u2
Fixed: 5.43-2+deb9u2~deb8u3
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2702519
CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt
Vulnerable: <= 1.6.3-2+deb8u8
Fixed: 1.6.2-2+dev8u9
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2700767
Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use an MLAG peer IP linklocal configuration.
Affects: 3.7.12-3.7.15, 4.3.0-4.4.5; Fixed: 3.7.16
2699464
In a VXLAN fabric with ToR switches configured in an MLAG pair, BUM traffic received on a VXLAN tunnel is decapsulated and forwarded on the peer link bond. The BUM traffic is then encapsulated by the peer switch and sent back to the fabric. The issue has been seen in environments where the following conditions exist at the same time:
1) high VNI scale
2) switchd is busy processing updates
3) clagd is in a transition state, such as Up, then Down, then Up. For example, when clagd restarts, the switch reboots, and so on
The problem is seen on the switch that experiences the clagd state transition.
Affects: 3.7.12-3.7.15; Fixed: 3.7.16
2690100
When you run the vtysh show ip bgp vrf statistics command, the bgpd service crashes if you use vrf all. For example:
spine01# show ip bgp vrf all statistics
vtysh: error reading from bgpd: Success (0)
Warning: closing connection to bgpd because of an I/O error!
To work around this issue, run the command against each VRF independently.
Affects: 3.7.15-4.3.0; Fixed: 4.3.1-4.4.5
2687332
When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage.
To work around this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example:
Before:
address-family ipv4 unicast
  aggregate-address 10.10.0.0/16 summary-only
  redistribute connected
After:
ip route 10.10.0.0/16 Null0
!
address-family ipv4 unicast
  redistribute connected route-map DENY-COMPONENTS
  redistribute static
exit-address-family
ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
!
route-map DENY-COMPONENTS deny 10
  match ip address prefix-list NO-COMPONENTS
!
route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed.
Affects: 3.7.12-4.2.1; Fixed: 4.3.0-4.4.5
2684452
When a VTEP is rebooted, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB, while the correct VTEP IP address is present in the EVPN MAC VNI table.
You can work around this issue with the following steps:
1. Clear all corrupted MAC entries in the kernel FDB with the bridge fdb del dev [dst|via] <interface|IP> command.
2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json. Add a trailing comma at the end of the "vxlan-port" line, then add the "vxlan-learning" line after it, so the file reads:
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
"vxlan": {
"module_globals": { "vxlan-purge-remotes": "no" },
"defaults": {
"vxlan-ageing": "1800",
"vxlan-port": "4789",
"vxlan-learning": "off"
}
}
}
3. Reboot the affected switch(es).
Affects: 3.7.12-3.7.16
2684404
CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8
Fixed: 1.6.2-5+deb8u9
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2679950
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
Affects: 3.7.0-3.7.15, 4.0.0-4.3.1; Fixed: 3.7.16, 4.4.0-4.4.5
2677063
CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10
Fixed: 2.9.1+dfsg1-5+deb8u11
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2677061
CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7
Fixed: 1.6.2-5+deb8u8
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2677060
CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6
Fixed: 2.7.9-2-ds1-1+deb8u7
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2669858
CM-32169
OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf.
This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper.
Affects: 3.7.14-3.7.16, 4.0.0-4.4.5
2669831
If you try to remove BFD configuration with systemctl reload frr, the FRR service fails. The reload action results in a "TypeError: expected string or bytes-like object" error.
You see this issue only if there is default configuration, such as configuration in the /etc/frr/frr.conf file that is suppressed from view in the FRR running configuration.
To work around this issue, remove the default configuration lines; for example:
username cumulus nopassword
Affects: 3.7.14.2-3.7.15; Fixed: 3.7.16
2668483
If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent fdb entry for the old MAC address.
Affects: 3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.0.1; Fixed: 4.3.1, 4.4.4-4.4.5, 5.1.0-5.6.0
2668477
CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions
Vulnerable: <= 1.6.2-3+deb8u4
Fixed: 1.6.2-3+deb8u5
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2660693
CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request
Vulnerable: 7.38.0-4+deb8u19
Fixed: 7.38.0-4+deb8u20
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2660582
In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure).
To recover, restart the clagd service with sudo systemctl restart clagd.service.
Affects: 3.7.8-3.7.15; Fixed: 3.7.16
2658233
The following vulnerabilities have been announced in the graphviz package:
CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (application crash) via a crafted file
CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file
Vulnerable: 2.38.0-7
Fixed: 2.38.0-7+deb8u1
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2656291
The following CVEs affect the linux kernel package:
CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
For the detailed security status of linux, refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux
Affects: 3.7.12-3.7.16; Fixed: 4.0.0-4.4.5
2654684
CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files
Vulnerable: <= 2.9.1+dfsg1-5+deb8u9
Fixed: 2.9.1+dfsg1-5+deb8u10
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2653521
CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code
Vulnerable: 0.4.1-1.2
Fixed: 0.4.1-1.2+deb8u1
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2653400
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.
Affects: 3.7.10-3.7.16
2652003
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.
Affects: 3.7.10-4.3.0; Fixed: 4.3.1-4.4.5
2648658
If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure.
Affects: 3.7.15-4.3.1; Fixed: 4.4.0-4.4.5
2646974
The following vulnerabilities have been announced in bind9:
CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service
CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query
CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries
Vulnerable: <= 9.9.5.dfsg-9+deb8u21
Fixed: 9.9.5.dfsg-9+deb8u22
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2646968
CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service
Vulnerable: <= 6.8.9.9-5+deb8u23
Fixed: 6.8.9.9-5+deb8u24
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2645846
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.
Affects: 3.7.10-3.7.15; Fixed: 3.7.16, 4.3.1-4.4.5
2638400
When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role.
Affects: 3.7.15-4.3.0; Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2638137
When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file.
Affects: 3.7.13-3.7.16
2633245
On the Dell N3048EP-ON switch, the SFP+ ports remain down after a power cycle.
Affects: 3.7.10-3.7.16
2607965
On the EdgeCore AS7726 switch, when you run the NCLU net show system command, you see the error Command not found.
Affects: 3.7.14.2-3.7.16
2581473
When netq-agent is installed on the Dell N3048EP platform, switchd might crash if pluggables are installed in the SFP+ ports.
Affects: 3.7.13-3.7.15; Fixed: 3.7.16
2562347
When you bring VXLAN interfaces up and down physically or administratively, the MTU for the SVIs changes to 1550 (the default value).
Affects: 3.7.14.2-3.7.16
2556037
CM-33012
After you add an interface to the bridge, an OSPF session flap might occur.
Affects: 3.7.9-4.2.0; Fixed: 4.2.1-4.4.5
2555908
CM-32940
If you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up.
To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command.
Affects: 3.7.12-4.0.1; Fixed: 4.1.0-4.4.5
2555528
CM-32750
In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer's ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher.
Affects: 3.7.14-4.2.1; Fixed: 4.3.0-4.4.5
2555175
CM-32528
Control plane traffic (for example, BGP peering from leaf to spine) goes down on the leaf because the peer's hold-down timer expires following prolonged link flaps on downlinks, when VXLAN-enabled VLANs are carried on the flapping link.
Affects: 3.7.15-3.7.16, 4.2.1-4.4.5
2554785
CM-32275
After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:
Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:
Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed out
Nov 12 12:20:05.064464 leaf01 switchd[9867]:
Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memory
Nov 12 12:20:05.092029 leaf01 switchd[9867]:
Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initialized
Nov 12 12:20:05.099579 leaf01 switchd[9867]:
Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminated
Nov 12 12:20:05.099667 leaf01 switchd[9867]:
Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminated
Nov 12 12:20:05.099798 leaf01 switchd[9867]:
Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0
Nov 12 12:20:05.099892 leaf01 switchd[9867]:
Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!
To work around this issue, configure Cumulus Linux to boot with the intel_iommu=off kernel command option:
1. Open the /etc/default/grub file with a text editor.
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"
3. Run the update-grub command.
4. Reboot the switch.
Affects: 3.7.11-4.2.1; Fixed: 4.3.0-4.4.5
2554709
CM-32217
The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected its primary IP address, the unnumbered interface does not update its primary IP address to the new use-source value until there is a netlink update for that interface.
To work around this issue, configure ip pim use-source on each unnumbered interface directly, or ensure that ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM.
Affects: 3.7.13-3.7.16, 4.2.1-4.4.5
2554588
CM-32149
If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is running.
To work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:
DHCPD_PID="-pf {0}"
to:
DHCPD_PID="-pf {1}"
Affects: 3.7.13-4.2.1; Fixed: 4.3.0-4.4.5
2554369
CM-32006
Certain Dell S4048-ON switches show an incorrect vendor name and hang when you issue the reboot command.
Affects: 3.7.12-4.2.1; Fixed: 4.3.0-4.4.5
2553887
CM-31700
When using TACACS+ configured with a DEFAULT user that provides a privilege level lower than 16, TACACS+ users configured with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del, and see an error similar to the following:
ERROR: You do not have permission to execute that command.
To work around this issue, remove the DEFAULT user from the TACACS+ server.
Affects: 3.7.7-3.7.16, 4.0.0-4.4.5
2553677
CM-31605
When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:
cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:
createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"
adding the following line to /snmp/snmpd.conf:
rwuser userSHAwithAES
touch: cannot touch '/snmp/snmpd.conf': No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent
To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:
cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption
Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation.
Affects: 3.7.13-3.7.16, 4.0.0-4.4.5
2553219
CM-31407
You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters.
Affects: 3.7.12-4.2.1; Fixed: 4.3.0-4.4.5
2553116
CM-31357
When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2553050
CM-31322
SNMP status might incorrectly reflect that a BGP neighbor is down due to an issue between bgpd and SNMP AgentX when the IP-FORWARD-MIB is also polled.
To work around this issue, avoid polling IP-FORWARD-MIB objects.
Affects: 3.7.12-3.7.16
2553015
CM-31300
If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail.
Affects: 3.7.10-3.7.16, 4.2.0-4.4.5
2552939
CM-31263
The RX_DRP counter on a bond interface increases without any data traffic, while the counter on the slave port does not increase.
Affects: 3.7.12-4.2.1; Fixed: 4.3.0-4.4.5
2552869
CM-31231
On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command.
Affects: 3.7.13-4.2.1; Fixed: 4.3.0-4.4.5
2552742
CM-31150
On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd.
Affects 3.7.12-4.2.1; fixed in 4.3.0-4.4.5
2552739
CM-31148
Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor.
3.7.2-3.7.16
2552610
CM-31057
The following vulnerability has been announced:
CVE-2019-11360: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.
Affects 3.7.13-4.2.0; fixed in 4.2.1-4.4.5
2552294
CM-30879
NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
3.7.12-3.7.16, 4.0.0-4.4.5
2552266
CM-30863
OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files.
There are two scenarios in which this vulnerability is useful to an attacker:
- The user is authorized to use scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.
- An attacker plants a maliciously named file in a directory tree that someone later uses scp -r to copy over to the target computer.
Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server.
If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files.
To disable scp completely, use /bin/chmod 0 /usr/bin/scp.
3.7.14-3.7.16, 4.0.0-4.4.5
2551912
CM-30580
ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down.
Affects 3.7.12-4.2.0; fixed in 4.2.1-4.4.5
2551578
CM-30422
When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error.
3.7.12-3.7.16, 4.0.0-4.4.5
2551565
CM-30414
If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected.
To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands.
3.7.13-3.7.16, 4.2.0-4.4.5
2551554
CM-30408
Customers running security scans on Cumulus Linux 4 may encounter the listing of an incorrect version of u-boot 2014.10+dfsg1-4 with the following vulnerabilities: CVE-2017-3225, CVE-2017-3226, CVE-2018-18440, CVE-2019-11690, CVE-2019-13103, CVE-2019-14192, CVE-2019-14193, CVE-2019-14194, CVE-2019-14195, CVE-2019-14196, CVE-2019-14197, CVE-2019-14198, CVE-2019-14199, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203, CVE-2019-14204, CVE-2020-10648.
The u-boot-tools package is not installed on the switch by default, but is available in the repository for optional installation. On Cumulus Linux 4, the version is at least 2019.01+dfsg-7. However, the older versions available for optional installation on Cumulus Linux 3 may be vulnerable.
According to https://security-tracker.debian.org/tracker/source-package/u-boot , all except the following are fixed in 2019.01+dfsg-7:
- CVE-2017-3225: https://security-tracker.debian.org/tracker/CVE-2017-3225 says "Negligible security impact".
- CVE-2017-3226: https://security-tracker.debian.org/tracker/CVE-2017-3226 says "Negligible security impact".
- CVE-2018-18440: https://security-tracker.debian.org/tracker/CVE-2018-18440 says "No security impact as supported/packaged in Debian".
Affects 3.7.12-3.7.16; fixed in 4.0.0-4.4.5
2551305
CM-30296
The net show configuration command provides the wrong net add command for ACL under the VLAN interface.

3.7.12-3.7.16, 4.1.0-4.4.5
2551288
CM-30286
When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.
To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file.
Affects 3.7.7-3.7.16; fixed in 4.0.0-4.4.5
2550974
CM-30195
On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured.
3.7.11-3.7.16, 4.1.1-4.4.5
2550942
CM-30178
NCLU tab completion for net show displays the text "add help text" instead of "system Information" for the system option.
Affects 3.7.11-4.2.0; fixed in 4.2.1-4.4.5
2550796
CM-30103
On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero.
To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs.
Affects 3.7.12-4.2.1; fixed in 4.3.0-4.4.5
2550793
CM-30101
The NCLU net show bridge spanning-tree command displays the aging timer incorrectly.
3.7.12-3.7.16, 4.0.0-4.4.5
2550479
CM-29899
VXLAN interface as in-interface or out-interface in an ACL is not supported on Spectrum-based switches.
Affects 3.7.7-4.2.0; fixed in 4.2.1-4.4.5, 4.3.0-4.4.5
2550444
CM-29872
Tab completion for the net show rollback description command returns information about a snapshot instead of context help.
To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command.
3.7.12-3.7.16, 4.0.0-4.4.5
2550443
CM-29871
The net show rollback description command returns an error even if the string matches a commit description.
To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead.
3.7.12-3.7.16, 4.0.0-4.4.5
2550276
CM-29779
In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added.
All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent.
Affects 3.7.12-4.2.1; fixed in 4.3.0-4.4.5
2550243
CM-29759
When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.
To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service. For example:

#Requires=nginx.service restserver.socket
3.7.12-3.7.16, 4.0.0-4.4.5
2550056
CM-29652
The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:

error: invalid signature.
Press any key to continue…
3.7.12-3.7.16, 4.1.1-4.4.5
2549925
CM-29594
When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:

error: swp1s1.2: netlink: cannot set link swp1s1.2 up: operation failed with ‘Network is down’ (100)
warning: cmd ‘/bin/ip addr del 10.0.0.1/24 dev eth0’ failed: returned 2 (RTNETLINK answers: Cannot assign requested address

To work around this issue, run the ifreload -a command a second time.
3.7.12-3.7.16, 4.0.0-4.4.5
2549872
CM-29562
If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error.
3.7.12-3.7.16, 4.1.1-4.4.5
2549838
CM-29546
In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel.
If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel.
To work around this issue, delete, then re-add the missing VNI. For example:

cumulus@switch:~$ sudo ifdown vni10100
cumulus@switch:~$ sudo ifup vni10100

If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI.
Affects 3.7.12-4.2.1; fixed in 4.3.0-4.4.5
2549782
CM-29519
The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state.
3.7.12-3.7.16, 4.0.0-4.4.5
2549731
CM-29492
When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:

[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1
3.7.12-3.7.16, 4.1.1-4.4.5
2549472
CM-29367
On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic.
Affects 3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2549371
CM-29309
When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when no MLD join is received.
Affects 3.7.11-4.3.1; fixed in 4.4.0-4.4.5
2549307
The following vulnerabilities affect git, which is available in the repository for optional installation:
CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.
Affects 3.7.12-4.1.1; fixed in 4.2.0-4.4.5
2548962
CM-29165
With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table.
Affects 3.7.12-4.1.1; fixed in 4.2.0-4.4.5
2548930
CM-29148
On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware.
Affects 3.7.11-4.2.1; fixed in 4.3.0-4.4.5
2548746
CM-29068
On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect.
Affects 3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2548657
CM-29035
When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages.
3.7.12-3.7.16, 4.0.0-4.4.5
2548490
CM-28944
A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.
To work around this issue, reenter the redistribute <connected|static> route-map statement in the configuration.
Affects 3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2548485
CM-28940
If you configure the aggregate-address summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, then remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example, with the existing configuration:

router bgp 1
 address-family ipv4 unicast
  aggregate-address 50.0.0.0/8 summary-only
 exit-address-family

If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:

Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 50.0.0.0         0.0.0.0                            32768 i
s> 50.0.0.1/32      0.0.0.0                  0         32768 i

Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:

Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
s> 50.0.0.1/32      0.0.0.0                  0         32768 i

To work around this issue, remove, then re-add the component prefix routes.
Affects 3.7.12-4.2.1; fixed in 4.3.0-4.4.5
2548315
CM-28816
The following security advisory has been announced for bash:
CVE-2019-18276 Qualys scan QID 372268 setuid vulnerability
When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges.
To work around this issue, do not make bash or bash scripts setuid.
3.7.12-3.7.16, 4.0.0-4.4.5
2548243
CM-28754
On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules.
3.7.3-3.7.16, 4.0.0-4.4.5
2548155
CM-28685
The net show bgp neighbor swpX json command shows negative output for the bgpTimerUpMsec timer.
Affects 3.7.10-3.7.16; fixed in 4.0.0-4.4.5
2548117
CM-28659
In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX.
3.7.12-3.7.16, 4.0.0-4.4.5
2548044
CM-28608
When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor.
Affects 3.7.12-3.7.15, 4.0.0-4.4.5; fixed in 3.7.16
2548024
CM-28596
On the Dell Z9100 switch, 100G-SR4 modules might not link up reliably in certain ports.
swp1, 2, 3, 9, 10, 23, 24, 30, 31, and 32 might be affected.
To work around this issue, move 100G-SR4 modules to one of the ports not affected by this issue.
Affects 3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2547942
CM-28533
On the Lenovo NE0152T switch, one power supply (PSU2) always shows as ABSENT in smonctl.
Affects 3.7.11-4.0.1; fixed in 4.1.0-4.4.5
2547878
The following vulnerability has been found in the libgcrypt20 cryptographic library.
CVE-2019-13627: there was an ECDSA timing attack.
For more information, see https://www.debian.org/lts/security/2020/dla-1931-2.en.html
Vulnerable: 1.6.3-2+deb8u7
Fixed: 1.6.3-2+deb8u8
3.7.11-3.7.16
2547876
The following vulnerability affects libxml2:
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c has a memory leak related to newDoc->oldNs. This can lead to a denial of service.
For more information, see https://www.debian.org/lts/security/2019/dla-2048.en.html .
Vulnerable: 2.9.1+dfsg1-5+deb8u7
Fixed: 2.9.1+dfsg1-5+deb8u8
3.7.11-3.7.16
2547874
The following vulnerability affects libbsd, a package containing utility functions from BSD systems.
CVE-2016-2090: In the function fgetwln(), an off-by-one error could trigger a heap buffer overflow.
For more information, see https://www.debian.org/lts/security/2019/dla-2052.en.html .
Vulnerable: 0.7.0-2
Fixed: 0.7.0-2+deb8u1
3.7.11-3.7.16
2547839
CM-28465
When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error.
Affects 3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2547782
CM-28441
If an LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns.
3.7.11-3.7.16, 4.0.0-4.4.5
2547706
CM-28397
When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch.
3.7.11-3.7.16, 4.0.0-4.4.5
2547659
CM-28372
On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise.
Affects 3.7.11-4.0.1; fixed in 4.1.0-4.4.5
2547573
CM-28322
On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU.
3.7.9-3.7.16
2547443
CM-28248
On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode.
Affects 3.7.11-4.0.1; fixed in 4.1.0-4.4.5
2547381
CM-28212
The hsflowd service sends an undefined header protocol 0 in the sampled flow sample to the collector, which is not recognized by the sFlow tool. You see errors similar to the following:

Dec 20 08:43:27 netflow-nms sfcapd[3991]: SFLOW: readFlowSample_header() undefined headerProtocol = 0

Affects 3.7.11-3.7.16; fixed in 4.0.0-4.4.5
2547349
CM-28193
When you change an interface IP address, then change it back, static routes are misprogrammed.
One of the following actions recovers the routes:
- Bounce both layer 3 interfaces
- Remove or add static routes in FRR
- Restart FRR
Affects 3.7.11-3.7.16; fixed in 4.0.0-4.4.5
2547123
CM-28078
On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect.
Affects 3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2547120
CM-28076
After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number) until you run the decode-syseeprom --init command.
3.7.11-3.7.16, 4.0.0-4.4.5
2547118
The following security vulnerabilities have been announced in the libtiff5 library on Cumulus Linux 4.0:
CVE-2019-14973, CVE-2019-17546: Multiple integer overflows have been discovered in the libtiff library and the included tools.
Vulnerable: 4.0.10-4
Fixed: 4.1.0+git191117-2~deb10u1
Affects 3.7.10-4.0.1; fixed in 4.1.0-4.4.5
2547100
CM-28061
On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic.
Affects 3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2547068
CM-28046
Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly.
To work around this issue, contact your hardware vendor to inquire if a new version of the BIOS with a microcode fix is available, or manually disable CPU C-states in the kernel as outlined below.
To permanently disable C-states using a kernel boot parameter:
1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if the /etc/default/grub file contains the line GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off", change it to GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0".
2. Run sudo update-grub.
3. Reboot the system with sudo reboot.
To disable C-states in real time on the current system, which does not persist through a reboot:
1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm that the following line is displayed:
ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)
The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade; sudo apt install libpci3.
2. Disable C-states by running the command ./cpupower idle-set -d 2.
C-states are disabled by default in Cumulus Linux 4.3.0 and later.
Affects 3.7.9-4.2.1; fixed in 4.3.0-4.4.5
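As an added example (not part of these release notes or of Cumulus Linux), the following POSIX shell helper performs step 1 of the permanent workaround idempotently: it appends a kernel argument such as processor.max_cstate=0 to GRUB_CMDLINE_LINUX in a grub defaults file only if it is not already there, so re-running it from configuration management does not duplicate the argument. The function names and the grub_param.sh file name are this example's own.

```shell
#!/bin/sh
# Added example, not from the Cumulus Linux release notes: idempotently add a
# kernel boot argument to GRUB_CMDLINE_LINUX in a grub defaults file.
# Assumes the double-quoted GRUB_CMDLINE_LINUX="..." form shown in the note.

# Print the current GRUB_CMDLINE_LINUX value (without the surrounding quotes).
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# Return 0 if the exact argument is already one of the space-separated words,
# so that a partial match (e.g. max_cstate=1 vs max_cstate=0) does not count.
grub_has_param() {
    for w in $(grub_cmdline "$1"); do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# Append the argument to GRUB_CMDLINE_LINUX unless it is already present.
# Keeps a .bak copy of the original file and prints the resulting value.
add_grub_param() {
    file="$1"
    param="$2"
    if ! grep -q '^GRUB_CMDLINE_LINUX="' "$file"; then
        echo "no GRUB_CMDLINE_LINUX line in $file" >&2
        return 1
    fi
    if grub_has_param "$file" "$param"; then
        grub_cmdline "$file"
        return 0
    fi
    tmp="$file.tmp.$$"
    cp "$file" "$file.bak"
    awk -v p="$param" '
        /^GRUB_CMDLINE_LINUX="/ {
            sub(/"$/, "")                      # drop the closing quote
            if ($0 ~ /="$/) $0 = $0 p "\""     # empty value: no leading space
            else            $0 = $0 " " p "\""
        }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
    grub_cmdline "$file"
}

# Usage on a switch (steps 2 and 3 of the note still follow):
#   sudo sh -c '. ./grub_param.sh; add_grub_param /etc/default/grub processor.max_cstate=0'
#   sudo update-grub && sudo reboot
```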
2546991
CM-28003
The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code.
3.7.11-3.7.16, 4.0.0-4.4.5
2546895
CM-27957
If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:

systemd[1]: switchd.service watchdog timeout (limit 2min)!

To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd timeout for switchd.service.
To increase the systemd timeout:
1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
2. Restart the switchd service with the sudo systemctl restart switchd.service command.
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command.
3.7.11-3.7.16, 4.0.0-4.4.5
2546451
CM-27737
On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold.
3.7.11-3.7.16
2546385
CM-27698
SNMP ifLastChange reports link transitions when there are none.
3.7.6-3.7.16
2546225
CM-27627
When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.
 
sudo onie-install -fai http://
sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image.
3.7.11-3.7.16, 4.0.0-4.4.5
2546203
CM-27620
When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior:
* Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet.
* If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet.
3.7.11-3.7.16
2546131
CM-27581
On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present.
3.7.11-3.7.16, 4.0.0-4.4.5
2546010
CM-27530
When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist.
3.7.10-3.7.16
2545997
CM-27522
The NCLU command net show interface produces an error if bonds with no members exist.
To work around this issue, remove the empty bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a.
3.7.10-3.7.16
2545566
CM-27272
The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT.
Affects 3.7.12-4.0.1; fixed in 4.1.0-4.4.5
2545446
CM-27192
If you use NCLU commands to add a non-MLAG bond, then add an MLAG configuration, the net commit command fails. However, a subsequent net commit command succeeds.
3.7.10-3.7.16
2545125
CM-27018
If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address.
3.7.10-3.7.16, 4.0.0-4.4.5
2544978
CM-26921
If you delete an undefined bond, then add a bond slave, the net commit command fails.
3.7.9-3.7.16, 4.0.0-4.4.5
2544968
CM-26913
FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file.
3.7.9-3.7.16, 4.0.0-4.4.5
2544953
CM-26905
When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command.
3.7.10-3.7.16, 4.0.0-4.4.5
2544904
CM-26875
After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements.
To work around this issue, restart FRR after removing the IPv6 numbered configuration.
Affects 3.7.9-4.1.1; fixed in 4.2.0-4.4.5
2544829
CM-26829
Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump.
3.7.8-3.7.16
2544671
CM-26736
Package: sudo
CVE ID: CVE-2019-14287
Debian Bug: 942322
Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows running commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access.
Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html
We recommend that you upgrade your sudo packages. For the detailed security status of sudo, please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudo
Vulnerable versions: < 1.8.27-1+deb10u1
Fixed versions: >= 1.8.27-1+deb10u1
To work around this issue, disable (comment out) any sudoers entries in /etc/sudoers or files in /etc/sudoers.d that have entries with !root in them. Only root or other users with a UID of 0 are affected.
Affects 3.7.9-3.7.16; fixed in 4.0.0-4.4.5
2544556
CM-26655
If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options.
Affects 3.7.9-4.1.1; fixed in 4.2.0-4.4.5
2544463
CM-26599
Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G.
3.7.9-3.7.16, 4.0.0-4.4.5
2544456
CM-26595
The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds.
3.7.9-3.7.16, 4.0.0-4.4.5
2544311
CM-26516
Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host.
3.7.5-3.7.16, 4.0.0-4.4.5
2544235
CM-26463
The following CVEs affect the linux kernel package:
CVE-2019-14821, CVE-2019-14835, CVE-2019-15117, CVE-2019-15118, CVE-2019-15902
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
For the detailed security status of linux, refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux
3.7.10-3.7.16
2544155
CM-26423
NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

3.7.5-3.7.16, 4.0.0-4.4.5
2544113
CM-26412
MAC learning is not disabled by default on a double-tagged peer link interface, resulting in the MAC address moving between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file.
3.7.9-3.7.16, 4.0.0-4.4.5
2543900
CM-26288
On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address.
3.7.8-3.7.16, 4.0.0-4.4.5
2543841
CM-26256
The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
3.7.8-3.7.16, 4.0.0-4.4.5
2543840
CM-26255
On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file.

3.7.6-3.7.16
2543800
CM-26230
When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it because it does not know where to forward the packet. The static VXLAN tunnel does work if local-tunnelip is a loopback or a physical layer 3 interface.
Affects 3.7.8-3.7.16; fixed in 4.0.0-4.4.5
2543647
CM-26137
ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
Affects 3.7.6-4.2.1; fixed in 4.3.0-4.4.5
2543646
CM-26136
In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case).
3.7.6-3.7.16, 4.0.0-4.4.5
2543627
CM-26126
Tomahawk 40G DACs cannot disable auto-negotiation.
Affects 3.7.7-3.7.16; fixed in 4.0.0-4.4.5
2543270
CM-25923
The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate.
Affects 3.7.8-4.1.1; fixed in 4.2.0-4.4.5
2543211
CM-25890
In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
3.7.0-3.7.16, 4.0.0-4.4.5
2543164
CM-25859
The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command.
3.7.7-3.7.16, 4.0.0-4.4.5
2543096
CM-25815
When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
3.7.6-3.7.16, 4.0.0-4.4.5
2543058
CM-25798
The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces.
Affects 3.7.7-3.7.16; fixed in 4.0.0-4.4.5
2543052
CM-25796
Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as “inactive” in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI.
3.7.5-3.7.16; fixed in 4.0.0-4.4.5
2543044
CM-25794
Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
Specifying static MAC addresses on all layer 3 VNIs prevents the first problem (next hops not being removed when the contributing peer goes down). There is no workaround for the second problem (next hops not being populated when the BGP session to the contributing peer comes up).
3.7.2-3.7.16; fixed in 4.0.0-4.4.5
2542979
CM-25766
On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work.
3.7.7-4.1.1; fixed in 4.2.0-4.4.5
2542945
CM-25740
On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
3.7.6-3.7.16, 4.0.0-4.4.5
2542310
CM-25404
hsflowd disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the sFlow payload shows IPv6.
3.7.6-3.7.16
2542305
CM-25400
If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
3.7.6-3.7.16, 4.0.0-4.4.5
2542301
CM-25397
When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
3.7.3-3.7.16, 4.0.0-4.4.5
2541212
CM-24894
The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded.
3.7.5-3.7.16, 4.0.0-4.4.5
2541165
CM-24878
On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 through 12. (UPOE uses all four pairs of standard Ethernet cabling, whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device into a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port, so poectl should report that four_pair_mode_enabled is false.
3.7.6-3.7.16
2541029
CM-24799
On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped.
This issue only affects QinQ configurations.
3.7.5-3.7.16, 4.0.0-4.4.5
2540950
CM-24751
On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status.
3.7.3-4.1.1; fixed in 4.2.0-4.4.5
2540885
CM-24703
The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports.
3.7.7-3.7.16
2540863
CM-24686
On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number.
3.7.3-3.7.16
2540753
CM-24618
If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
 
ERROR: No closing quotation
See /var/log/netd.log for more details.

3.7.5-3.7.16, 4.0.0-4.4.5
2540444
CM-24473
SNMP incorrectly requires engine ID specification.
3.7.4-3.7.16, 4.0.0-4.4.5
2540352
CM-24435
When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9
net add routing route-map Proxy-ARP permit 30 match interface swp10

3.7.2-3.7.16, 4.0.0-4.4.5
2540340
CM-24426
NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example:
 
cumulus@switch:~$ net add vrf mgmt


Tab completion for the net add vrf ip address command works correctly.
3.7.4-3.7.16, 4.0.0-4.4.5
2540274
CM-24379
On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route.
3.7.5-3.7.16, 4.0.0-4.4.5
2540204
CM-24350
When links come up after FRR is started, VRF connected routes do not get redistributed.
3.7.4-3.7.16, 4.0.0-4.4.5
2540192
CM-24343
The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value.
3.7.4-3.7.16, 4.0.0-4.4.5
2540155
CM-24332
On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
3.7.3-3.7.16, 4.0.0-4.4.5
2540042
CM-24272
When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface br0.100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# vrrp 1 advertisement-interval
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540041
CM-24271
On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU.
To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface vlan100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540040
CM-24270
Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface swp4
switch(config-if)# vrrp 1 version 2
switch(config-if)# no vrrp 1 preempt
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540031
CM-24262
NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist.
3.7.3-3.7.16, 4.0.0-4.4.5
2539994
CM-24241
When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
 
cumulus@switch:~$ net del bgp neighbor fabric peer-group
‘router bgp 65001’ configuration does not have ‘neighbor fabric peer-group’

3.7.2-3.7.16, 4.0.0-4.4.5
2539962
CM-24222
When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error.
3.7.0-3.7.16, 4.0.0-4.4.5
2539670
CM-24035
On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type.
3.7.2-3.7.16, 4.0.0-4.4.5
2539124
CM-23825
The net add interface ptm-enable command adds no ptm-enable for that interface in the frr.conf file.
Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh.
3.7.2-3.7.16, 4.0.0-4.4.5
2539081
CM-23792
When you delete post-up and pre-down IP peer entries from the /etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.
To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command.
3.7.0-3.7.16; fixed in 4.0.0-4.4.5
2538875
CM-23696
IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file.
3.7.2-3.7.16
2538790
CM-23665
NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan bridge access . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.
To restore connectivity, remove the VLAN ID from the bridge.
3.7.2-3.7.16, 4.0.0-4.4.5
2538590
CM-23584
When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain.
3.7.2-3.7.16, 4.0.0-4.4.5
2538562
CM-23570
On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G.
3.7.2-3.7.16, 4.0.0-4.4.5
2538302
CM-23422
portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.
3.7.0-3.7.16
2538294
CM-23417
If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid.
3.7.0-3.7.16, 4.0.0-4.4.5
2538256
CM-23397
On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
3.7.2-4.0.1; fixed in 4.1.0-4.4.5
2537820
CM-23123
When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
3.7.2-3.7.16; fixed in 4.0.0-4.4.5
2537699
CM-23075
There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
3.7.1-3.7.16, 4.0.0-4.4.5
2537544
CM-23021
When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB.
3.7.1-3.7.16, 4.0.0-4.4.5
2537378
CM-22937
NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
3.7.1-3.7.16
2537188
CM-22849
When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
3.7.2-3.7.16
2537104
CM-22808
When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
3.7.1-3.7.16; fixed in 4.0.0-4.4.5
2537061
CM-22794
The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
3.7.1-4.0.1; fixed in 4.1.0-4.4.5
2536608
CM-22583
Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
3.7.0-3.7.16
2536384
CM-22386
The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does not differentiate between BFD and non-BFD VXLAN inner packets, because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets are not forwarded to the CPU and so do not go through the iptables redirection rule; only VXLAN encapsulated BFD packets are forwarded to the CPU, due to the inner MAC DA lookup in hardware.
3.7.0-3.7.16, 4.0.0-4.4.5
2536179
CM-22228
On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working.
3.7.0-3.7.16, 4.0.0-4.4.5
2535986
CM-22041
At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart.
3.7.0-3.7.16, 4.0.0-4.4.5
2535965
CM-22020
On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic.
3.7.0-3.7.16, 4.0.0-4.4.5
2533691
CM-19788
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.
To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface.
3.7.12-3.7.16, 4.0.0-4.4.5
2532017
CM-18192
In FRR, bgp_snmp does not show all BGP peers when peer groups are used.
3.7.11-4.0.1; fixed in 4.1.0-4.4.5

Fixed Issues in 3.7.15

Issue ID | Description | Affects
2635951
The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1
Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened
Vulnerable: <= 1.4.4-2+deb8u2
Fixed: 1.4.4-2+deb8u3
3.7.0-3.7.14.2
2628515
CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service
Vulnerable: <= 2.8.0-cl3.7.15u2
Fixed: 2.8.0-cl3.7.15u3
3.7.14-3.7.14.2, 4.3.0-4.3.1
2617009
CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code
Vulnerable: 1.7.0~dfsg-1
Fixed: 1.7.0~dfsg-1+deb8u1
3.7.0-3.7.14.2
2617008
CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data
Vulnerable: <= 1.22.0-9+deb8u4
Fixed: 1.22.0-9+deb8u5
3.7.0-3.7.14.2
2617007
CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited
Vulnerable: <= 1.900.1-debian1-2.4+deb8u9
Fixed: 1.900.1-debian1-2.4+deb8u10
3.7.0-3.7.14.2
2617006
CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute
Vulnerable: <= 3.4.0-1+deb8u3
Fixed: 3.4.0-1+deb8u4
3.7.0-3.7.14.2
2617005
CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25687: several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server that could result in denial of service, cache poisoning or the execution of arbitrary code
Vulnerable: <= 2.72-3+deb8u5
Fixed: 2.72-3+deb8u6
3.7.14-3.7.14.2
2617002
CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact
Vulnerable: 6.8.9.9-5+deb8u22
Fixed: 6.8.9.9-5+deb8u23
3.7.0-3.7.14.2
2599607
CM-33013
Cumulus Linux learns remote MAC addresses as local entries on the bridge with the wrong remote VTEP IP address even when bridge learning is off on the VTEP and ARP suppression is enabled.
4.4.0-4.4.3
2595889
CM-31120
In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface.
3.7.10-3.7.14.2, 4.0.0-4.2.1
2595816
CM-31222
Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at an invalid IP address.
3.7.12-3.7.14.2, 4.0.0-4.2.1
2589747
CM-32226
If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a goodbye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal that it is going down (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers.
3.7.12-3.7.14.2, 4.0.0-4.2.1
2589570
The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:
CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input
Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2
Fixed: 2.0.1+dfsg-1.1+deb8u3
3.7.0-3.7.14.2
2589567
The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:
CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations
CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size
Vulnerable: <= 2.6.1-2+deb8u5
Fixed: 2.6.1-2+deb8u6
3.7.0-3.7.14.2
2574294
CVE-2021-3410: A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context
Vulnerable: <= 0.99.beta19-2+deb8u1
Fixed: 0.99.beta19-2+deb8u2
3.7.14-3.7.14.2
2566880
CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.
3.7.14-3.7.14.2, 4.0.0-4.3.1
2562511
hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary RADIUS server is reachable but not responding to Access-Requests.
If the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to the alternate servers.
3.7.10-3.7.14.2
2562396
CVE-2020-27824: Global buffer overflow on irreversible conversion when too many decomposition levels are specified.
CVE-2020-27841: Crafted input to be processed by the openjpeg encoder could cause an out-of-bounds read.
CVE-2020-27845: Crafted input can cause out-of-bounds-read.
Vulnerable: <= 2.1.0-2+deb8u11
Fixed: 2.1.0-2+deb8u12
3.7.14-3.7.14.2
2562301
CVE-2021-26937: encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.
Vulnerable: <= 4.2.1-3+deb8u1
Fixed: 4.2.1-3+deb8u2
3.7.14-3.7.14.2
2556815
CM-33419
When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP.
To work around this issue, disable ARP suppression.
3.7.14-3.7.14.2, 4.3.0
2556782
CM-33398
CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1
3.7.14-3.7.14.2, 4.0.0-4.3.1
2556780
CM-33397
CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.40+dfsg-1+deb8u9
Fixed: 2.4.40+dfsg-1+deb8u10
3.7.14-3.7.14.2
2556779
CM-33396
CVE-2020-8625: Buffer overflow attack in the bind9 DNS server caused by an issue in the GSSAPI (“Generic Security Services”) security policy negotiation.
Vulnerable: <= 9.9.5.dfsg-9+deb8u20
Fixed: 9.9.5.dfsg-9+deb8u21
3.7.14-3.7.14.2
2556763
CM-33385
In a configuration with both traditional and VLAN-aware bridges, the VLAN membership check on a VLAN-aware switch does not drop PVST BPDUs that come from a traditional bridge.
3.7.14-3.7.14.2, 4.0.0-4.3.0
2556743
CM-33370
CVE-2019-20367: An issue has been found in libbsd, a library with utility functions from BSD systems. A non-NUL terminated symbol name in the string table might result in an out-of-bounds read.
Vulnerable: <= 0.7.0-2+deb8u1
Fixed: 0.7.0-2+deb8u2
3.7.14-3.7.14.2
2556742
CM-33369
The following vulnerabilities have been announced in the openssl package:
CVE-2021-23840: an issue where “Digital EnVeloPe” EVP-related calls could cause applications to behave incorrectly or even crash.
CVE-2021-23841: an issue in the X509 certificate parsing caused by the lack of error handling while ingesting the “issuer” field.
Vulnerable: <= 1.0.1t-1+deb8u13
Fixed: 1.0.1t-1+deb8u14
3.7.14-3.7.14.2
2556689
CM-33333
CVE-2020-15469 A MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
CVE-2020-15859 QEMU has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data’s address set to the e1000e’s MMIO address.
CVE-2020-25084 QEMU has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
CVE-2020-28916 hw/net/e1000e_core.c has an infinite loop via an RX descriptor with a NULL buffer address.
CVE-2020-29130 slirp.c has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
CVE-2020-29443 ide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds read access because a buffer index is not validated.
CVE-2021-20181 9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege escalation vulnerability.
CVE-2021-20221 aarch64: GIC: out-of-bound heap buffer access via an interrupt ID field.
Vulnerable: <= 2.1+dfsg-12+deb8u18
Fixed: 2.1+dfsg-12+deb8u19
3.7.14-3.7.14.2
2556612
CM-33311
CVE-2021-27135: xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence.
Vulnerable: 312-2
Fixed: 312-2+deb8u1.
3.7.14-3.7.14.2
2556585
CM-33295
CVE-2021-26926: A heap buffer overflow vulnerability was discovered in JasPer, through jp2_dec.c in the jp2_decode() function.
CVE-2021-26927: A null pointer access was discovered in JasPer, through jp2_dec.c in the jp2_decode() function.
Vulnerable: <= 1.900.1-debian1-2.4+deb8u8
Fixed: 1.900.1-debian1-2.4+deb8u9
3.7.14-3.7.14.2
2556530
CM-33272
CVE-2020-0256: In LoadPartitionTable of gpt.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed.
CVE-2021-0308: In ReadLogicalParts of basicmbr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed.
Vulnerable: 0.8.10-2
Fixed: 0.8.10-2+deb8u1
3.7.14-3.7.14.2
2556525
CM-33270
CVE-2020-27351: Various memory and file descriptor leaks were discovered in the Python interface to the APT package management runtime library, which could result in denial of service.
Vulnerable: <= 0.9.3.13
Fixed: 0.9.3.14
3.7.14-3.7.14.2
2556504
CM-33260
CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230: Several vulnerabilities were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash, infinite loops) via specially crafted packets.
Vulnerable: <= 2.4.40+dfsg-1+deb8u8
Fixed: 2.4.40+dfsg-1+deb8u9
3.7.14-3.7.14.2
2556473
CM-33246
CVE-2021-3272: jp2_decode in jp2/jp2_dec.c in libjasper in JasPer has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components.
Vulnerable: <= 1.900.1-debian1-2.4+deb8u6
Fixed: 1.900.1-debian1-2.4+deb8u7
3.7.14-3.7.14.2
2556364
CM-33191
CVE-2020-35512: An issue has been found in dbus, a simple interprocess messaging system. On a system having multiple usernames sharing the same UID a use-after-free might happen, that could result in a denial of service or undefined behaviour, possibly including incorrect authorization decisions.
Vulnerable: <= 1.8.22-0+deb8u3
Fixed: 1.8.22-0+deb8u4
3.7.14-3.7.14.2
2556287
CM-33165
CVE-2021-3156: A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug.
Vulnerable: <= 1.8.10p4-cl3.7.14u1
Fixed: 1.8.10p4-cl3.7.15u1
Note: security scanners may not recognize 1.8.10p4-cl3.7.15u1 as fixed and therefore incorrectly list it as vulnerable.
3.7.14
2556233
CM-33129
Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message is observed when this condition occurs:
 
WARN xx routes reverted to non-ECMP due to NH table capacity

3.7.9-3.7.14.2
2556218
CM-33117
The following vulnerability affects lldpd:
CVE-2020-27827: A packet that contains multiple instances of certain TLVs will cause lldpd to continually allocate memory and leak the old memory. As an example, multiple instances of system name TLV will cause old values to be dropped by the decoding routine.
Fixed: 1.0.4-0-cl4.3.0u2
3.7.14-3.7.14.2, 4.0.0-4.2.1
2556031
CM-33008
Several security vulnerabilities were found in ImageMagick, a suite of image manipulation programs. An attacker could cause denial of service and execution of arbitrary code when a crafted image file is processed.
CVE-2020-19667 Stack-based buffer overflow and unconditional jump in ReadXPMImage in coders/xpm.c
CVE-2020-25665 The PALM image coder at coders/palm.c makes an improper call to AcquireQuantumMemory() in routine WritePALMImage() because it needs to be offset by 256. This can cause an out-of-bounds read later on in the routine. This could cause impact to reliability.
CVE-2020-25674 WriteOnePNGImage() from coders/png.c (the PNG coder) has a for loop with an improper exit condition that can allow an out-of-bounds READ via heap-buffer-overflow. This occurs because it is possible for the colormap to have less than 256 valid values but the loop condition will loop 256 times, attempting to pass invalid colormap data to the event logger.
CVE-2020-27560 ImageMagick allows Division by Zero in OptimizeLayerFrames in MagickCore/layer.c, which may cause a denial of service.
CVE-2020-27750 A flaw was found in MagickCore/colorspace-private.h and MagickCore/quantum.h. An attacker who submits a crafted file that is processed could trigger undefined behavior in the form of values outside the range of type unsigned char and math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.
CVE-2020-27760 In GammaImage() of /MagickCore/enhance.c, depending on the gamma value, it’s possible to trigger a divide-by-zero condition when a crafted input file is processed by ImageMagick. This could lead to an impact to application availability.
CVE-2020-27763 A flaw was found in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.
CVE-2020-27765 A flaw was found in MagickCore/segment.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.
CVE-2020-27773 A flaw was found in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char or division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.
CVE-2020-29599 ImageMagick mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.
Vulnerable: <= 6.8.9.9-5+deb8u21
Fixed: 6.8.9.9-5+deb8u22
3.7.14-3.7.14.2
2556030
CM-33007
The following vulnerability was announced in the apt packages:
CVE-2020-27350: Missing input validation in the ar/tar implementations of APT, the high level package manager, could cause out-of-bounds reads or infinite loops, resulting in denial of service when processing malformed deb files.
Vulnerable: <= 1.0.9.8.6
Fixed: 1.0.9.8.7
3.7.14-3.7.14.2
2556023
CM-33000
After upgrading Cumulus Linux with the apt-upgrade command, then rebooting an MLAG pair, if there are no bonds configured with a clag-id, the clagd service has difficulty peering and holds all MLAG interfaces and VNIs in a proto down state.
To work around this issue, after upgrading both switches, restart the clagd service with the sudo systemctl restart clagd command on each switch in the MLAG pair.
3.7.14-3.7.14.2
2556011
CM-32994
On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash.
3.7.14, 4.0.0-4.2.1
2555691
CM-32829
The NET-SNMP-EXTEND-MIB, disabled in Cumulus Linux 4.2.1 and 3.7.14 to prevent security vulnerability CVE-2020-15862, is re-enabled read-only.
3.7.14-3.7.14.2, 4.2.1
2555654
CM-32810
The following vulnerability has been announced in the libflac8 package:
CVE-2020-0499: In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a possible out-of-bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. However, user interaction is needed for exploitation.
Vulnerable: 1.3.0-3
Fixed: 1.3.0-3+deb8u1
3.7.14-3.7.14.2
2555627
CM-32797
The following vulnerabilities have been announced in curl:
CVE-2020-8284: Vulnerability to malicious FTP server with PASV response with different IP address.
CVE-2020-8285: Wildcard matching is vulnerable to denial of service by running out of stack space.
Vulnerable: <= 7.38.0-4+deb8u18
Fixed: 7.38.0-4+deb8u19
3.7.14
2555553
CM-32757
It was discovered that the clean_html() function of lxml, a Python library for HTML and XML processing, performed insufficient sanitisation for embedded Javascript code. This might lead to cross-site scripting or possibly the execution of arbitrary code.
Vulnerable: <= 3.4.0-1+deb8u2
Fixed: 3.4.0-1+deb8u3
3.7.14-3.7.14.2
2555532
CM-32753
QinQ (802.1Q) packets routed to a layer 3 subinterface are still double tagged with the VLAN of the subinterface and the original inner VLAN when they leave the subinterface.
4.2.0-4.2.1
2555507
CM-32734
CVE-2018-0734: A minor timing side channel attack was found in the OpenSSL DSA signature algorithm. The fix for that introduced a more severe regression that could also be exploited as a timing side channel attack. This update fixes both the original problem and the subsequent issue.
CVE-2020-1971: A flaw in the GENERAL_NAME_cmp() function could cause a NULL dereference, resulting in denial of service.
Vulnerable: <= 1.0.1t-1+deb8u12
Fixed: 1.0.1t-1+deb8u13
3.7.14
2555435
CM-32689
CVE-2018-19139: Fix memory leaks by registering jpc_unk_destroyparms.
CVE-2020-27828: Avoid maxrlvls more than upper bound to cause heap-buffer-overflow.
CVE-2018-19543 and CVE-2017-9782: There is a heap-based buffer over-read of size 8 in the function jp2_decode in libjasper/jp2/jp2_dec.c.
Vulnerable: <= 1.900.1-debian1-2.4+deb8u6
Fixed: 1.900.1-debian1-2.4+deb8u7
3.7.14-3.7.14.2
2555401
CM-32661
On the Edgecore AS7312 switch, eth0 and swp use the same MAC address.
3.7.14-3.7.14.2, 4.0.0-4.2.1
2555314
CM-32609
CVE-2020-25709, CVE-2020-25710: Vulnerabilities in the certificate list syntax verification and in the handling of CSN normalization were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.40+dfsg-1+deb8u7
Fixed: 2.4.40+dfsg-1+deb8u8
3.7.14
2555278
CM-32597
When you change the anycast address for the MLAG pair (clagd-vxlan-anycast-ip), high peak traffic occurs on the peer link interface of all MLAG switches.
3.7.13-3.7.14.2
2555196
CM-32537
CVE-2018-19787, CVE-2020-27783: The clean_html() function of lxml, a Python library for HTML and XML processing, performed insufficient sanitisation for embedded Javascript code. This could lead to cross-site scripting or possibly the execution of arbitrary code.
Vulnerable: <= 3.4.0-1+deb8u1
Fixed: 3.4.0-1+deb8u2
3.7.14-3.7.14.2
2555177
CM-32529
On Mellanox switches, the ASIC temperature sensor reading reports zeros. As a result, the fan speed is higher than normal.
You can see the temperature reading in the output of the sensors command.
3.7.14
2555147
CM-32515
Some issues have been found in qemu, a fast processor emulator.
CVE-2020-25085 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 CVE-2020-27617: All issues are related to assertion failures, out-of-bounds access failures or bad handling of return codes.
Vulnerable: <= 2.1+dfsg-12+deb8u17
Fixed: 2.1+dfsg-12+deb8u18
3.7.14-3.7.14.2
2554991
CM-32420
When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes.
To work around this issue, either shut down one side of the MLAG bond or prune out VLANS over the bond.
3.7.13-3.7.14.2, 4.0.0-4.2.1
2554804
CM-32291
On Mellanox SN2010 and SN2100 switches, the maximum fan speed is exceeded by fifteen percent.
3.7.14-3.7.14.2
2554719
CM-32225
A slow memory leak is observed (1% per 14 hours) in kmalloc-256.
To work around this issue, reboot the switch.
3.7.12-3.7.14.2
2553748
CM-31627
On switches with the Spectrum ASIC, the IPv6 default route might be present in the kernel but missing in hardware when IPv6 RAs are received on SVIs configured with ip-forward off.
3.7.11-3.7.14.2, 4.2.1
2552213
CM-30832
The Mellanox SN2700 and SN2410 switches intermittently report PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages.
3.7.11-3.7.14, 4.1.1-4.3.0
2550600
CM-29978
The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged.
3.7.8-3.7.14.2, 4.0.0-4.3.0
2549226
CM-29259
You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored.
3.7.12-3.7.14.2, 4.0.0-4.2.1

3.7.14.2 Release Notes

Open Issues in 3.7.14.2

Issue ID | Description | Affects | Fixed
3418046
None
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
Affects: 3.7.0-5.4.0 | Fixed: 5.5.0-5.6.0
3376798
On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected.
Affects: 3.7.0-3.7.16, 4.3.1-4.4.5
3330705
When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present.
Affects: 3.7.0-5.3.1 | Fixed: 5.4.0-5.6.0
3327477
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0
3216922
None
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-5.2.1 | Fixed: 5.3.0-5.6.0
3216921
None
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-3.7.16, 4.3.0-4.4.5
3209699
None
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-4.3.0, 4.4.0-5.2.1 | Fixed: 4.3.1, 5.3.0-5.6.0
3073668
On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap.
Affects: 3.7.12-3.7.16, 4.3.0-4.4.5
3017190
When you power cycle the switch, multiple interfaces come up in a PoE disabled state.
To work around this issue, run the sudo poectl -a | grep disabled command to find ports with disabled PoE, then run the sudo poectl -e swp1-swp48 command to enable PoE on the affected ports.
Affects: 3.7.10-3.7.16
2959454
CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact.
Vulnerable: <= 2.1.0-6+deb8u6
Fixed: 2.1.0-6+deb8u7
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2959444
CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information.
Vulnerable: <= 4.2-3+deb8u4
Fixed: 4.2-3+deb8u5
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2959067
ECMP produces errors indicating No More Resources and switchd crashes even when ECMP utilization is low.
Affects: 3.7.14.2-4.2.1 | Fixed: 4.3.0-4.4.5
2959024
ACL rules do not always install in hardware after a switch reboot.
To work around this issue, run the sudo cl-acltool -i command to reinstall the ACL rules.
Affects: 3.7.14.2-3.7.15 | Fixed: 3.7.16
2957684
CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds errors were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality and application availability.
Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3
Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2949602
CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2949586
CVE-2022-21699: ipython may execute untrusted files in the current working directory.
Vulnerable: 2.3.0-2
Fixed: 2.3.0-2+deb8u1
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2949585
CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog.
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2949584
CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service.
Vulnerable: <= 3.26-1+debu8u15
Fixed: 3.26-1+debu8u16
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2941560
CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.
Vulnerable: <= 9.26a~dfsg-0+deb8u7
Fixed: 9.26a~dfsg-0+deb8u
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2934940
CM-32683
When you change the SVI vlan-id value in the /etc/network/interfaces file, then run ifreload -a, the 802.1Q ID for the SVI in the kernel does not change.
This operation is not supported in the kernel without recreating the SVI. To apply the change, run ifdown, then ifup for the SVI to recreate the interface.
Affects: 3.7.13-3.7.15, 4.2.1 | Fixed: 3.7.16, 4.3.0-4.4.5
2934939
When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage.
To work around this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example:
Before:
address-family ipv4 unicast
aggregate-address 10.10.0.0/16 summary-only
redistribute connected
After:
ip route 10.10.0.0/16 Null0
!
address-family ipv4 unicast
redistribute connected route-map DENY-COMPONENTS
redistribute static
exit-address-family
ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
!
route-map DENY-COMPONENTS deny 10
match ip address prefix-list NO-COMPONENTS
!
route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed.
Affects: 3.7.12-3.7.16
2934935
switchd can cause a memory leak.
Affects: 3.7.14.2-3.7.15 | Fixed: 3.7.16, 4.3.1-4.4.5
2910862
CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file”.
Vulnerable: <= 0.13.62-3+deb8u2
Fixed: 0.13.62-3+deb8u3
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2910861
CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse.
CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods.
Vulnerable: <= 2.1.5-2+deb8u12
Fixed: 2.1.5-2+deb8u13
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2885241
CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code.
Vulnerable: <= 3.26-1+debu8u13
Fixed: 3.26-1+debu8u14
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2885239
CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.
Vulnerable: 6.0.0+dfsg-6 on armel platform
Fixed: 6.0.0+dfsg-6+deb8u1
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2885238
The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:
CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data.
CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response.
CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash.
Vulnerable: <= 5.43-2+deb9u2~deb8u3
Fixed: 5.43-2+deb9u2~deb8u4
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2866111
CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2866096
CM-33416
Under certain high scale conditions, various modules might experience timeouts during cl-support collection, which results in missing data in the cl-support file.
Affects: 3.7.12-3.7.15, 4.1.1-4.3.0 | Fixed: 3.7.16, 4.3.1-4.4.5, 5.0.0-5.6.0
2866084
When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del dev [dst|via] <interface|IP> command, then add "vxlan-learning": "off" in the /etc/network/ifupdown2/policy.d/vxlan.json file:
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
"vxlan": {
"module_globals": { "vxlan-purge-remotes": "no" },
"defaults": {
"vxlan-ageing": "1800",
"vxlan-port": "4789", <==== This comma needs to be added at the end of this line
"vxlan-learning": "off" <= This line needs to be added
}
}
}
Reboot the affected switches.
Affects: 3.7.12-4.3.0 | Fixed: 4.3.1-4.4.5
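The workaround above asks the operator to hand-edit a JSON policy file, and the annotated listing shows the trailing-comma mistake that breaks the file. The following added example, which is not part of the release notes or of ifupdown2, applies the same change by parsing and re-serialising the document instead, and provides a check that reports whether a policy file already has "vxlan-learning": "off" (a malformed file is reported as not applied rather than crashing an audit script). The sample policy is constructed from the listing in the note; the function names are this example's own.

```python
import json
import sys

# Constructed sample of /etc/network/ifupdown2/policy.d/vxlan.json in the state the
# release note describes before the workaround: the "vxlan-learning" key is absent.
SAMPLE_POLICY = """{
  "vxlan": {
    "module_globals": { "vxlan-purge-remotes": "no" },
    "defaults": {
      "vxlan-ageing": "1800",
      "vxlan-port": "4789"
    }
  }
}
"""


def vxlan_defaults(policy_text: str) -> dict:
    """Return the vxlan.defaults object of a policy document, or {} if absent."""
    policy = json.loads(policy_text)
    return policy.get("vxlan", {}).get("defaults", {})


def check_vxlan_learning(policy_text: str) -> bool:
    """True when the policy file already carries "vxlan-learning": "off".

    Malformed JSON (the missing-comma mistake the release note warns about) is
    reported as "not applied" rather than raising, so the check is safe to run
    from an audit script across many switches.
    """
    try:
        return vxlan_defaults(policy_text).get("vxlan-learning") == "off"
    except json.JSONDecodeError:
        return False


def set_vxlan_learning_off(policy_text: str) -> str:
    """Return the policy document with "vxlan-learning": "off" under vxlan.defaults.

    Parsing and re-serialising the file, instead of editing it by hand, cannot
    produce the trailing-comma error, and the operation is idempotent: applying
    it to an already-patched file returns the same text.
    """
    policy = json.loads(policy_text)
    defaults = policy.setdefault("vxlan", {}).setdefault("defaults", {})
    defaults["vxlan-learning"] = "off"
    return json.dumps(policy, indent=2) + "\n"


if __name__ == "__main__":
    # Usage: python3 vxlan_policy.py [/etc/network/ifupdown2/policy.d/vxlan.json]
    # Without a path the constructed sample is used. The result is printed, not
    # written back, so the operator can review it before replacing the file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_POLICY
    print("vxlan-learning already off:", check_vxlan_learning(text))
    sys.stdout.write(set_vxlan_learning_off(text))
```

Run it without arguments to see the patched sample; run it against the real policy file path to get a reviewed replacement, then reboot as the note instructs.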
2862269
CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established.
Vulnerable: <= 9.4.26-0+deb8u4
Fixed: 9.4.26-0+deb8u5
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2855881
A number of vulnerabilities were discovered in Redis, a popular key/value database:
CVE-2021-32672: Random heap reading issue with Lua Debugger.
CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value.
CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections.
CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow.
Vulnerable: <= 2:2.8.17-1+deb8u8
Fixed: 2:2.8.17-1+deb8u9
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2855879
The following vulnerabilities have been announced in the python3.4 package:
CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows reading an arbitrary file on the filesystem.
CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server.
Vulnerable: <= 3.4.2-1+deb8u10
Fixed: 3.4.2-1+deb8u11
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2850806
CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts).
Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22
Fixed: 1:9.9.5.dfsg-9+deb8u23
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2845540
CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling.
Vulnerable: <= 1.7.5-11+deb8u8
Fixed: 1.7.5-11+deb8u9
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2841003
CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference.
Vulnerable: <= 0.13-4~deb8u2
Fixed: 0.13-4~deb8u3
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2835994
CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function.
Vulnerable: <= 1.0.1t-1+deb8u15
Fixed: 1.0.1t-1+deb8u16
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2823255
CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode).
Vulnerable: <= 52.1-8+deb8u8
Fixed: 52.1-8+deb8u9
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2821981
The following vulnerabilities have been announced in the ruby2.1 package:
CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename.
CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).
CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.”
Vulnerable: <= 2.1.5-2+deb8u11
Fixed: 2.1.5-2+deb8u12
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2820758
The following vulnerabilities have been announced in curl:
CVE-2021-22946: Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected.
CVE-2021-22947: When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data.
Vulnerable: <= 7.38.0-4+deb8u21
Fixed: 7.38.0-4+deb8u22
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2815592
In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence.
Affects: 3.7.12-4.3.0, 4.4.2-5.0.1 | Fixed: 4.3.1, 5.1.0-5.6.0
2813826
Two security issues were found in TIFF, a widely used format for storing image data, as follows:
CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop”.
CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ function in the component ‘tif_unix.c’.
Vulnerable: <= 4.0.3-12.3+deb8u11
Fixed: 4.0.3-12.3+deb8u12
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2813823
Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash.
CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer.
CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may.
CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user.
Vulnerable: <= 2.4.10-10+deb8u18
Fixed: 2.4.10-10+deb8u19
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2803044
In an EVPN configuration with IP or MAC mobility, higher MM EVPN routes do not remove the old ARP entries during VIP migration between VTEP racks.
Affects: 3.7.14.2-3.7.15, 4.3.0-4.4.5 | Fixed: 3.7.16
2801262
On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart.
To work around this issue, load the port configuration in a staggered manner (groups of five downlink ports).
Affects: 3.7.12-4.3.0, 4.4.2-4.4.5 | Fixed: 4.3.1, 5.0.0-5.6.0
2801126
CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures.
Vulnerable: <= 2.7.1-5+deb8u2
Fixed: 2.7.1-5+deb8u3
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2801125
OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01.
Vulnerable: <= 1.0.1t-1+deb8u14
Fixed: 1.0.1t-1+deb8u15
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2801124
GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01.
Vulnerable: <= 3.3.30-0+deb8u1
Fixed: 3.3.30-0+deb8u2
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2799742
CM-33032
On the Edgecore AS4610 switch, the historic CPU usage displayed in /run/sysmonitor/history sometimes shows as a negative value.
Affects: 3.7.12-3.7.15 | Fixed: 3.7.16, 4.3.1-4.4.5
2798139
CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions.
Vulnerable: <= 9.4.26-0+deb8u3
Fixed: 9.4.26-0+deb8u4
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2794750
CM-29043
When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering.
Affects: 3.7.12-3.7.15, 4.0.0-4.2.1 | Fixed: 3.7.16, 4.3.0-4.4.5
2770226
In an MLAG configuration with traditional bridges, MAC addresses are seen over the peer link during ifreload when adding new VLANs or bridges.
Affects: 3.7.14.2-3.7.15, 4.3.0-4.4.5 | Fixed: 3.7.16, 5.0.0-5.6.0
2769687
CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library.
Vulnerable: <= 7.38.0-4+deb8u20
Fixed: 7.38.0-4+deb8u21
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2769633
CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames.
Vulnerable: <= 1.10.0-2+deb8u2
Fixed: 1.10.0-2+deb8u3
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2769632
CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made.
Vulnerable: <= 0.80.7-2+deb8u4
Fixed: 0.80.7-2+deb8u5
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2769631
CVE-2021-38165: lynx has a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data.
Vulnerable: <= 2.8.9dev1-2+deb8u1
Fixed: 2.8.9dev1-2+deb8u2
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2754791
Remote MAC addresses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP.
Affects: 3.7.14.2-3.7.16, 4.3.0-4.4.5
2743132
CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow execution of arbitrary code.
Vulnerable: <= 1.0.25-9.1+deb8u5
Fixed: 1.0.25-9.1+deb8u6
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2736265
After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes.
Affects: 3.7.12-3.7.15, 4.2.1-4.3.0 | Fixed: 3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5
2736247
CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.c.
Vulnerable: <= 1.900.1-debian1-2.4+deb8u10
Fixed: 1.900.1-debian1-2.4+deb8u11
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2736245
CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems.
Vulnerable: <= 2.8.17-1+deb8u7
Fixed: 2.8.17-1+deb8u8
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2734107
When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs.
Affects: 3.7.12-4.3.0, 4.4.0-4.4.1 | Fixed: 4.3.1, 4.4.2-4.4.5
2728207
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5
2728206
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5
2728205
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-4.4.1 | Fixed: 4.4.2-4.4.5
2726776
CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour.
Vulnerable: <= 2.4.10-10+deb8u17
Fixed: 2.4.10-10+deb8u18
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2717312
When you modify a prefix list with NCLU commands, the bgpd service crashes.
Affects: 3.7.14.2-3.7.15 | Fixed: 3.7.16
2716841
CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository.
Vulnerable: <= 1.5.6-5+deb8u1
Fixed: 1.5.6-5+deb8u2
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2705169
CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.
Vulnerable: <= 4.0.3-12.3+deb8u10
Fixed: 4.0.3-12.3+deb8u11
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2705168
CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access
Vulnerable: <= 5.43-2+deb9u2~deb8u2
Fixed: 5.43-2+deb9u2~deb8u3
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2702519
CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt
Vulnerable: <= 1.6.3-2+deb8u8
Fixed: 1.6.2-2+dev8u9
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2700767
Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use an MLAG peer IP linklocal configuration.
Affects: 3.7.12-3.7.15, 4.3.0-4.4.5 | Fixed: 3.7.16
2699464
In a VXLAN fabric with ToR switches configured in an MLAG pair, BUM traffic received on a VXLAN tunnel is decapsulated and forwarded on the peer link bond. The BUM traffic is then encapsulated by the peer switch and sent back to the fabric. The issue has been seen in environments where the following conditions exist at the same time:
1) high VNI scale
2) switchd is busy processing updates
3) clagd is in a transition state, such as Up, then Down, then Up. For example, when clagd restarts, the switch reboots, and so on.
The problem is seen on the switch that experiences the clagd state transition.
Affects: 3.7.12-3.7.15 | Fixed: 3.7.16
2687332
When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage.
To work around this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example:
Before:
address-family ipv4 unicast
aggregate-address 10.10.0.0/16 summary-only
redistribute connected
After:
ip route 10.10.0.0/16 Null0
!
address-family ipv4 unicast
redistribute connected route-map DENY-COMPONENTS
redistribute static
exit-address-family
ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
!
route-map DENY-COMPONENTS deny 10
match ip address prefix-list NO-COMPONENTS
!
route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed.
Affects: 3.7.12-4.2.1 | Fixed: 4.3.0-4.4.5
2684452
When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:
1. Clear all corrupted MAC entries in the kernel FDB with the bridge fdb del dev [dst|via] <interface|IP> command.
2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json:
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
"vxlan": {
"module_globals": { "vxlan-purge-remotes": "no" },
"defaults": {
"vxlan-ageing": "1800",
"vxlan-port": "4789", <==== This comma needs to be added at the end of this line
"vxlan-learning": "off" <= This line needs to be added
}
}
}
3. Reboot the affected switch(es).
Affects: 3.7.12-3.7.16
2684404
CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8
Fixed: 1.6.2-5+deb8u9
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2679950
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
Affects: 3.7.0-3.7.15, 4.0.0-4.3.1 | Fixed: 3.7.16, 4.4.0-4.4.5
2677063
CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10
Fixed: 2.9.1+dfsg1-5+deb8u11
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2677061
CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7
Fixed: 1.6.2-5+deb8u8
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2677060
CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6
Fixed: 2.7.9-2-ds1-1+deb8u7
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2669858
CM-32169
OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf.
This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper.
Affects: 3.7.14-3.7.16, 4.0.0-4.4.5
2669831
If you try to remove BFD configuration with systemctl reload frr, the FRR service fails. The reload action results in a TypeError: expected string or bytes-like object error
You see this issue only if there is default configuration, such as configuration in the /etc/frr/frr.conf file that is suppressed from view in the FRR running configuration
To work around this issue, remove the default configuration lines; for example:
username cumulus nopassword
Affects: 3.7.14.2-3.7.15 | Fixed: 3.7.16
2668477
CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions
Vulnerable: <= 1.6.2-3+deb8u4
Fixed: 1.6.2-3+deb8u5
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2660693
CVE-2021-22876: libcurl, a URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request.
Vulnerable: 7.38.0-4+deb8u19
Fixed: 7.38.0-4+deb8u20
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2660582
In an MLAG configuration, when there is a double failure (backup IP and peer link failure), the secondary MLAG switch keeps using the MLAG system MAC address instead of switching to a unique address.
To recover, restart the clagd service with sudo systemctl restart clagd.service.
Affects: 3.7.8-3.7.15 | Fixed: 3.7.16
2658233
The following vulnerabilities have been announced in the graphviz package:
CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (application crash) via a crafted file.
CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file.
Vulnerable: 2.38.0-7
Fixed: 2.38.0-7+deb8u1
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2656291
The following CVEs affect the linux kernel package:
CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
For the detailed security status of linux, refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux
Affects: 3.7.12-3.7.16 | Fixed: 4.0.0-4.4.5
2654684
CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files
Vulnerable: <= 2.9.1+dfsg1-5+deb8u9
Fixed: 2.9.1+dfsg1-5+deb8u10
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2653521
CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code
Vulnerable: 0.4.1-1.2
Fixed: 0.4.1-1.2+deb8u1
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2653400
None
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.
Affects: 3.7.10-3.7.16
2652003
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.
Affects: 3.7.10-4.3.0 | Fixed: 4.3.1-4.4.5
2646974
The following vulnerabilities have been announced in bind9:
CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service
CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query
CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries
Vulnerable: <= 9.9.5.dfsg-9+deb8u21
Fixed: 9.9.5.dfsg-9+deb8u22
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2646968
CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service
Vulnerable: <= 6.8.9.9-5+deb8u23
Fixed: 6.8.9.9-5+deb8u24
Affects: 3.7.0-3.7.15 | Fixed: 3.7.16
2645846
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.
Affects: 3.7.10-3.7.15 | Fixed: 3.7.16, 4.3.1-4.4.5
2638137
When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file.
Affects: 3.7.13-3.7.16
2635951
The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1
Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened
Vulnerable: <= 1.4.4-2+deb8u2
Fixed: 1.4.4-2+deb8u3
Affects: 3.7.0-3.7.14.2 | Fixed: 3.7.15-3.7.16
2633245
On the Dell N3048EP-ON switch, the SFP+ ports remain down after a power cycle.
Affects: 3.7.10-3.7.16
2628515
CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service
Vulnerable: <= 2.8.0-cl3.7.15u2
Fixed: 2.8.0-cl3.7.15u3
Affects: 3.7.14-3.7.14.2, 4.3.0-4.3.1 | Fixed: 3.7.15-3.7.16, 4.4.0-4.4.5
2617009
CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code
Vulnerable: 1.7.0~dfsg-1
Fixed: 1.7.0~dfsg-1+deb8u1
Affects: 3.7.0-3.7.14.2 | Fixed: 3.7.15-3.7.16
2617008
CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data
Vulnerable: <= 1.22.0-9+deb8u4
Fixed: 1.22.0-9+deb8u5
Affects: 3.7.0-3.7.14.2 | Fixed: 3.7.15-3.7.16
2617007
CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited
Vulnerable: <= 1.900.1-debian1-2.4+deb8u9
Fixed: 1.900.1-debian1-2.4+deb8u10
Affects: 3.7.0-3.7.14.2 | Fixed: 3.7.15-3.7.16
2617006
CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute
Vulnerable: <= 3.4.0-1+deb8u3
Fixed: 3.4.0-1+deb8u4
Affects: 3.7.0-3.7.14.2 | Fixed: 3.7.15-3.7.16
2617005
CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25687: several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server that could result in denial of service, cache poisoning or the execution of arbitrary code
Vulnerable: <= 2.72-3+deb8u5
Fixed: 2.72-3+deb8u6
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2617002
CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact
Vulnerable: 6.8.9.9-5+deb8u22
Fixed: 6.8.9.9-5+deb8u23
Affects: 3.7.0-3.7.14.2 | Fixed: 3.7.15-3.7.16
2607965
On the EdgeCore AS7726 switch, when you run the NCLU net show system command, you see the error Command not found.
Affects: 3.7.14.2-3.7.16
2595889
CM-31120
In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface.
Affects: 3.7.10-3.7.14.2, 4.0.0-4.2.1 | Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2595816
CM-31222
Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at an invalid IP address.
Affects: 3.7.12-3.7.14.2, 4.0.0-4.2.1 | Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2589747
CM-32226
If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a goodbye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal that it is going down (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers.
Affects: 3.7.12-3.7.14.2, 4.0.0-4.2.1 | Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2589570
The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:
CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input
Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2
Fixed: 2.0.1+dfsg-1.1+deb8u3
Affects: 3.7.0-3.7.14.2 | Fixed: 3.7.15-3.7.16
2589567
The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:
CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations
CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size
Vulnerable: <= 2.6.1-2+deb8u5
Fixed: 2.6.1-2+deb8u6
Affects: 3.7.0-3.7.14.2 | Fixed: 3.7.15-3.7.16
2581473
When netq-agent is installed on the Dell N3048EP platform, switchd might crash if pluggables are installed in the SFP+ ports.
Affects: 3.7.13-3.7.15 | Fixed: 3.7.16
2574294
CVE-2021-3410: A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context
Vulnerable: <= 0.99.beta19-2+deb8u1
Fixed: 0.99.beta19-2+deb8u2
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2566880
CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.
Affects: 3.7.14-3.7.14.2, 4.0.0-4.3.1 | Fixed: 3.7.15-3.7.16, 4.4.0-4.4.5
2562511
hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary RADIUS server is reachable but not responding to Access-Requests.
If the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers.
Affects: 3.7.10-3.7.14.2 | Fixed: 3.7.15-3.7.16
2562396
CVE-2020-27824: Global buffer overflow on irreversible conversion when too many decomposition levels are specified.
CVE-2020-27841: Crafted input to be processed by the openjpeg encoder could cause an out-of-bounds read.
CVE-2020-27845: Crafted input can cause out-of-bounds-read.
Vulnerable: <= 2.1.0-2+deb8u11
Fixed: 2.1.0-2+deb8u12
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2562347
When you bring VXLAN interfaces up and down physically or administratively, the MTU for the SVIs changes to 1550 (the default value).
Affects: 3.7.14.2-3.7.16
2562301
CVE-2021-26937: encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.
Vulnerable: <= 4.2.1-3+deb8u1
Fixed: 4.2.1-3+deb8u2
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556815
CM-33419
When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP.
To work around this issue, disable ARP suppression.
Affects: 3.7.14-4.3.0 | Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2556782
CM-33398
CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1
Affects: 3.7.14-3.7.14.2, 4.0.0-4.3.1 | Fixed: 3.7.15-3.7.16, 4.4.0-4.4.5
2556780
CM-33397
CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.40+dfsg-1+deb8u9
Fixed: 2.4.40+dfsg-1+deb8u10
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556779
CM-33396
CVE-2020-8625: Buffer overflow attack in the bind9 DNS server caused by an issue in the GSSAPI (“Generic Security Services”) security policy negotiation.
Vulnerable: <= 9.9.5.dfsg-9+deb8u20
Fixed: 9.9.5.dfsg-9+deb8u21
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556763
CM-33385
In a configuration with both traditional and vlan-aware bridges, the VLAN membership check on a vlan-aware switch does not drop PVST BPDUs that come from a traditional bridge.
Affects: 3.7.14-4.3.0 | Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2556743
CM-33370
CVE-2019-20367: An issue has been found in libbsd, a library with utility functions from BSD systems. A non-NUL terminated symbol name in the string table might result in an out-of-bounds read.
Vulnerable: <= 0.7.0-2+deb8u1
Fixed: 0.7.0-2+deb8u2
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556742
CM-33369
The following vulnerabilities have been announced in the openssl package:
CVE-2021-23840: an issue where “Digital EnVeloPe” EVP-related calls could cause applications to behave incorrectly or even crash.
CVE-2021-23841: an issue in the X509 certificate parsing caused by the lack of error handling while ingesting the “issuer” field.
Vulnerable: <= 1.0.1t-1+deb8u13
Fixed: 1.0.1t-1+deb8u14
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556689
CM-33333
CVE-2020-15469 A MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
CVE-2020-15859 QEMU has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data’s address set to the e1000e’s MMIO address.
CVE-2020-25084 QEMU has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
CVE-2020-28916 hw/net/e1000e_core.c has an infinite loop via an RX descriptor with a NULL buffer address.
CVE-2020-29130 slirp.c has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
CVE-2020-29443 ide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds read access because a buffer index is not validated.
CVE-2021-20181 9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege escalation vulnerability.
CVE-2021-20221 aarch64: GIC: out-of-bound heap buffer access via an interrupt ID field.
Vulnerable: <= 2.1+dfsg-12+deb8u18
Fixed: 2.1+dfsg-12+deb8u19
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556612
CM-33311
CVE-2021-27135: xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence.
Vulnerable: 312-2
Fixed: 312-2+deb8u1.
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556585
CM-33295
CVE-2021-26926: A heap buffer overflow vulnerability was discovered in JasPer, through jp2_dec.c in the jp2_decode() function.
CVE-2021-26927: A null pointer access was discovered in JasPer, through jp2_dec.c in the jp2_decode() function.
Vulnerable: <= 1.900.1-debian1-2.4+deb8u8
Fixed: 1.900.1-debian1-2.4+deb8u9
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556530
CM-33272
CVE-2020-0256: In LoadPartitionTable of gpt.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed.
CVE-2021-0308: In ReadLogicalParts of basicmbr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed.
Vulnerable: 0.8.10-2
Fixed: 0.8.10-2+deb8u1
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556525
CM-33270
CVE-2020-27351: Various memory and file descriptor leaks were discovered in the Python interface to the APT package management runtime library, which could result in denial of service.
Vulnerable: <= 0.9.3.13
Fixed: 0.9.3.14
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556504
CM-33260
CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230: Several vulnerabilities were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash, infinite loops) via specially crafted packets.
Vulnerable: <= 2.4.40+dfsg-1+deb8u8
Fixed: 2.4.40+dfsg-1+deb8u9
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556473
CM-33246
CVE-2021-3272: jp2_decode in jp2/jp2_dec.c in libjasper in JasPer has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components.
Vulnerable: <= 1.900.1-debian1-2.4+deb8u6
Fixed: 1.900.1-debian1-2.4+deb8u7
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556364
CM-33191
CVE-2020-35512: An issue has been found in dbus, a simple interprocess messaging system. On a system having multiple usernames sharing the same UID a use-after-free might happen, that could result in a denial of service or undefined behaviour, possibly including incorrect authorization decisions.
Vulnerable: <= 1.8.22-0+deb8u3
Fixed: 1.8.22-0+deb8u4
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556233
CM-33129
Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message will be observed when this condition occurs:
WARN xx routes reverted to non-ECMP due to NH table capacity
Affects: 3.7.9-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556218
CM-33117
The following vulnerability affects lldpd:
CVE-2020-27827: A packet that contains multiple instances of certain TLVs will cause lldpd to continually allocate memory and leak the old memory. As an example, multiple instances of system name TLV will cause old values to be dropped by the decoding routine.
Fixed: 1.0.4-0-cl4.3.0u2
Affects: 3.7.14-3.7.14.2, 4.0.0-4.2.1 | Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2556037
CM-33012
After you add an interface to the bridge, an OSPF session flap might occur.
Affects: 3.7.9-4.2.0 | Fixed: 4.2.1-4.4.5
2556031
CM-33008
Several security vulnerabilities were found in ImageMagick, a suite of image manipulation programs. An attacker could cause denial of service and execution of arbitrary code when a crafted image file is processed.
CVE-2020-19667 Stack-based buffer overflow and unconditional jump in ReadXPMImage in coders/xpm.c
CVE-2020-25665 The PALM image coder at coders/palm.c makes an improper call to AcquireQuantumMemory() in routine WritePALMImage() because it needs to be offset by 256. This can cause an out-of-bounds read later on in the routine. This could cause impact to reliability.
CVE-2020-25674 WriteOnePNGImage() from coders/png.c (the PNG coder) has a for loop with an improper exit condition that can allow an out-of-bounds READ via heap-buffer-overflow. This occurs because it is possible for the colormap to have less than 256 valid values but the loop condition will loop 256 times, attempting to pass invalid colormap data to the event logger.
CVE-2020-27560 ImageMagick allows Division by Zero in OptimizeLayerFrames in MagickCore/layer.c, which may cause a denial of service.
CVE-2020-27750 A flaw was found in MagickCore/colorspace-private.h and MagickCore/quantum.h. An attacker who submits a crafted file that is processed could trigger undefined behavior in the form of values outside the range of type unsigned char and math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.
CVE-2020-27760 In GammaImage() of /MagickCore/enhance.c, depending on the gamma value, it’s possible to trigger a divide-by-zero condition when a crafted input file is processed by ImageMagick. This could lead to an impact to application availability.
CVE-2020-27763 A flaw was found in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.
CVE-2020-27765 A flaw was found in MagickCore/segment.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.
CVE-2020-27773 A flaw was found in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char or division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.
CVE-2020-29599 ImageMagick mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.
Vulnerable: <= 6.8.9.9-5+deb8u21
Fixed: 6.8.9.9-5+deb8u22
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556030
CM-33007
The following vulnerability was announced in the apt packages:
CVE-2020-27350: Missing input validation in the ar/tar implementations of APT, the high level package manager, could cause out-of-bounds reads or infinite loops, resulting in denial of service when processing malformed deb files.
Vulnerable: <= 1.0.9.8.6
Fixed: 1.0.9.8.7
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556023
CM-33000
After upgrading Cumulus Linux with the apt-upgrade command, then rebooting an MLAG pair, if there are no bonds configured with a clag-id, the clagd service has difficulty peering, and holds all MLAG interfaces and VNIs in a proto down state
To work around this issue, after upgrading both switches, restart the clagd service with the sudo systemctl restart clagd command on each MLAG pair.
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2555908
CM-32940
If you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up.
To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command.
Affects: 3.7.12-4.0.1 | Fixed: 4.1.0-4.4.5
2555691
CM-32829
The NET-SNMP-EXTEND-MIB, disabled in Cumulus Linux 4.2.1 and 3.7.14 to prevent security vulnerability CVE-2020-15862, is re-enabled read-only.
Affects: 3.7.14-3.7.14.2, 4.2.1 | Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2555654
CM-32810
The following vulnerability has been announced in the libflac8 package:
CVE-2020-0499: In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a possible out-of-bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. However, user interaction is needed for exploitation.
Vulnerable: 1.3.0-3
Fixed: 1.3.0-3+deb8u1
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2555553
CM-32757
It was discovered that the clean_html() function of lxml, a Python library for HTML and XML processing, performed insufficient sanitisation for embedded Javascript code. This might lead to cross-site scripting or possibly the execution of arbitrary code.
Vulnerable: <= 3.4.0-1+deb8u2
Fixed: 3.4.0-1+deb8u3
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2555528
CM-32750
In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer’s ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher.
Affects: 3.7.14-4.2.1 | Fixed: 4.3.0-4.4.5
2555435
CM-32689
CVE-2018-19139: Fix memory leaks by registering jpc_unk_destroyparms.
CVE-2020-27828: Avoid maxrlvls more than upper bound to cause heap-buffer-overflow.
CVE-2018-19543 and CVE-2017-9782: There is a heap-based buffer over-read of size 8 in the function jp2_decode in libjasper/jp2/jp2_dec.c.
Vulnerable: <= 1.900.1-debian1-2.4+deb8u6
Fixed: 1.900.1-debian1-2.4+deb8u7
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2555401
CM-32661
On the Edgecore AS7312 switch, eth0 and swp use the same MAC address.
Affects: 3.7.14-3.7.14.2, 4.0.0-4.2.1 | Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2555278
CM-32597
When you change the anycast address for the MLAG pair (clagd-vxlan-anycast-ip), high peak traffic occurs on the peer link interface of all MLAG switches.
Affects: 3.7.13-3.7.14.2 | Fixed: 3.7.15-3.7.16, 4.0.0-4.4.5
2555196
CM-32537
CVE-2018-19787, CVE-2020-27783: The clean_html() function of lxml, a Python library for HTML and XML processing, performed insufficient sanitisation for embedded Javascript code. This could lead to cross-site scripting or possibly the execution of arbitrary code.
Vulnerable: <= 3.4.0-1+deb8u1
Fixed: 3.4.0-1+deb8u2
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2555147
CM-32515
Some issues have been found in qemu, a fast processor emulator.
CVE-2020-25085 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 CVE-2020-27617: All issues are related to assertion failures, out-of-bounds access failures or bad handling of return codes.
Vulnerable: <= 2.1+dfsg-12+deb8u17
Fixed: 2.1+dfsg-12+deb8u18
Affects: 3.7.14-3.7.14.2
Fixed in: 3.7.15-3.7.16
2554991
CM-32420
When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes.
To work around this issue, either shut down one side of the MLAG bond or prune out VLANs over the bond.
Affects: 3.7.13-4.2.1
Fixed in: 4.3.0-4.4.5
2554804
CM-32291
On Mellanox SN2010 and SN2100 switches, the maximum fan speed is exceeded by fifteen percent.
Affects: 3.7.14-3.7.14.2
Fixed in: 3.7.15-3.7.16
2554785
CM-32275
After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:

Nov 12 12:20:05.063876 leaf01 switchd[9867]:
Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:
Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed out
Nov 12 12:20:05.064464 leaf01 switchd[9867]:
Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memory
Nov 12 12:20:05.092029 leaf01 switchd[9867]:
Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initialized
Nov 12 12:20:05.099579 leaf01 switchd[9867]:
Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminated
Nov 12 12:20:05.099667 leaf01 switchd[9867]:
Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminated
Nov 12 12:20:05.099798 leaf01 switchd[9867]:
Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0
Nov 12 12:20:05.099892 leaf01 switchd[9867]:
Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!

To work around this issue, configure Cumulus Linux to boot with the intel_iommu=off kernel command option:
1. Open the /etc/default/grub file with a text editor.
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"
3. Run the update-grub command.
4. Reboot the switch.
Affects: 3.7.11-4.2.1
Fixed in: 4.3.0-4.4.5
2554719
CM-32225
A slow memory leak is observed (1% per 14 hours) in kmalloc-256.
To work around this issue, reboot the switch.
Affects: 3.7.12-3.7.14.2
Fixed in: 3.7.15-3.7.16
2554709
CM-32217
The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected its Primary IP address, the unnumbered interface does not update its Primary IP address to the new use-source value until there is a netlink update for that interface.
To work around this issue, configure ip pim use-source on each unnumbered interface directly or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM.
Affects: 3.7.13-3.7.16, 4.2.1-4.4.5
2554588
CM-32149
If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is running.
To work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:
DHCPD_PID="-pf {0}"
to:
DHCPD_PID="-pf {1}"
Affects: 3.7.13-4.2.1
Fixed in: 4.3.0-4.4.5
2554369
CM-32006
Certain Dell S4048-ON switches show an incorrect vendor name and hang when you issue the reboot command.
Affects: 3.7.12-4.2.1
Fixed in: 4.3.0-4.4.5
2553887
CM-31700
When using TACACS+ configured with a DEFAULT user that provides a privilege level lower than 16, TACACS+ users configured with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del, and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server.
Affects: 3.7.7-3.7.16, 4.0.0-4.4.5
2553748
CM-31627
On switches with the Spectrum ASIC, the IPv6 default route might be present in the kernel but missing in hardware when IPv6 RAs are received on SVIs configured with ip-forward off.
Affects: 3.7.11-3.7.14.2, 4.2.1
Fixed in: 3.7.15-3.7.16, 4.3.0-4.4.5
2553677
CM-31605
When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:
createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"
adding the following line to /snmp/snmpd.conf:
rwuser userSHAwithAES
touch: cannot touch '/snmp/snmpd.conf': No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation.
Affects: 3.7.13-3.7.16, 4.0.0-4.4.5
2553219
CM-31407
You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters.
Affects: 3.7.12-4.2.1
Fixed in: 4.3.0-4.4.5
2553116
CM-31357
When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2553050
CM-31322
SNMP status might incorrectly reflect that a BGP neighbor is down due to an issue between bgpd and SNMP AgentX when the IP-FORWARD-MIB is also polled.
To work around this issue, avoid polling IP-FORWARD-MIB objects.
Affects: 3.7.12-3.7.16
2553015
CM-31300
If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail.
Affects: 3.7.10-3.7.16, 4.2.0-4.4.5
2552939
CM-31263
RX_DRP on a bond interface increases without any data traffic, while the RX_DRP counter on the slave port does not increase.
Affects: 3.7.12-4.2.1
Fixed in: 4.3.0-4.4.5
2552869
CM-31231
On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command.
Affects: 3.7.13-4.2.1
Fixed in: 4.3.0-4.4.5
2552742
CM-31150
On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd.
Affects: 3.7.12-4.2.1
Fixed in: 4.3.0-4.4.5
2552739
CM-31148
Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor.
Affects: 3.7.2-3.7.16
2552610
CM-31057
The following vulnerability has been announced:
CVE-2019-11360: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.
Affects: 3.7.13-4.2.0
Fixed in: 4.2.1-4.4.5
2552294
CM-30879
NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2552266
CM-30863
OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files.
There are two scenarios in which this vulnerability is useful to an attacker:
- The user is authorized to scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.
- An attacker plants a maliciously named file in a directory tree that someone later uses scp -r to copy over to the target computer.
Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server.
If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously-named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files.
To disable scp completely, use /bin/chmod 0 /usr/bin/scp.
Affects: 3.7.14-3.7.16, 4.0.0-4.4.5
2551912
CM-30580
ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down.
Affects: 3.7.12-4.2.0
Fixed in: 4.2.1-4.4.5
2551578
CM-30422
When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2551565
CM-30414
If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected.
To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands.
Affects: 3.7.13-3.7.16, 4.2.0-4.4.5
2551554
CM-30408
Customers running security scans on Cumulus Linux 4 may encounter the listing of an incorrect version of u-boot 2014.10+dfsg1-4 with the following vulnerabilities:
CVE-2017-3225, CVE-2017-3226, CVE-2018-18440, CVE-2019-11690, CVE-2019-13103, CVE-2019-14192, CVE-2019-14193, CVE-2019-14194, CVE-2019-14195, CVE-2019-14196, CVE-2019-14197, CVE-2019-14198, CVE-2019-14199, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203, CVE-2019-14204, CVE-2020-10648
The u-boot-tools package is not installed on the switch by default, but is available in the repository for optional installation. On Cumulus Linux 4, the version is at least 2019.01+dfsg-7. However, the older versions available for optional installation on Cumulus Linux 3 may be vulnerable.
According to https://security-tracker.debian.org/tracker/source-package/u-boot , all except the following are fixed in 2019.01+dfsg-7:
- CVE-2017-3225: https://security-tracker.debian.org/tracker/CVE-2017-3225 says "Negligible security impact"
- CVE-2017-3226: https://security-tracker.debian.org/tracker/CVE-2017-3226 says "Negligible security impact"
- CVE-2018-18440: https://security-tracker.debian.org/tracker/CVE-2018-18440 says "No security impact as supported/packaged in Debian"
Affects: 3.7.12-3.7.16
Fixed in: 4.0.0-4.4.5
2551305
CM-30296
The net show configuration command provides the wrong net add command for ACL under the VLAN interface.
Affects: 3.7.12-3.7.16, 4.1.0-4.4.5
2551288
CM-30286
When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.
To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file.
Affects: 3.7.7-3.7.16
Fixed in: 4.0.0-4.4.5
2550974
CM-30195
On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured.
Affects: 3.7.11-3.7.16, 4.1.1-4.4.5
2550942
CM-30178
NCLU tab completion for net show displays the text add help text instead of system Information for the system option.
Affects: 3.7.11-4.2.0
Fixed in: 4.2.1-4.4.5
2550796
CM-30103
On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero.
To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs.
Affects: 3.7.12-4.2.1
Fixed in: 4.3.0-4.4.5
2550793
CM-30101
The NCLU net show bridge spanning-tree command displays the aging timer incorrectly.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550600
CM-29978
The received PVST BPDU for a VLAN is flooded even though the ingress port does not have the VLAN tagged.
Affects: 3.7.8-4.3.0
Fixed in: 4.3.1-4.4.5, 4.4.0-4.4.5
2550479
CM-29899
VXLAN interface as in-interface or out-interface in an ACL is not supported in Spectrum-based switches.
Affects: 3.7.7-4.2.0
Fixed in: 4.2.1-4.4.5, 4.3.0-4.4.5
2550444
CM-29872
Tab completion for the net show rollback description command returns information about a snapshot instead of context help.
To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550443
CM-29871
The net show rollback description command returns an error even if the string matches a commit description.
To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550276
CM-29779
In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added.
All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent.
Affects: 3.7.12-4.2.1
Fixed in: 4.3.0-4.4.5
2550243
CM-29759
When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.
To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service. For example:

#Requires=nginx.service restserver.socket
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550056
CM-29652
The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:

error: invalid signature.
Press any key to continue…
Affects: 3.7.12-3.7.16, 4.1.1-4.4.5
2549925
CM-29594
When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:

error: swp1s1.2: netlink: cannot set link swp1s1.2 up: operation failed with 'Network is down' (100)
warning: cmd '/bin/ip addr del 10.0.0.1/24 dev eth0' failed: returned 2 (RTNETLINK answers: Cannot assign requested address

To work around this issue, run the ifreload -a command a second time.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2549872
CM-29562
If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error.
Affects: 3.7.12-3.7.16, 4.1.1-4.4.5
2549838
CM-29546
In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel.
If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel.
To work around this issue, delete, then re-add the missing VNI. For example:

cumulus@switch:~$ sudo ifdown vni10100
cumulus@switch:~$ sudo ifup vni10100

If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI.
Affects: 3.7.12-4.2.1
Fixed in: 4.3.0-4.4.5
2549782
CM-29519
The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2549731
CM-29492
When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:

[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1
Affects: 3.7.12-3.7.16, 4.1.1-4.4.5
2549472
CM-29367
On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic.
Affects: 3.7.11-4.1.1
Fixed in: 4.2.0-4.4.5
2549371
CM-29309
When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when no MLD join has been received.
Affects: 3.7.11-4.3.1
Fixed in: 4.4.0-4.4.5
2549307
The following vulnerabilities affect git, which is available in the repository for optional installation:
CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.
Affects: 3.7.12-4.1.1
Fixed in: 4.2.0-4.4.5
2549226
CM-29259
You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored.
Affects: 3.7.12-3.7.14.2, 4.0.0-4.2.1
Fixed in: 3.7.15-3.7.16, 4.3.0-4.4.5
2548962
CM-29165
With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table.
Affects: 3.7.12-4.1.1
Fixed in: 4.2.0-4.4.5
2548930
CM-29148
On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware.
Affects: 3.7.11-4.2.1
Fixed in: 4.3.0-4.4.5
2548746
CM-29068
On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect.
Affects: 3.7.11-4.1.1
Fixed in: 4.2.0-4.4.5
2548657
CM-29035
When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2548490
CM-28944
A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.
To work around this issue, reenter the redistribute <connected|static> route-map statement in the configuration.
Affects: 3.7.11-4.1.1
Fixed in: 4.2.0-4.4.5
2548485
CM-28940
If you configure the aggregate-address summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example, with the following existing configuration:

router bgp 1
address-family ipv4 unicast
aggregate-address 50.0.0.0/8 summary-only
exit-address-family

If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:

Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 50.0.0.0 0.0.0.0 32768 i
s> 50.0.0.1/32 0.0.0.0 0 32768 i

Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:

Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
s> 50.0.0.1/32 0.0.0.0 0 32768 i

To work around this issue, remove, then re-add the component prefix routes.
Affects: 3.7.12-4.2.1
Fixed in: 4.3.0-4.4.5
2548315
CM-28816
The following security advisory has been announced for bash:
CVE-2019-18276 Qualys scan QID 372268 setuid vulnerability
When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges.
To work around this issue, do not make bash or bash scripts setuid.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2548243
CM-28754
On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules.
Affects: 3.7.3-3.7.16, 4.0.0-4.4.5
2548155
CM-28685
The net show bgp neighbor swpX json command shows negative output for the bgpTimerUpMsec timer.
Affects: 3.7.10-3.7.16
Fixed in: 4.0.0-4.4.5
2548117
CM-28659
In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2548044
CM-28608
When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor.
Affects: 3.7.12-3.7.15, 4.0.0-4.4.5
Fixed in: 3.7.16
2548024
CM-28596
On the Dell Z9100 switch, 100G-SR4 modules might not link up reliably in certain ports.
swp1, 2, 3, 9, 10, 23, 24, 30, 31, and 32 might be affected.
To work around this issue, move 100G SR4 modules to one of the ports not affected by this issue.
Affects: 3.7.11-4.1.1
Fixed in: 4.2.0-4.4.5
2547942
CM-28533
On the Lenovo NE0152T switch, one power supply (PSU2) always shows as ABSENT in smonctl.
Affects: 3.7.11-4.0.1
Fixed in: 4.1.0-4.4.5
2547878
The following vulnerability has been found in the libgcrypt20 cryptographic library.
CVE-2019-13627: an ECDSA timing attack was possible.
For more information, see https://www.debian.org/lts/security/2020/dla-1931-2.en.html
Vulnerable: 1.6.3-2+deb8u7
Fixed: 1.6.3-2+deb8u8
Affects: 3.7.11-3.7.16
2547876
The following vulnerability affects libxml2:
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c has a memory leak related to newDoc->oldNs. This can lead to a denial of service.
For more information, see https://www.debian.org/lts/security/2019/dla-2048.en.html .
Vulnerable: 2.9.1+dfsg1-5+deb8u7
Fixed: 2.9.1+dfsg1-5+deb8u8
Affects: 3.7.11-3.7.16
2547874
The following vulnerability affects libbsd, a package containing utility functions from BSD systems.
CVE-2016-2090: In the function fgetwln(), an off-by-one error could trigger a heap buffer overflow.
For more information, see https://www.debian.org/lts/security/2019/dla-2052.en.html .
Vulnerable: 0.7.0-2
Fixed: 0.7.0-2+deb8u1
Affects: 3.7.11-3.7.16
2547839
CM-28465
When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error.
Affects: 3.7.11-4.1.1
Fixed in: 4.2.0-4.4.5
2547782
CM-28441
If an LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2547706
CM-28397
When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2547659
CM-28372
On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise.
Affects: 3.7.11-4.0.1
Fixed in: 4.1.0-4.4.5
2547573
CM-28322
On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU.
Affects: 3.7.9-3.7.16
2547443
CM-28248
On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode.
Affects: 3.7.11-4.0.1
Fixed in: 4.1.0-4.4.5
2547381
CM-28212
The hsflowd service sends an undefined header protocol 0 in the sampled flow sample to the collector, which is not recognized by the sFlow tool. You see errors similar to the following:

Dec 20 08:43:27 netflow-nms sfcapd[3991]: SFLOW: readFlowSample_header() undefined headerProtocol = 0

Affects: 3.7.11-3.7.16
Fixed in: 4.0.0-4.4.5
2547349
CM-28193
When you change an interface IP address, then change it back, static routes are misprogrammed.
One of the following actions recovers the routes:
- Bounce both layer 3 interfaces
- Remove or add static routes in FRR
- Restart FRR
Affects: 3.7.11-3.7.16
Fixed in: 4.0.0-4.4.5
2547123
CM-28078
On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect.
Affects: 3.7.11-4.1.1
Fixed in: 4.2.0-4.4.5
2547120
CM-28076
After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2547118
The following security vulnerabilities have been announced in the libtiff5 library on Cumulus Linux 4.0:
CVE-2019-14973, CVE-2019-17546: Multiple integer overflows have been discovered in the libtiff library and the included tools.
Vulnerable: 4.0.10-4
Fixed: 4.1.0+git191117-2~deb10u1
Affects: 3.7.10-4.0.1
Fixed in: 4.1.0-4.4.5
2547100
CM-28061
On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic.
Affects: 3.7.11-4.1.1
Fixed in: 4.2.0-4.4.5
2547068
CM-28046
Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly.
To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available, or manually disable CPU C-states in the kernel as outlined below.
To permanently disable C-states using a kernel boot parameter:
1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if the /etc/default/grub file contains the line GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off", change it to GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0".
2. Run sudo update-grub.
3. Reboot the system with sudo reboot.
To disable C-states in real time on the current system, which does not persist through a reboot:
1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:
ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)
The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade; sudo apt install libpci3.
2. Disable C-states by running the command ./cpupower idle-set -d 2.
C-states are disabled by default in Cumulus Linux 4.3.0 and later.
Affects: 3.7.9-4.2.1
Fixed in: 4.3.0-4.4.5
2546991
CM-28003
The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2546895
CM-27957
If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:

systemd[1]: switchd.service watchdog timeout (limit 2min)!

To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd timeout for switchd.service.
To increase the systemd timeout:
1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
2. Restart the switchd service with the sudo systemctl restart switchd.service command.
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2546451
CM-27737
On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold.
Affects: 3.7.11-3.7.16
2546385
CM-27698
SNMP ifLastChange reports link transitions when there are none.
Affects: 3.7.6-3.7.16
2546225
CM-27627
When you execute the following commands on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.

sudo onie-install -fai http://
sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2546203
CM-27620
When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior:
* Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet.
* If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet.
Affects: 3.7.11-3.7.16
2546131
CM-27581
On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2546010
CM-27530
When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist.
Affects: 3.7.10-3.7.16
2545997
CM-27522
The NCLU command net show interface produces an error if bonds with no members exist.
To work around this issue, remove the empty bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a.
Affects: 3.7.10-3.7.16
2545566
CM-27272
The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT.
Affects: 3.7.12-4.0.1
Fixed in: 4.1.0-4.4.5
2545446
CM-27192
If you use NCLU commands to add a non-MLAG bond, then add an MLAG configuration, the net commit command fails. However, a subsequent net commit command succeeds.
Affects: 3.7.10-3.7.16
2545125
CM-27018
If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address.
Affects: 3.7.10-3.7.16, 4.0.0-4.4.5
2544978
CM-26921
If you delete an undefined bond, then add a bond slave, the net commit command fails.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2544968
CM-26913
FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2544953
CM-26905
When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command.
3.7.10-3.7.16, 4.0.0-4.4.5
2544904
CM-26875
After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements.
To work around this issue, restart FRR after removing the IPv6 numbered configuration.
Affects: 3.7.9-4.1.1; Fixed in: 4.2.0-4.4.5
2544829
CM-26829
Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump.
3.7.8-3.7.16
2544671
CM-26736
Package: sudo
CVE ID: CVE-2019-14287
Debian Bug: 942322
Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows commands to be run as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access.
Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html
We recommend that you upgrade your sudo packages. For the detailed security status of sudo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudo
Vulnerable versions: < 1.8.27-1+deb10u1
Fixed versions: >= 1.8.27-1+deb10u1
To work around this issue, disable (comment out) any entries in /etc/sudoers or in files under /etc/sudoers.d that contain !root. Only Runas specifications that try to exclude root (or another user with a UID of 0) in this way are affected.
Affects: 3.7.9-3.7.16; Fixed in: 4.0.0-4.4.5
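To find the entries the workaround above tells you to comment out, the following added example (not Cumulus Linux code) scans sudoers text for Runas specifications that grant ALL while excluding root with !root or !#0, which is exactly the pattern CVE-2019-14287 bypasses. The sample sudoers content is constructed; on a switch you would feed it the contents of /etc/sudoers and each file under /etc/sudoers.d.

```python
"""Find sudoers Runas specs that CVE-2019-14287 turns into root access.

Added example, not Cumulus Linux code. The page's workaround is to comment
out sudoers entries that contain !root; this scanner finds them. It flags
a user specification whose Runas user list grants ALL and excludes root
(!root or !#0): on an unpatched sudo a user matching that rule can run the
listed command as root with -u#-1 or -u#4294967295.
"""
import re
from typing import List, Tuple

# The Runas spec is the parenthesised part of a user specification:
#   user  host = (runas_users[:runas_groups]) [tags] commands
RUNAS_RE = re.compile(r"=\s*\(([^)]*)\)")

# Constructed sample, not taken from a switch.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL = (ALL, !root) /usr/bin/vi
bob     ALL = (ALL, !#0) NOPASSWD: /bin/ls
carol   ALL = (ALL) /usr/bin/id
# dave  ALL = (ALL, !root) /bin/bash
"""


def logical_lines(text: str) -> List[str]:
    """Fold backslash-continued lines so each entry is one string."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        lines.append(pending + line)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def vulnerable_runas_entries(sudoers_text: str) -> List[Tuple[int, str]]:
    """Return (logical line number, entry) for each exploitable Runas spec.

    Comment lines and #include/#includedir directives are skipped; run the
    function on each included file's contents separately.
    """
    hits = []
    for lineno, line in enumerate(logical_lines(sudoers_text), start=1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        match = RUNAS_RE.search(entry)
        if not match:
            continue
        runas_users = match.group(1).split(":", 1)[0]   # drop runas_groups
        items = [item.strip() for item in runas_users.split(",") if item.strip()]
        grants_all = "ALL" in items
        excludes_root = any(item in ("!root", "!#0") for item in items)
        if grants_all and excludes_root:
            hits.append((lineno, entry))
    return hits


if __name__ == "__main__":
    for lineno, entry in vulnerable_runas_entries(SAMPLE_SUDOERS):
        print(f"line {lineno}: {entry}")
```

Entries that grant (ALL) without a negation are not reported: they already allow root, so the bug changes nothing for them. Only the rules that rely on !root to keep a user away from root are the ones the advisory, and this check, care about.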
2544556
CM-26655
If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options.
Affects: 3.7.9-4.1.1; Fixed in: 4.2.0-4.4.5
2544463
CM-26599
Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G.
3.7.9-3.7.16, 4.0.0-4.4.5
2544456
CM-26595
The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds.
3.7.9-3.7.16, 4.0.0-4.4.5
2544311
CM-26516
Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host.
3.7.5-3.7.16, 4.0.0-4.4.5
2544235
CM-26463
The following CVEs affect the linux kernel package:
CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux
3.7.10-3.7.16
2544155
CM-26423
NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

3.7.5-3.7.16, 4.0.0-4.4.5
2544113
CM-26412
MAC learning is not disabled by default on a double-tagged peer link interface, which results in the MAC address moving between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file.
3.7.9-3.7.16, 4.0.0-4.4.5
2543900
CM-26288
On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address.
3.7.8-3.7.16, 4.0.0-4.4.5
2543841
CM-26256
The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
3.7.8-3.7.16, 4.0.0-4.4.5
2543840
CM-26255
On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file.

3.7.6-3.7.16
2543800
CM-26230
When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it because it does not know where to forward it. The static VXLAN tunnel does work if local-tunnelip is a loopback or a physical layer 3 interface.
Affects: 3.7.8-3.7.16; Fixed in: 4.0.0-4.4.5
2543647
CM-26137
ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
Affects: 3.7.6-4.2.1; Fixed in: 4.3.0-4.4.5
2543646
CM-26136
In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case).
3.7.6-3.7.16, 4.0.0-4.4.5
2543627
CM-26126
Tomahawk 40G DACs cannot disable auto-negotiation.
Affects: 3.7.7-3.7.16; Fixed in: 4.0.0-4.4.5
2543270
CM-25923
The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate.
Affects: 3.7.8-4.1.1; Fixed in: 4.2.0-4.4.5
2543211
CM-25890
In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
3.7.0-3.7.16, 4.0.0-4.4.5
2543164
CM-25859
The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command.
3.7.7-3.7.16, 4.0.0-4.4.5
2543096
CM-25815
When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
3.7.6-3.7.16, 4.0.0-4.4.5
2543058
CM-25798
The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces.
Affects: 3.7.7-3.7.16; Fixed in: 4.0.0-4.4.5
2543052
CM-25796
Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as "inactive" in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI.
Affects: 3.7.5-3.7.16; Fixed in: 4.0.0-4.4.5
2543044
CM-25794
Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
To ensure that EVPN next hops are removed when the contributing peer goes down, specify static MAC addresses on all layer 3 VNIs. There is no workaround for EVPN next hops that are not populated when the BGP session to the contributing peer comes up.
Affects: 3.7.2-3.7.16; Fixed in: 4.0.0-4.4.5
2542979
CM-25766
On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work.
Affects: 3.7.7-4.1.1; Fixed in: 4.2.0-4.4.5
2542945
CM-25740
On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
3.7.6-3.7.16, 4.0.0-4.4.5
2542310
CM-25404
hsflowd ignores the agent.cidr setting in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the sFlow payload is IPv6.
3.7.6-3.7.16
2542305
CM-25400
If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
3.7.6-3.7.16, 4.0.0-4.4.5
2542301
CM-25397
When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
3.7.3-3.7.16, 4.0.0-4.4.5
2541212
CM-24894
The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded.
3.7.5-3.7.16, 4.0.0-4.4.5
2541165
CM-24878
On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 through 12. (UPOE uses all four pairs of standard Ethernet cabling, whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device into a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port, so poectl should report that four_pair_mode_enabled is false.
3.7.6-3.7.16
2541029
CM-24799
On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped.
This issue only affects QinQ configurations.
3.7.5-3.7.16, 4.0.0-4.4.5
2540950
CM-24751
On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status.
Affects: 3.7.3-4.1.1; Fixed in: 4.2.0-4.4.5
2540885
CM-24703
The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports.
3.7.7-3.7.16
2540863
CM-24686
On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number.
3.7.3-3.7.16
2540753
CM-24618
If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
 
ERROR: No closing quotation
See /var/log/netd.log for more details.

3.7.5-3.7.16, 4.0.0-4.4.5
2540444
CM-24473
SNMP incorrectly requires engine ID specification.
3.7.4-3.7.16, 4.0.0-4.4.5
2540352
CM-24435
When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9
net add routing route-map Proxy-ARP permit 30 match interface swp10

3.7.2-3.7.16, 4.0.0-4.4.5
2540340
CM-24426
NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example:
 
cumulus@switch:~$ net add vrf mgmt


Tab completion for the net add vrf ip address command works correctly.
3.7.4-3.7.16, 4.0.0-4.4.5
2540274
CM-24379
On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route.
3.7.5-3.7.16, 4.0.0-4.4.5
2540204
CM-24350
When links come up after FRR is started, VRF connected routes do not get redistributed.
3.7.4-3.7.16, 4.0.0-4.4.5
2540192
CM-24343
The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value.
3.7.4-3.7.16, 4.0.0-4.4.5
2540155
CM-24332
On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
3.7.3-3.7.16, 4.0.0-4.4.5
2540042
CM-24272
When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface br0.100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# vrrp 1 advertisement-interval
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540041
CM-24271
On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU.
To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface vlan100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540040
CM-24270
Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface swp4
switch(config-if)# vrrp 1 version 2
switch(config-if)# no vrrp 1 preempt
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540031
CM-24262
NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist.
3.7.3-3.7.16, 4.0.0-4.4.5
2539994
CM-24241
When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
 
cumulus@switch:~$ net del bgp neighbor fabric peer-group
'router bgp 65001' configuration does not have 'neighbor fabric peer-group'

3.7.2-3.7.16, 4.0.0-4.4.5
2539962
CM-24222
When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error.
3.7.0-3.7.16, 4.0.0-4.4.5
2539670
CM-24035
On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type.
3.7.2-3.7.16, 4.0.0-4.4.5
2539124
CM-23825
The net add interface ptm-enable command adds a no ptm-enable line for that interface to the frr.conf file.
Neither the net add nor the net del command removes the no ptm-enable line from the frr.conf file. You have to remove it manually using vtysh.
3.7.2-3.7.16, 4.0.0-4.4.5
2539081
CM-23792
When you delete post-up and pre-down IP peer entries from the /etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.
To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command.
Affects: 3.7.0-3.7.16; Fixed in: 4.0.0-4.4.5
2538875
CM-23696
IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file.
3.7.2-3.7.16
2538790
CM-23665
NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan bridge access . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.
To restore connectivity, remove the VLAN ID from the bridge.
3.7.2-3.7.16, 4.0.0-4.4.5
2538590
CM-23584
When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain.
3.7.2-3.7.16, 4.0.0-4.4.5
2538562
CM-23570
On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G.
3.7.2-3.7.16, 4.0.0-4.4.5
2538302
CM-23422
portwd can change a module's type in response to an I/O error. For example, a bad write to a module might cause the module type to flap, which in turn causes the link itself to flap.
3.7.0-3.7.16
2538294
CM-23417
If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid.
3.7.0-3.7.16, 4.0.0-4.4.5
2538256
CM-23397
On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
Affects: 3.7.2-4.0.1; Fixed in: 4.1.0-4.4.5
2537820
CM-23123
When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
Affects: 3.7.2-3.7.16; Fixed in: 4.0.0-4.4.5
2537699
CM-23075
There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
3.7.1-3.7.16, 4.0.0-4.4.5
2537544
CM-23021
When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB.
3.7.1-3.7.16, 4.0.0-4.4.5
2537378
CM-22937
NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
3.7.1-3.7.16
2537188
CM-22849
When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
3.7.2-3.7.16
2537104
CM-22808
When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
Affects: 3.7.1-3.7.16; Fixed in: 4.0.0-4.4.5
2537061
CM-22794
The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
Affects: 3.7.1-4.0.1; Fixed in: 4.1.0-4.4.5
2536608
CM-22583
Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
3.7.0-3.7.16
2536384
CM-22386
The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does not differentiate between BFD and non-BFD VXLAN inner packets, because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN-encapsulated BUM packets are not forwarded to the CPU and so do not go through the iptables redirection rule; only VXLAN-encapsulated BFD packets are forwarded to the CPU, due to the inner MAC DA lookup in hardware.
3.7.0-3.7.16, 4.0.0-4.4.5
2536179
CM-22228
On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working.
3.7.0-3.7.16, 4.0.0-4.4.5
2535986
CM-22041
At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart.
3.7.0-3.7.16, 4.0.0-4.4.5
2535965
CM-22020
On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic.
3.7.0-3.7.16, 4.0.0-4.4.5
2533691
CM-19788
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.
To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface.
3.7.12-3.7.16, 4.0.0-4.4.5
2532017
CM-18192
In FRR, bgp_snmp does not show all BGP peers when peer groups are used.
Affects: 3.7.11-4.0.1; Fixed in: 4.1.0-4.4.5

Fixed Issues in 3.7.14.2

Issue IDDescriptionAffects
2556287
CM-33165
CVE-2021-3156: A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug.
Vulnerable: <= 1.8.10p4-cl3.7.14u1
Fixed: 1.8.10p4-cl3.7.15u1
Note: security scanners may not recognize 1.8.10p4-cl3.7.15u1 as fixed and therefore incorrectly list it as vulnerable.
3.7.14
2556011
CM-32994
On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash.
3.7.14, 4.0.0-4.2.1
2555627
CM-32797
The following vulnerabilities have been announced in curl:
CVE-2020-8284: Vulnerability to malicious FTP server with PASV response with different IP address.
CVE-2020-8285: Wildcard matching is vulnerable to denial of service by running out of stack space.
Vulnerable: <= 7.38.0-4+deb8u18
Fixed: 7.38.0-4+deb8u19
3.7.14
2555507
CM-32734
CVE-2018-0734: A minor timing side channel attack was found in the OpenSSL DSA signature algorithm. The fix for that introduced a more severe regression that could also be exploited as a timing side channel attack. This update fixes both the original problem and the subsequent issue.
CVE-2020-1971: A flaw in the GENERAL_NAME_cmp() function could cause a NULL dereference, resulting in denial of service.
Vulnerable: <= 1.0.1t-1+deb8u12
Fixed: 1.0.1t-1+deb8u13
3.7.14
2555494
CM-32728
On Broadcom switches, when WARN level switchd log messages are generated, switchd might crash, resulting in a core file generated on the system.
3.7.14
2555314
CM-32609
CVE-2020-25709, CVE-2020-25710: Vulnerabilities in the certificate list syntax verification and in the handling of CSN normalization were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.40+dfsg-1+deb8u7
Fixed: 2.4.40+dfsg-1+deb8u8
3.7.14
2555177
CM-32529
On Mellanox switches, the ASIC temperature sensor reading reports zeros. As a result, the fan speed is higher than normal.
You can see the temperature reading in the output of the sensors command.
3.7.14
2552214
CM-30832
The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages.
3.7.11-3.7.14, 4.1.1-4.3.0

3.7.14 Release Notes

Open Issues in 3.7.14

Issue IDDescriptionAffectsFixed
3418046
None
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
Affects: 3.7.0-5.4.0; Fixed in: 5.5.0-5.6.0
3376798
On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected.
3.7.0-3.7.16, 4.3.1-4.4.5
3330705
When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present.
Affects: 3.7.0-5.3.1; Fixed in: 5.4.0-5.6.0
3327477
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 through tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 through tacacs15 user password.
3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0
3216922
None
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-5.2.1; Fixed in: 5.3.0-5.6.0
3216921
None
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
3.7.0-3.7.16, 4.3.0-4.4.5
3209699
None
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-4.3.0, 4.4.0-5.2.1; Fixed in: 4.3.1, 5.3.0-5.6.0
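The three RADIUS entries above (3216922, 3216921 and 3209699) share one workaround: every name on the users_with_edit line must be a real local user. The following added example (not Cumulus Linux code) checks that, reporting any users_with_edit entry with no line in /etc/passwd. It assumes the stock netd.conf layout, a [users] section with comma-separated user lists; the sample file contents are constructed.

```python
"""Report users_with_edit entries in netd.conf that are not local accounts.

Added example, not Cumulus Linux code. The release note's workaround is that
every name on the users_with_edit line must be a real local user; any name
this check returns is the condition under which read-only RADIUS users can
run NCLU edit commands. The file layout (a [users] section with
comma-separated user lists) is assumed from the stock /etc/netd.conf.
"""
import configparser
from typing import Iterable, List, Optional, Set

# Constructed sample, not copied from a switch: netops-radius is a RADIUS
# account that has no entry in /etc/passwd.
SAMPLE_NETD_CONF = """\
[users]
users_with_edit = root, cumulus, netops-radius
users_with_show = root, cumulus
groups_with_edit = netedit
groups_with_show = netshow
"""


def local_account_names(passwd_path: str = "/etc/passwd") -> Set[str]:
    """Names of real local users: first field of each /etc/passwd line."""
    with open(passwd_path) as fh:
        return {line.split(":", 1)[0]
                for line in fh if line.strip() and not line.startswith("#")}


def parse_user_list(netd_conf_text: str, key: str = "users_with_edit") -> List[str]:
    """Read one comma-separated list from the [users] section of netd.conf."""
    parser = configparser.ConfigParser()
    parser.read_string(netd_conf_text)
    raw = parser.get("users", key, fallback="")
    return [name.strip() for name in raw.split(",") if name.strip()]


def non_local_edit_users(netd_conf_text: str,
                         known_users: Optional[Iterable[str]] = None) -> List[str]:
    """users_with_edit entries that are not local accounts.

    known_users lets a caller supply the account set (as the tests do);
    when omitted, the local passwd database is read.
    """
    known = set(known_users) if known_users is not None else local_account_names()
    return [name for name in parse_user_list(netd_conf_text) if name not in known]


if __name__ == "__main__":
    with open("/etc/netd.conf") as fh:
        offenders = non_local_edit_users(fh.read())
    print("non-local users_with_edit entries:", offenders or "none")
```

A non-empty result means the privilege boundary between users_with_show and users_with_edit is not being enforced for RADIUS logins; remove the offending names or create them as local users before relying on read-only NCLU access.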
3073668
On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap.
3.7.12-3.7.16, 4.3.0-4.4.5
3017190
When you power cycle the switch, multiple interfaces might come up in a PoE disabled state.
To work around this issue, run the sudo poectl -a | grep disabled command to find ports with PoE disabled, then run the sudo poectl -e swp1-swp48 command to enable PoE on the affected ports.
3.7.10-3.7.16
2959454
CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact.
Vulnerable: <= 2.1.0-6+deb8u6
Fixed: 2.1.0-6+deb8u7
Affects: 3.7.0-3.7.15; Fixed in: 3.7.16
2959444
CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information.
Vulnerable: <= 4.2-3+deb8u4
Fixed: 4.2-3+deb8u5
Affects: 3.7.0-3.7.15; Fixed in: 3.7.16
2957684
CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds errors were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality and application availability.
Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3
Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4
Affects: 3.7.0-3.7.15; Fixed in: 3.7.16
2949602
CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.
Affects: 3.7.0-3.7.15; Fixed in: 3.7.16
2949586
CVE-2022-21699: ipython may execute untrusted files in the current working directory.
Vulnerable: 2.3.0-2
Fixed: 2.3.0-2+deb8u1
Affects: 3.7.0-3.7.15; Fixed in: 3.7.16
2949585
CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog.
Affects: 3.7.0-3.7.15; Fixed in: 3.7.16
2949584
CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service.
Vulnerable: <= 3.26-1+debu8u15
Fixed: 3.26-1+debu8u16
Affects: 3.7.0-3.7.15; Fixed in: 3.7.16
2941560
CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.
Vulnerable: <= 9.26a~dfsg-0+deb8u7
Fixed: 9.26a~dfsg-0+deb8u
Affects: 3.7.0-3.7.15; Fixed in: 3.7.16
2934940
CM-32683
When you change the SVI vlan-id value in the /etc/network/interfaces file, then run ifreload -a, the 802.1Q ID for the SVI in the kernel does not change.
This operation is not supported in the kernel without recreating the SVI. To apply the change, run ifdown, then ifup for the SVI to recreate the interface.
Affects: 3.7.13-3.7.15, 4.2.1; Fixed: 3.7.16, 4.3.0-4.4.5
2934939
When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage.
To work around this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example:
Before:
address-family ipv4 unicast
aggregate-address 10.10.0.0/16 summary-only
redistribute connected
After:
ip route 10.10.0.0/16 Null0
!
address-family ipv4 unicast
redistribute connected route-map DENY-COMPONENTS
redistribute static
exit-address-family
ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
!
route-map DENY-COMPONENTS deny 10
match ip address prefix-list NO-COMPONENTS
!
route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed.
Affects: 3.7.12-3.7.16
2910862
CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value “zzip_file_read” in the function “unzzip_cat_file”
Vulnerable: <= 0.13.62-3+deb8u2; Fixed: 0.13.62-3+deb8u3
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2910861
CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse
CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods
Vulnerable: <= 2.1.5-2+deb8u12; Fixed: 2.1.5-2+deb8u13
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2885241
CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PSS signatures, which could result in denial of service or potentially the execution of arbitrary code
Vulnerable: <= 3.26-1+debu8u13; Fixed: 3.26-1+debu8u14
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2885239
CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms
Vulnerable: 6.0.0+dfsg-6 on armel platform; Fixed: 6.0.0+dfsg-6+deb8u1
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2885238
The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:
CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data
CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response
CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending SDP packets and this may cause the service of the target device to crash
Vulnerable: <= 5.43-2+deb9u2~deb8u3; Fixed: 5.43-2+deb9u2~deb8u4
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2866111
CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2866096
CM-33416
Under certain high scale conditions, various modules might experience timeouts during cl-support collection, which results in missing data in the cl-support file.
Affects: 3.7.12-3.7.15, 4.1.1-4.3.0; Fixed: 3.7.16, 4.3.1-4.4.5, 5.0.0-5.6.0
2866084
When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del dev [dst|via] <interface|IP> command, then add "vxlan-learning": "off" in the /etc/network/ifupdown2/policy.d/vxlan.json file:
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
  "vxlan": {
    "module_globals": { "vxlan-purge-remotes": "no" },
    "defaults": {
      "vxlan-ageing": "1800",
      "vxlan-port": "4789",      <==== This comma needs to be added at the end of this line
      "vxlan-learning": "off"    <==== This line needs to be added
    }
  }
}
Reboot the affected switches.
Affects: 3.7.12-4.3.0; Fixed: 4.3.1-4.4.5
2862269
CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client’s queries when a connection is first established
Vulnerable: <= 9.4.26-0+deb8u4; Fixed: 9.4.26-0+deb8u5
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2855881
A number of vulnerabilities were discovered in Redis, a popular key/value database:
CVE-2021-32672: Random heap reading issue with Lua Debugger
CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value
CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections
CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow
Vulnerable: <= 2:2.8.17-1+deb8u8; Fixed: 2:2.8.17-1+deb8u9
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2855879
The following vulnerabilities have been announced in the python3.4 package:
CVE-2021-3426: Running ‘pydoc -p’ allows other local users to extract arbitrary files. The ‘/getfile?key=path’ URL allows reading arbitrary files on the filesystem
CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server
CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a ‘100 Continue’ HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server
Vulnerable: <= 3.4.2-1+deb8u10; Fixed: 3.4.2-1+deb8u11
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2850806
CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts)
Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22; Fixed: 1:9.9.5.dfsg-9+deb8u23
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2845540
CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling
Vulnerable: <= 1.7.5-11+deb8u8; Fixed: 1.7.5-11+deb8u9
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2841003
CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference
Vulnerable: <= 0.13-4~deb8u2; Fixed: 0.13-4~deb8u3
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2835994
CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function
Vulnerable: <= 1.0.1t-1+deb8u15; Fixed: 1.0.1t-1+deb8u16
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2823255
CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode)
Vulnerable: <= 52.1-8+deb8u8; Fixed: 52.1-8+deb8u9
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2821981
The following vulnerabilities have been announced in the ruby2.1 package:
CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename
CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions)
CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack”
Vulnerable: <= 2.1.5-2+deb8u11; Fixed: 2.1.5-2+deb8u12
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2820758
The following vulnerabilities have been announced in curl:
CVE-2021-22946: Crafted answers from a server might force clients to not use TLS on connections even though TLS was required and expected
CVE-2021-22947: When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade, and the client would handle them as being trusted. This could be used by a MITM attacker to inject fake response data
Vulnerable: <= 7.38.0-4+deb8u21; Fixed: 7.38.0-4+deb8u22
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2815592
In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence.
Affects: 3.7.12-4.3.0, 4.4.2-5.0.1; Fixed: 4.3.1, 5.1.0-5.6.0
2813826
Two security issues were found in TIFF, a widely used format for storing image data, as follows:
CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the “invertImage()” function in the component “tiffcrop”
CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the ‘in _TIFFmemcpy’ function in the component ‘tif_unix.c’
Vulnerable: <= 4.0.3-12.3+deb8u11; Fixed: 4.0.3-12.3+deb8u12
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2813823
Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash
CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer
CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may
CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user
Vulnerable: <= 2.4.10-10+deb8u18; Fixed: 2.4.10-10+deb8u19
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2801262
On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart.
To work around this issue, load the port configuration in a staggered manner (groups of five downlink ports).
Affects: 3.7.12-4.3.0, 4.4.2-4.4.5; Fixed: 4.3.1, 5.0.0-5.6.0
2801126
CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures
Vulnerable: <= 2.7.1-5+deb8u2; Fixed: 2.7.1-5+deb8u3
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2801125
OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01
Vulnerable: <= 1.0.1t-1+deb8u14; Fixed: 1.0.1t-1+deb8u15
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2801124
GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let’s Encrypt certificates, starting 2021-10-01
Vulnerable: <= 3.3.30-0+deb8u1; Fixed: 3.3.30-0+deb8u2
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2799742
CM-33032
On the Edgecore AS4610 switch, the historic CPU usage displayed in /run/sysmonitor/history sometimes shows as a negative value.
Affects: 3.7.12-3.7.15; Fixed: 3.7.16, 4.3.1-4.4.5
2798139
CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions
Vulnerable: <= 9.4.26-0+deb8u3; Fixed: 9.4.26-0+deb8u4
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2794750
CM-29043
When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering.
Affects: 3.7.12-3.7.15, 4.0.0-4.2.1; Fixed: 3.7.16, 4.3.0-4.4.5
2769687
CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library
Vulnerable: <= 7.38.0-4+deb8u20; Fixed: 7.38.0-4+deb8u21
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2769633
CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames
Vulnerable: <= 1.10.0-2+deb8u2; Fixed: 1.10.0-2+deb8u3
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2769632
CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made
Vulnerable: <= 0.80.7-2+deb8u4; Fixed: 0.80.7-2+deb8u5
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2769631
CVE-2021-38165: lynx has a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data
Vulnerable: <= 2.8.9dev1-2+deb8u1; Fixed: 2.8.9dev1-2+deb8u2
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2743132
CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow execution of arbitrary code
Vulnerable: <= 1.0.25-9.1+deb8u5; Fixed: 1.0.25-9.1+deb8u6
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2736265
After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes.
Affects: 3.7.12-3.7.15, 4.2.1-4.3.0; Fixed: 3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5
2736247
CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.c
Vulnerable: <= 1.900.1-debian1-2.4+deb8u10; Fixed: 1.900.1-debian1-2.4+deb8u11
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2736245
CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems
Vulnerable: <= 2.8.17-1+deb8u7; Fixed: 2.8.17-1+deb8u8
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2734107
When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs.
Affects: 3.7.12-4.3.0, 4.4.0-4.4.1; Fixed: 4.3.1, 4.4.2-4.4.5
2728207
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5
2728206
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5
2728205
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-4.4.1; Fixed: 4.4.2-4.4.5
2726776
CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour
Vulnerable: <= 2.4.10-10+deb8u17; Fixed: 2.4.10-10+deb8u18
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2716841
CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository
Vulnerable: <= 1.5.6-5+deb8u1; Fixed: 1.5.6-5+deb8u2
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2705169
CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed
Vulnerable: <= 4.0.3-12.3+deb8u10; Fixed: 4.0.3-12.3+deb8u11
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2705168
CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access
Vulnerable: <= 5.43-2+deb9u2~deb8u2; Fixed: 5.43-2+deb9u2~deb8u3
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2702519
CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt
Vulnerable: <= 1.6.3-2+deb8u8; Fixed: 1.6.2-2+dev8u9
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2700767
Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use an MLAG peer IP linklocal configuration.
Affects: 3.7.12-3.7.15, 4.3.0-4.4.5; Fixed: 3.7.16
2699464
In a VXLAN fabric with ToR switches configured in a MLAG pair, BUM traffic received on a VXLAN tunnel is decapsulated and forwarded on the peer link bond. The BUM traffic is then encapsulated by the peer switch and sent back to the fabric. The issue has been seen in environments where the following conditions exist at the same time:
1) high VNI scale
2) switchd is busy processing updates
3) clagd is in a transition state, such as Up, then Down, then Up. For example, when clagd restarts, the switch reboots, and so on.
The problem is seen on the switch that experiences the clagd state transition.
Affects: 3.7.12-3.7.15; Fixed: 3.7.16
2687332
When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage.
To work around this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example:
Before:
address-family ipv4 unicast
aggregate-address 10.10.0.0/16 summary-only
redistribute connected
After:
ip route 10.10.0.0/16 Null0
!
address-family ipv4 unicast
redistribute connected route-map DENY-COMPONENTS
redistribute static
exit-address-family
ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
!
route-map DENY-COMPONENTS deny 10
match ip address prefix-list NO-COMPONENTS
!
route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed.
Affects: 3.7.12-4.2.1; Fixed: 4.3.0-4.4.5
2684452
When a VTEP is rebooted, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel FDB and the correct VTEP IP will be present in the EVPN MAC VNI table.
You can work around this issue with the following steps:
1. Clear all corrupted MAC entries in the kernel FDB with the bridge fdb del dev [dst|via] <interface|IP> command
2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
  "vxlan": {
    "module_globals": { "vxlan-purge-remotes": "no" },
    "defaults": {
      "vxlan-ageing": "1800",
      "vxlan-port": "4789",      <==== This comma needs to be added at the end of this line
      "vxlan-learning": "off"    <==== This line needs to be added
    }
  }
}
3. Reboot the affected switch(es)
Affects: 3.7.12-3.7.16
2684404
CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8; Fixed: 1.6.2-5+deb8u9
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2679950
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1; Fixed: 4.3.1-6-cl3.7.16u1
Affects: 3.7.0-3.7.15, 4.0.0-4.3.1; Fixed: 3.7.16, 4.4.0-4.4.5
2677063
CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10; Fixed: 2.9.1+dfsg1-5+deb8u11
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2677061
CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7; Fixed: 1.6.2-5+deb8u8
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2677060
CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6; Fixed: 2.7.9-2-ds1-1+deb8u7
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2669858
CM-32169
OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf.
This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper.
Affects: 3.7.14-3.7.16, 4.0.0-4.4.5
2668477
CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions
Vulnerable: <= 1.6.2-3+deb8u4; Fixed: 1.6.2-3+deb8u5
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2660693
CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request
Vulnerable: 7.38.0-4+deb8u19; Fixed: 7.38.0-4+deb8u20
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2660582
In an MLAG configuration, the secondary MLAG switch keeps using the MLAG system MAC address instead of a unique address when there is a double failure (backup IP and peer link failure).
To recover, restart the clagd service with sudo systemctl restart clagd.service
Affects: 3.7.8-3.7.15; Fixed: 3.7.16
2658233
The following vulnerabilities have been announced in the graphviz package:
CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (application crash) via a crafted file
CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file
Vulnerable: 2.38.0-7; Fixed: 2.38.0-7+deb8u1
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2656291
The following CVEs affect the linux kernel package:
CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
For the detailed security status of linux, refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux
Affects: 3.7.12-3.7.16; Fixed: 4.0.0-4.4.5
2654684
CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files
Vulnerable: <= 2.9.1+dfsg1-5+deb8u9; Fixed: 2.9.1+dfsg1-5+deb8u10
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2653521
CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code
Vulnerable: 0.4.1-1.2; Fixed: 0.4.1-1.2+deb8u1
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2653400
None
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.
Affects: 3.7.10-3.7.16
2652003
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.
Affects: 3.7.10-4.3.0; Fixed: 4.3.1-4.4.5
2646974
The following vulnerabilities have been announced in bind9:
CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service
CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query
CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries
Vulnerable: <= 9.9.5.dfsg-9+deb8u21; Fixed: 9.9.5.dfsg-9+deb8u22
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2646968
CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service
Vulnerable: <= 6.8.9.9-5+deb8u23; Fixed: 6.8.9.9-5+deb8u24
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2645846
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.
Affects: 3.7.10-3.7.15; Fixed: 3.7.16, 4.3.1-4.4.5
2638137
When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file.
Affects: 3.7.13-3.7.16
2635951
The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1
Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened
Vulnerable: <= 1.4.4-2+deb8u2; Fixed: 1.4.4-2+deb8u3
Affects: 3.7.0-3.7.14.2; Fixed: 3.7.15-3.7.16
2633245
On the Dell N3048EP-ON switch, the SFP+ ports remain down after a power cycle.
Affects: 3.7.10-3.7.16
2628515
CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service
Vulnerable: <= 2.8.0-cl3.7.15u2; Fixed: 2.8.0-cl3.7.15u3
Affects: 3.7.14-3.7.14.2, 4.3.0-4.3.1; Fixed: 3.7.15-3.7.16, 4.4.0-4.4.5
2617009
CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code
Vulnerable: 1.7.0~dfsg-1; Fixed: 1.7.0~dfsg-1+deb8u1
Affects: 3.7.0-3.7.14.2; Fixed: 3.7.15-3.7.16
2617008
CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data
Vulnerable: <= 1.22.0-9+deb8u4; Fixed: 1.22.0-9+deb8u5
Affects: 3.7.0-3.7.14.2; Fixed: 3.7.15-3.7.16
2617007
CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited
Vulnerable: <= 1.900.1-debian1-2.4+deb8u9; Fixed: 1.900.1-debian1-2.4+deb8u10
Affects: 3.7.0-3.7.14.2; Fixed: 3.7.15-3.7.16
2617006
CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute
Vulnerable: <= 3.4.0-1+deb8u3; Fixed: 3.4.0-1+deb8u4
Affects: 3.7.0-3.7.14.2; Fixed: 3.7.15-3.7.16
2617005
CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25687: several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server that could result in denial of service, cache poisoning or the execution of arbitrary code
Vulnerable: <= 2.72-3+deb8u5; Fixed: 2.72-3+deb8u6
Affects: 3.7.14-3.7.14.2; Fixed: 3.7.15-3.7.16
2617002
CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact
Vulnerable: 6.8.9.9-5+deb8u22; Fixed: 6.8.9.9-5+deb8u23
Affects: 3.7.0-3.7.14.2; Fixed: 3.7.15-3.7.16
2595889
CM-31120
In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface.
Affects: 3.7.10-3.7.14.2, 4.0.0-4.2.1; Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2595816
CM-31222
Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at an invalid IP address.
Affects: 3.7.12-3.7.14.2, 4.0.0-4.2.1; Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2589747
CM-32226
If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a goodbye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal that it is going down (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers.
Affects: 3.7.12-3.7.14.2, 4.0.0-4.2.1 | Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2589570
The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:
CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity, which could cause a remote denial of service (DoS) when provided with malicious input.
Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2
Fixed: 2.0.1+dfsg-1.1+deb8u3
Affects: 3.7.0-3.7.14.2 | Fixed: 3.7.15-3.7.16
2589567
The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:
CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.
CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size.
Vulnerable: <= 2.6.1-2+deb8u5
Fixed: 2.6.1-2+deb8u6
Affects: 3.7.0-3.7.14.2 | Fixed: 3.7.15-3.7.16
2581473
When netq-agent is installed on the Dell N3048EP platform, switchd might crash if pluggables are installed in the SFP+ ports.
Affects: 3.7.13-3.7.15 | Fixed: 3.7.16
2574294
CVE-2021-3410: A buffer overflow issue in the caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context.
Vulnerable: <= 0.99.beta19-2+deb8u1
Fixed: 0.99.beta19-2+deb8u2
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2566880
CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code) for an attacker within radio range.
Affects: 3.7.14-3.7.14.2, 4.0.0-4.3.1 | Fixed: 3.7.15-3.7.16, 4.4.0-4.4.5
2562511
hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary RADIUS server is reachable but not responding to Access-Requests.
If the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers.
Affects: 3.7.10-3.7.14.2 | Fixed: 3.7.15-3.7.16
2562396
CVE-2020-27824: Global buffer overflow on irreversible conversion when too many decomposition levels are specified.
CVE-2020-27841: Crafted input to be processed by the openjpeg encoder could cause an out-of-bounds read.
CVE-2020-27845: Crafted input can cause out-of-bounds-read.
Vulnerable: <= 2.1.0-2+deb8u11
Fixed: 2.1.0-2+deb8u12
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2562301
CVE-2021-26937: encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.
Vulnerable: <= 4.2.1-3+deb8u1
Fixed: 4.2.1-3+deb8u2
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556815
CM-33419
When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP.
To work around this issue, disable ARP suppression.
Affects: 3.7.14-4.3.0 | Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2556782
CM-33398
CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1
Affects: 3.7.14-3.7.14.2, 4.0.0-4.3.1 | Fixed: 3.7.15-3.7.16, 4.4.0-4.4.5
2556780
CM-33397
CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.40+dfsg-1+deb8u9
Fixed: 2.4.40+dfsg-1+deb8u10
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556779
CM-33396
CVE-2020-8625: Buffer overflow attack in the bind9 DNS server caused by an issue in the GSSAPI (“Generic Security Services”) security policy negotiation.
Vulnerable: <= 9.9.5.dfsg-9+deb8u20
Fixed: 9.9.5.dfsg-9+deb8u21
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556763
CM-33385
In a configuration with both traditional and vlan-aware bridges, the VLAN membership check on a vlan-aware switch does not drop PVST BPDUs that come from a traditional bridge.
Affects: 3.7.14-4.3.0 | Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2556743
CM-33370
CVE-2019-20367: An issue has been found in libbsd, a library with utility functions from BSD systems. A non-NUL terminated symbol name in the string table might result in an out-of-bounds read.
Vulnerable: <= 0.7.0-2+deb8u1
Fixed: 0.7.0-2+deb8u2
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556742
CM-33369
The following vulnerabilities have been announced in the openssl package:
CVE-2021-23840: an issue where “Digital EnVeloPe” EVP-related calls could cause applications to behave incorrectly or even crash.
CVE-2021-23841: an issue in the X509 certificate parsing caused by the lack of error handling while ingesting the “issuer” field.
Vulnerable: <= 1.0.1t-1+deb8u13
Fixed: 1.0.1t-1+deb8u14
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556689
CM-33333
CVE-2020-15469 A MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
CVE-2020-15859 QEMU has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data’s address set to the e1000e’s MMIO address.
CVE-2020-25084 QEMU has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
CVE-2020-28916 hw/net/e1000e_core.c has an infinite loop via an RX descriptor with a NULL buffer address.
CVE-2020-29130 slirp.c has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
CVE-2020-29443 ide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds read access because a buffer index is not validated.
CVE-2021-20181 9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege escalation vulnerability.
CVE-2021-20221 aarch64: GIC: out-of-bound heap buffer access via an interrupt ID field.
Vulnerable: <= 2.1+dfsg-12+deb8u18
Fixed: 2.1+dfsg-12+deb8u19
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556612
CM-33311
CVE-2021-27135: xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence.
Vulnerable: 312-2
Fixed: 312-2+deb8u1
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556585
CM-33295
CVE-2021-26926: A heap buffer overflow vulnerability was discovered in JasPer, through jp2_dec.c in the jp2_decode() function.
CVE-2021-26927: A null pointer access was discovered in JasPer, through jp2_dec.c in the jp2_decode() function.
Vulnerable: <= 1.900.1-debian1-2.4+deb8u8
Fixed: 1.900.1-debian1-2.4+deb8u9
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556530
CM-33272
CVE-2020-0256: In LoadPartitionTable of gpt.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed.
CVE-2021-0308: In ReadLogicalParts of basicmbr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed.
Vulnerable: 0.8.10-2
Fixed: 0.8.10-2+deb8u1
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556525
CM-33270
CVE-2020-27351: Various memory and file descriptor leaks were discovered in the Python interface to the APT package management runtime library, which could result in denial of service.
Vulnerable: <= 0.9.3.13
Fixed: 0.9.3.14
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556504
CM-33260
CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230: Several vulnerabilities were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash, infinite loops) via specially crafted packets.
Vulnerable: <= 2.4.40+dfsg-1+deb8u8
Fixed: 2.4.40+dfsg-1+deb8u9
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556473
CM-33246
CVE-2021-3272: jp2_decode in jp2/jp2_dec.c in libjasper in JasPer has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components.
Vulnerable: <= 1.900.1-debian1-2.4+deb8u6
Fixed: 1.900.1-debian1-2.4+deb8u7
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556364
CM-33191
CVE-2020-35512: An issue has been found in dbus, a simple interprocess messaging system. On a system having multiple usernames sharing the same UID a use-after-free might happen, that could result in a denial of service or undefined behaviour, possibly including incorrect authorization decisions.
Vulnerable: <= 1.8.22-0+deb8u3
Fixed: 1.8.22-0+deb8u4
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556287
CM-33165
CVE-2021-3156: A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug.
Vulnerable: <= 1.8.10p4-cl3.7.14u1
Fixed: 1.8.10p4-cl3.7.15u1
Note: security scanners may not recognize 1.8.10p4-cl3.7.15u1 as fixed and therefore incorrectly list it as vulnerable.
Affects: 3.7.14 | Fixed: 3.7.14.2-3.7.16
2556233
CM-33129
Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message is observed when this condition occurs:
WARN xx routes reverted to non-ECMP due to NH table capacity
Affects: 3.7.9-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556218
CM-33117
The following vulnerability affects lldpd:
CVE-2020-27827: A packet that contains multiple instances of certain TLVs will cause lldpd to continually allocate memory and leak the old memory. As an example, multiple instances of system name TLV will cause old values to be dropped by the decoding routine.
Fixed: 1.0.4-0-cl4.3.0u2
Affects: 3.7.14-3.7.14.2, 4.0.0-4.2.1 | Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2556037
CM-33012
After you add an interface to the bridge, an OSPF session flap might occur.
Affects: 3.7.9-4.2.0 | Fixed: 4.2.1-4.4.5
2556031
CM-33008
Several security vulnerabilities were found in ImageMagick, a suite of image manipulation programs. An attacker could cause denial of service and execution of arbitrary code when a crafted image file is processed.
CVE-2020-19667 Stack-based buffer overflow and unconditional jump in ReadXPMImage in coders/xpm.c
CVE-2020-25665 The PALM image coder at coders/palm.c makes an improper call to AcquireQuantumMemory() in routine WritePALMImage() because it needs to be offset by 256. This can cause a out-of-bounds read later on in the routine. This could cause impact to reliability.
CVE-2020-25674 WriteOnePNGImage() from coders/png.c (the PNG coder) has a for loop with an improper exit condition that can allow an out-of-bounds READ via heap-buffer-overflow. This occurs because it is possible for the colormap to have less than 256 valid values but the loop condition will loop 256 times, attempting to pass invalid colormap data to the event logger.
CVE-2020-27560 ImageMagick allows Division by Zero in OptimizeLayerFrames in MagickCore/layer.c, which may cause a denial of service.
CVE-2020-27750 A flaw was found in MagickCore/colorspace-private.h and MagickCore/quantum.h. An attacker who submits a crafted file that is processed could trigger undefined behavior in the form of values outside the range of type unsigned char and math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.
CVE-2020-27760 In GammaImage() of /MagickCore/enhance.c, depending on the gamma value, it’s possible to trigger a divide-by-zero condition when a crafted input file is processed by ImageMagick. This could lead to an impact to application availability.
CVE-2020-27763 A flaw was found in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.
CVE-2020-27765 A flaw was found in MagickCore/segment.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.
CVE-2020-27773 A flaw was found in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char or division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.
CVE-2020-29599 ImageMagick mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.
Vulnerable: <= 6.8.9.9-5+deb8u21
Fixed: 6.8.9.9-5+deb8u22
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556030
CM-33007
The following vulnerability was announced in the apt packages:
CVE-2020-27350: Missing input validation in the ar/tar implementations of APT, the high level package manager, could cause out-of-bounds reads or infinite loops, resulting in denial of service when processing malformed deb files.
Vulnerable: <= 1.0.9.8.6
Fixed: 1.0.9.8.7
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556023
CM-33000
After upgrading Cumulus Linux with the apt-upgrade command, then rebooting an MLAG pair, if there are no bonds configured with a clag-id, the clagd service has difficulty peering, and holds all MLAG interfaces and VNIs in a proto down state.
To work around this issue, after upgrading both switches, restart the clagd service with the sudo systemctl restart clagd command on each MLAG pair.
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2556011
CM-32994
On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash.
Affects: 3.7.14, 4.0.0-4.2.1 | Fixed: 3.7.14.2-3.7.16, 4.3.0-4.4.5
2555908
CM-32940
If you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up.
To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command.
Affects: 3.7.12-4.0.1 | Fixed: 4.1.0-4.4.5
2555691
CM-32829
The NET-SNMP-EXTEND-MIB, disabled in Cumulus Linux 4.2.1 and 3.7.14 to prevent security vulnerability CVE-2020-15862, is re-enabled read-only.
Affects: 3.7.14-3.7.14.2, 4.2.1 | Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2555654
CM-32810
The following vulnerability has been announced in the libflac8 package:
CVE-2020-0499: In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a possible out-of-bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. However, user interaction is needed for exploitation.
Vulnerable: 1.3.0-3
Fixed: 1.3.0-3+deb8u1
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2555627
CM-32797
The following vulnerabilities have been announced in curl:
CVE-2020-8284: Vulnerability to malicious FTP server with PASV response with different IP address.
CVE-2020-8285: Wildcard matching is vulnerable to denial of service by running out of stack space.
Vulnerable: <= 7.38.0-4+deb8u18
Fixed: 7.38.0-4+deb8u19
Affects: 3.7.14 | Fixed: 3.7.14.2-3.7.16
2555553
CM-32757
It was discovered that the clean_html() function of lxml, a Python library for HTML and XML processing, performed insufficient sanitisation for embedded Javascript code. This might lead to cross-site scripting or possibly the execution of arbitrary code.
Vulnerable: <= 3.4.0-1+deb8u2
Fixed: 3.4.0-1+deb8u3
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2555528
CM-32750
In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer’s ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher.
Affects: 3.7.14-4.2.1 | Fixed: 4.3.0-4.4.5
2555507
CM-32734
CVE-2018-0734: A minor timing side channel attack was found in the OpenSSL DSA signature algorithm. The fix for that introduced a more severe regression that could also be exploited as a timing side channel attack. This update fixes both the original problem and the subsequent issue.
CVE-2020-1971: A flaw in the GENERAL_NAME_cmp() function could cause a NULL dereference, resulting in denial of service.
Vulnerable: <= 1.0.1t-1+deb8u12
Fixed: 1.0.1t-1+deb8u13
Affects: 3.7.14 | Fixed: 3.7.14.2-3.7.16
2555494
CM-32728
On Broadcom switches, when WARN level switchd log messages are generated, switchd might crash, resulting in a core file being generated on the system.
Affects: 3.7.14 | Fixed: 3.7.14.2-3.7.16, 4.3.0-4.4.5
2555435
CM-32689
CVE-2018-19139: Fix memory leaks by registering jpc_unk_destroyparms.
CVE-2020-27828: Avoid maxrlvls more than upper bound to cause heap-buffer-overflow.
CVE-2018-19543 and CVE-2017-9782: There is a heap-based buffer over-read of size 8 in the function jp2_decode in libjasper/jp2/jp2_dec.c.
Vulnerable: <= 1.900.1-debian1-2.4+deb8u6
Fixed: 1.900.1-debian1-2.4+deb8u7
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2555401
CM-32661
On the Edgecore AS7312 switch, eth0 and swp use the same MAC address.
Affects: 3.7.14-3.7.14.2, 4.0.0-4.2.1 | Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2555314
CM-32609
CVE-2020-25709, CVE-2020-25710: Vulnerabilities in the certificate list syntax verification and in the handling of CSN normalization were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.40+dfsg-1+deb8u7
Fixed: 2.4.40+dfsg-1+deb8u8
Affects: 3.7.14 | Fixed: 3.7.14.2-3.7.16
2555278
CM-32597
When you change the anycast address for the MLAG pair (clagd-vxlan-anycast-ip), high peak traffic occurs on the peer link interface of all MLAG switches.
Affects: 3.7.13-3.7.14.2 | Fixed: 3.7.15-3.7.16, 4.0.0-4.4.5
2555196
CM-32537
CVE-2018-19787, CVE-2020-27783: The clean_html() function of lxml, a Python library for HTML and XML processing, performed insufficient sanitisation for embedded Javascript code. This could lead to cross-site scripting or possibly the execution of arbitrary code.
Vulnerable: <= 3.4.0-1+deb8u1
Fixed: 3.4.0-1+deb8u2
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2555177
CM-32529
On Mellanox switches, the ASIC temperature sensor reading reports zeros. As a result, the fan speed is higher than normal.
You can see the temperature reading in the output of the sensors command.
Affects: 3.7.14 | Fixed: 3.7.14.2-3.7.16
2555147
CM-32515
Some issues have been found in qemu, a fast processor emulator.
CVE-2020-25085 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 CVE-2020-27617: All issues are related to assertion failures, out-of-bounds access failures or bad handling of return codes.
Vulnerable: <= 2.1+dfsg-12+deb8u17
Fixed: 2.1+dfsg-12+deb8u18
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2554991
CM-32420
When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes.
To work around this issue, either shut down one side of the MLAG bond or prune out VLANS over the bond.
Affects: 3.7.13-4.2.1 | Fixed: 4.3.0-4.4.5
2554804
CM-32291
On Mellanox SN2010 and SN2100 switches, the maximum fan speed is exceeded by fifteen percent.
Affects: 3.7.14-3.7.14.2 | Fixed: 3.7.15-3.7.16
2554785
CM-32275
After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:
Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:
Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed out
Nov 12 12:20:05.064464 leaf01 switchd[9867]:
Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memory
Nov 12 12:20:05.092029 leaf01 switchd[9867]:
Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initialized
Nov 12 12:20:05.099579 leaf01 switchd[9867]:
Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminated
Nov 12 12:20:05.099667 leaf01 switchd[9867]:
Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminated
Nov 12 12:20:05.099798 leaf01 switchd[9867]:
Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0
Nov 12 12:20:05.099892 leaf01 switchd[9867]:
Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!
To work around this issue, configure Cumulus Linux to boot with the intel_iommu=off kernel command line option:
1. Open the /etc/default/grub file with a text editor.
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"
3. Run the update-grub command.
4. Reboot the switch.
Affects: 3.7.11-4.2.1 | Fixed: 4.3.0-4.4.5
2554719
CM-32225
A slow memory leak is observed (1% per 14 hours) in kmalloc-256.
To work around this issue, reboot the switch.
Affects: 3.7.12-3.7.14.2 | Fixed: 3.7.15-3.7.16
2554709
CM-32217
The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected its primary IP address, the unnumbered interface does not update its primary IP address to the new use-source value until there is a netlink update for that interface.
To work around this issue, configure ip pim use-source on each unnumbered interface directly, or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM.
Affects: 3.7.13-3.7.16, 4.2.1-4.4.5
2554588
CM-32149
If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is running.
To work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:
DHCPD_PID="-pf {0}"
to:
DHCPD_PID="-pf {1}"
Affects: 3.7.13-4.2.1 | Fixed: 4.3.0-4.4.5
2554369
CM-32006
Certain Dell S4048-ON switches show an incorrect vendor name and hang when you issue the reboot command.
Affects: 3.7.12-4.2.1 | Fixed: 4.3.0-4.4.5
2553887
CM-31700
When using TACACS+ configured with a DEFAULT user that provides a privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del, and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server.
Affects: 3.7.7-3.7.16, 4.0.0-4.4.5
2553748
CM-31627
On switches with the Spectrum ASIC, the IPv6 default route might be present in the kernel but missing in hardware when IPv6 RAs are received on SVIs configured with ip-forward off.
Affects: 3.7.11-3.7.14.2, 4.2.1 | Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2553677
CM-31605
When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:
createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"
adding the following line to /snmp/snmpd.conf:
rwuser userSHAwithAES
touch: cannot touch '/snmp/snmpd.conf': No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation.
Affects: 3.7.13-3.7.16, 4.0.0-4.4.5
2553219
CM-31407
You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters.
Affects: 3.7.12-4.2.1 | Fixed: 4.3.0-4.4.5
2553116
CM-31357
When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2553050
CM-31322
SNMP status might incorrectly reflect that a BGP neighbor is down due to an issue between bgpd and SNMP AgentX when the IP-FORWARD-MIB is also polled.
To work around this issue, avoid polling IP-FORWARD-MIB objects.
Affects: 3.7.12-3.7.16
2553015
CM-31300
If the PortID of an LLDP neighbor contains a special character, the net show interface command does not display the LLDP information or the command might fail.
Affects: 3.7.10-3.7.16, 4.2.0-4.4.5
2552939
CM-31263
The RX_DRP counter on a bond interface increases without any data traffic, while the counter on the slave port does not increase.
Affects: 3.7.12-4.2.1 | Fixed: 4.3.0-4.4.5
2552869
CM-31231
On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command.
Affects: 3.7.13-4.2.1 | Fixed: 4.3.0-4.4.5
2552742
CM-31150
On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd.
Affects: 3.7.12-4.2.1 | Fixed: 4.3.0-4.4.5
2552739
CM-31148
Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor.
Affects: 3.7.2-3.7.16
2552610
CM-31057
The following vulnerability has been announced:
CVE-2019-11360: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.
Affects: 3.7.13-4.2.0 | Fixed: 4.2.1-4.4.5
2552294
CM-30879
NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2552266
CM-30863
OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files.
The two scenarios where an exploit may be useful to an attacker:
- The user is authorized to scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.
- An attacker plants a maliciously named file in a directory tree that someone later uses scp -r to copy over to the target computer.
Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server.
If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously-named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files.
To disable scp completely, run /bin/chmod 0 /usr/bin/scp.
Affects: 3.7.14-3.7.16, 4.0.0-4.4.5
2552214
CM-30832
The Mellanox SN2700 and SN2410 switches intermittently report PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages.
Affects: 3.7.11-3.7.14.2, 4.1.1-4.3.0 | Fixed: 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5
2551912
CM-30580
ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down.
Affects: 3.7.12-4.2.0 | Fixed: 4.2.1-4.4.5
2551578
CM-30422
When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, the ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2551565
CM-30414
If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected.
To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands.
Affects: 3.7.13-3.7.16, 4.2.0-4.4.5
2551554
CM-30408
Customers running security scans on Cumulus Linux 4 may encounter the listing of an incorrect version of u-boot 2014.10+dfsg1-4 with the following vulnerabilities: CVE-2017-3225, CVE-2017-3226, CVE-2018-18440, CVE-2019-11690, CVE-2019-13103, CVE-2019-14192, CVE-2019-14193, CVE-2019-14194, CVE-2019-14195, CVE-2019-14196, CVE-2019-14197, CVE-2019-14198, CVE-2019-14199, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203, CVE-2019-14204, CVE-2020-10648.
The u-boot-tools package is not installed on the switch by default, but is available in the repository for optional installation. On Cumulus Linux 4, the version is at least 2019.01+dfsg-7. However, the older versions available for optional installation on Cumulus Linux 3 may be vulnerable.
According to https://security-tracker.debian.org/tracker/source-package/u-boot, all except the following are fixed in 2019.01+dfsg-7:
CVE-2017-3225: https://security-tracker.debian.org/tracker/CVE-2017-3225 says "Negligible security impact"
CVE-2017-3226: https://security-tracker.debian.org/tracker/CVE-2017-3226 says "Negligible security impact"
CVE-2018-18440: https://security-tracker.debian.org/tracker/CVE-2018-18440 says "No security impact as supported/packaged in Debian"
Affects: 3.7.12-3.7.16 | Fixed: 4.0.0-4.4.5
2551305
CM-30296
The net show configuration command provides the wrong net add command for ACL under the VLAN interface.
Affects: 3.7.12-3.7.16, 4.1.0-4.4.5
2551288
CM-30286
When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.
To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file.
Affects: 3.7.7-3.7.16 | Fixed: 4.0.0-4.4.5
2550974
CM-30195
On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured.
Affects: 3.7.11-3.7.16, 4.1.1-4.4.5
2550942
CM-30178
NCLU tab completion for net show displays the text add help text instead of system Information for the system option.
3.7.11-4.2.0; fixed in 4.2.1-4.4.5
2550796
CM-30103
On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero.
To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs.
3.7.12-4.2.1; fixed in 4.3.0-4.4.5
2550793
CM-30101
The NCLU net show bridge spanning-tree command displays the aging timer incorrectly.
3.7.12-3.7.16, 4.0.0-4.4.5
2550600
CM-29978
The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged.
3.7.8-4.3.0; fixed in 4.3.1-4.4.5, 4.4.0-4.4.5
2550479
CM-29899
A VXLAN interface as the in-interface or out-interface in an ACL is not supported on Spectrum-based switches.
3.7.7-4.2.0; fixed in 4.2.1-4.4.5, 4.3.0-4.4.5
2550444
CM-29872
Tab completion for the net show rollback description command returns information about a snapshot instead of context help.
To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command.
3.7.12-3.7.16, 4.0.0-4.4.5
2550443
CM-29871
The net show rollback description command returns an error even if the string matches a commit description.
To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead.
3.7.12-3.7.16, 4.0.0-4.4.5
2550276
CM-29779
In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added.
All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent.
3.7.12-4.2.1; fixed in 4.3.0-4.4.5
2550243
CM-29759
When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.
To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service file. For example:

#Requires=nginx.service restserver.socket
3.7.12-3.7.16, 4.0.0-4.4.5
2550056
CM-29652
The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:

error: invalid signature.
Press any key to continue…
3.7.12-3.7.16, 4.1.1-4.4.5
2549925
CM-29594
When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:

error: swp1s1.2: netlink: cannot set link swp1s1.2 up: operation failed with ‘Network is down’ (100)
warning: cmd ‘/bin/ip addr del 10.0.0.1/24 dev eth0’ failed: returned 2 (RTNETLINK answers: Cannot assign requested address

To work around this issue, run the ifreload -a command a second time.
3.7.12-3.7.16, 4.0.0-4.4.5
2549872
CM-29562
If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error.
3.7.12-3.7.16, 4.1.1-4.4.5
2549838
CM-29546
In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel.
If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel.
To work around this issue, delete, then re-add the missing VNI. For example:

cumulus@switch:~$ sudo ifdown vni10100
cumulus@switch:~$ sudo ifup vni10100

If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI.
3.7.12-4.2.1; fixed in 4.3.0-4.4.5
2549782
CM-29519
The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbor state.
3.7.12-3.7.16, 4.0.0-4.4.5
2549731
CM-29492
When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:

[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1
3.7.12-3.7.16, 4.1.1-4.4.5
2549472
CM-29367
On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic.
3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2549371
CM-29309
When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when no MLD join is received.
3.7.11-4.3.1; fixed in 4.4.0-4.4.5
2549307
The following vulnerabilities affect git, which is available in the repository for optional installation:
CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.
3.7.12-4.1.1; fixed in 4.2.0-4.4.5
2549226
CM-29259
You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored.
3.7.12-3.7.14.2, 4.0.0-4.2.1; fixed in 3.7.15-3.7.16, 4.3.0-4.4.5
2548962
CM-29165
With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table.
3.7.12-4.1.1; fixed in 4.2.0-4.4.5
2548930
CM-29148
On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware.
3.7.11-4.2.1; fixed in 4.3.0-4.4.5
2548746
CM-29068
On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect.
3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2548657
CM-29035
When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages.
3.7.12-3.7.16, 4.0.0-4.4.5
2548490
CM-28944
A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.
To work around this issue, reenter the redistribute <connected|static> route-map statement in the configuration.
3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2548485
CM-28940
If you configure the aggregate-address summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:
Existing configuration:

router bgp 1
 address-family ipv4 unicast
  aggregate-address 50.0.0.0/8 summary-only
 exit-address-family

If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:

Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 50.0.0.0         0.0.0.0                         32768 i
s> 50.0.0.1/32      0.0.0.0                  0         32768 i

Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:

Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
s> 50.0.0.1/32      0.0.0.0                  0         32768 i

To work around this issue, remove, then re-add the component prefix routes.
3.7.12-4.2.1; fixed in 4.3.0-4.4.5
2548315
CM-28816
The following security advisory has been announced for bash:
CVE-2019-18276 Qualys scan QID 372268 setuid vulnerability
When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges.
To work around this issue, do not make bash or bash scripts setuid.
3.7.12-3.7.16, 4.0.0-4.4.5
2548243
CM-28754
On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules.
3.7.3-3.7.16, 4.0.0-4.4.5
2548155
CM-28685
The net show bgp neighbor swpX json command shows negative output for the bgpTimerUpMsec timer.
3.7.10-3.7.16, 4.0.0-4.4.5
2548117
CM-28659
In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX.
3.7.12-3.7.16, 4.0.0-4.4.5
2548044
CM-28608
When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor.
3.7.12-3.7.15, 4.0.0-4.4.5; fixed in 3.7.16
2548024
CM-28596
On the Dell Z9100 switch, 100G-SR4 modules might not link up reliably on certain ports.
swp1, 2, 3, 9, 10, 23, 24, 30, 31, and 32 might be affected.
To work around this issue, move 100G SR4 modules to one of the ports not affected by this issue.
3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2547942
CM-28533
On the Lenovo NE0152T switch, one power supply (PSU2) always shows as ABSENT in smonctl.
3.7.11-4.0.1; fixed in 4.1.0-4.4.5
2547878
The following vulnerability has been found in the libgcrypt20 cryptographic library.
CVE-2019-13627: an ECDSA timing attack.
For more information, see https://www.debian.org/lts/security/2020/dla-1931-2.en.html
Vulnerable: 1.6.3-2+deb8u7
Fixed: 1.6.3-2+deb8u8
3.7.11-3.7.16
2547876
The following vulnerability affects libxml2:
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c has a memory leak related to newDoc->oldNs. This can lead to a denial of service.
For more information, see https://www.debian.org/lts/security/2019/dla-2048.en.html .
Vulnerable: 2.9.1+dfsg1-5+deb8u7
Fixed: 2.9.1+dfsg1-5+deb8u8
3.7.11-3.7.16
2547874
The following vulnerability affects libbsd, a package containing utility functions from BSD systems.
CVE-2016-2090: In the function fgetwln(), an off-by-one error could trigger a heap buffer overflow.
For more information, see https://www.debian.org/lts/security/2019/dla-2052.en.html .
Vulnerable: 0.7.0-2
Fixed: 0.7.0-2+deb8u1
3.7.11-3.7.16
2547839
CM-28465
When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error.
3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2547782
CM-28441
If an LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns.
3.7.11-3.7.16, 4.0.0-4.4.5
2547706
CM-28397
When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch.
3.7.11-3.7.16, 4.0.0-4.4.5
2547659
CM-28372
On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise.
3.7.11-4.0.1; fixed in 4.1.0-4.4.5
2547573
CM-28322
On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU.
3.7.9-3.7.16
2547443
CM-28248
On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode.
3.7.11-4.0.1; fixed in 4.1.0-4.4.5
2547381
CM-28212
The hsflowd service sends an undefined header protocol 0 in the sampled flow sample to the collector, which is not recognized by the sFlow tool. You see errors similar to the following:

Dec 20 08:43:27 netflow-nms sfcapd[3991]: SFLOW: readFlowSample_header() undefined headerProtocol = 0

3.7.11-3.7.16, 4.0.0-4.4.5
2547349
CM-28193
When you change an interface IP address, then change it back, static routes are misprogrammed.
One of the following actions recovers the routes:
- Bounce both layer 3 interfaces
- Remove or add static routes in FRR
- Restart FRR
3.7.11-3.7.16, 4.0.0-4.4.5
2547123
CM-28078
On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect.
3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2547120
CM-28076
After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command.
3.7.11-3.7.16, 4.0.0-4.4.5
2547118
The following security vulnerabilities have been announced in the libtiff5 library on Cumulus Linux 4.0:
CVE-2019-14973, CVE-2019-17546: Multiple integer overflows have been discovered in the libtiff library and the included tools.
Vulnerable: 4.0.10-4
Fixed: 4.1.0+git191117-2~deb10u1
3.7.10-4.0.1; fixed in 4.1.0-4.4.5
2547100
CM-28061
On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic.
3.7.11-4.1.1; fixed in 4.2.0-4.4.5
2547068
CM-28046
Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly.
To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available, or manually disable CPU C-states in the kernel as outlined below.
To permanently disable C-states using a kernel boot parameter:
1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if the /etc/default/grub file contains the line GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off", change it to GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0".
2. Run sudo update-grub.
3. Reboot the system with sudo reboot.
To disable C-states in real time on the current system (this change does not persist through a reboot):
1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:
ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)
The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade; sudo apt install libpci3.
2. Disable C-states by running the command ./cpupower idle-set -d 2.
C-states are disabled by default in Cumulus Linux 4.3.0 and later.
3.7.9-4.2.1; fixed in 4.3.0-4.4.5
2546991
CM-28003
The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code.
3.7.11-3.7.16, 4.0.0-4.4.5
2546895
CM-27957
If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
systemd[1]: switchd.service watchdog timeout (limit 2min)!
To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd timeout for switchd.service.
To increase the systemd timeout:
1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
2. Restart the switchd service with the sudo systemctl restart switchd.service command.
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command.
3.7.11-3.7.16, 4.0.0-4.4.5
2546451
CM-27737
On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold.3.7.11-3.7.16
2546385
CM-27698
SNMP ifLastChange reports link transitions when there are none.3.7.6-3.7.16
2546225
CM-27627
When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.
 
sudo onie-install -fai http://
sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image.
3.7.11-3.7.16, 4.0.0-4.4.5
2546203
CM-27620
When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior:
* Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet.
* If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet.
3.7.11-3.7.16
2546131
CM-27581
On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present.
3.7.11-3.7.16, 4.0.0-4.4.5
2546010
CM-27530
When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist.
3.7.10-3.7.16
2545997
CM-27522
The NCLU command net show interface produces an error if bonds with no members exist.
To work around this issue, remove the empty bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a.
3.7.10-3.7.16
2545566
CM-27272
The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT.
3.7.12-4.0.1; fixed in 4.1.0-4.4.5
2545446
CM-27192
If you use NCLU commands to add a non-MLAG bond, then add an MLAG configuration, the net commit command fails. However, a subsequent net commit command succeeds.
3.7.10-3.7.16
2545125
CM-27018
If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address.
3.7.10-3.7.16, 4.0.0-4.4.5
2544978
CM-26921
If you delete an undefined bond, then add a bond slave, the net commit command fails.
3.7.9-3.7.16, 4.0.0-4.4.5
2544968
CM-26913
FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file.
3.7.9-3.7.16, 4.0.0-4.4.5
2544953
CM-26905
When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command.
3.7.10-3.7.16, 4.0.0-4.4.5
2544904
CM-26875
After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements.
To work around this issue, restart FRR after removing the IPv6 numbered configuration.
3.7.9-4.1.1; fixed in 4.2.0-4.4.5
2544829
CM-26829
Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump.
3.7.8-3.7.16
2544671
CM-26736
Package: sudo
CVE ID: CVE-2019-14287
Debian Bug: 942322
Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows running commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access.
Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html
We recommend that you upgrade your sudo packages. For the detailed security status of sudo, please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudo
Vulnerable versions: < 1.8.27-1+deb10u1
Fixed versions: >= 1.8.27-1+deb10u1
To work around this issue, disable (comment out) any sudoers entries in /etc/sudoers or files in /etc/sudoers.d that have entries with !root in them. Only root or other users with a UID of 0 are affected.
3.7.9-3.7.16, 4.0.0-4.4.5
2544556
CM-26655
If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options.
3.7.9-4.1.1; fixed in 4.2.0-4.4.5
2544463
CM-26599
Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G.
3.7.9-3.7.16, 4.0.0-4.4.5
2544456
CM-26595
The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds.
3.7.9-3.7.16, 4.0.0-4.4.5
2544311
CM-26516
Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host.
3.7.5-3.7.16, 4.0.0-4.4.5
2544235
CM-26463
The following CVEs affect the linux kernel package:
CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
For the detailed security status of linux, refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux
3.7.10-3.7.16
2544155
CM-26423
NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

3.7.5-3.7.16, 4.0.0-4.4.5
2544113
CM-26412
MAC learning is not disabled by default on a double-tagged peer link interface, resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file.
3.7.9-3.7.16, 4.0.0-4.4.5
2543900
CM-26288
On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address.
3.7.8-3.7.16, 4.0.0-4.4.5
2543841
CM-26256
The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
3.7.8-3.7.16, 4.0.0-4.4.5
2543840
CM-26255
On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file.

3.7.6-3.7.16
2543800
CM-26230
When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it, as it does not know where to forward the packet. The static VXLAN tunnel does work if local-tunnelip is a loopback or a physical layer 3 interface.
3.7.8-3.7.16, 4.0.0-4.4.5
2543647
CM-26137
ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
3.7.6-4.2.1; fixed in 4.3.0-4.4.5
2543646
CM-26136
In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case).
3.7.6-3.7.16, 4.0.0-4.4.5
2543627
CM-26126
Tomahawk 40G DACs cannot disable auto-negotiation.
3.7.7-3.7.16, 4.0.0-4.4.5
2543270
CM-25923
The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate.
3.7.8-4.1.1; fixed in 4.2.0-4.4.5
2543211
CM-25890
In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
3.7.0-3.7.16, 4.0.0-4.4.5
2543164
CM-25859
The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command.
3.7.7-3.7.16, 4.0.0-4.4.5
2543096
CM-25815
When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
3.7.6-3.7.16, 4.0.0-4.4.5
2543058
CM-25798
The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces.
3.7.7-3.7.16, 4.0.0-4.4.5
2543052
CM-25796
Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as “inactive” in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI.
3.7.5-3.7.16, 4.0.0-4.4.5
2543044
CM-25794
Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up.
3.7.2-3.7.16, 4.0.0-4.4.5
2542979
CM-25766
On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work.
3.7.7-4.1.1; fixed in 4.2.0-4.4.5
2542945
CM-25740
On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
3.7.6-3.7.16, 4.0.0-4.4.5
2542310
CM-25404
hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
3.7.6-3.7.16
2542305
CM-25400
If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
3.7.6-3.7.16, 4.0.0-4.4.5
2542301
CM-25397
When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
3.7.3-3.7.16, 4.0.0-4.4.5
2541212
CM-24894
The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded.
3.7.5-3.7.16, 4.0.0-4.4.5
2541165
CM-24878
On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false.
3.7.6-3.7.16
2541029
CM-24799
On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped.
This issue only affects QinQ configurations.
3.7.5-3.7.16, 4.0.0-4.4.5
2540950
CM-24751
On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status.
3.7.3-4.1.1; fixed in 4.2.0-4.4.5
2540885
CM-24703
The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports.
3.7.7-3.7.16
2540863
CM-24686
On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number.
3.7.3-3.7.16
2540753
CM-24618
If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
 
ERROR: No closing quotation
See /var/log/netd.log for more details.

3.7.5-3.7.16, 4.0.0-4.4.5
2540444
CM-24473
SNMP incorrectly requires engine ID specification.
3.7.4-3.7.16, 4.0.0-4.4.5
2540352
CM-24435
When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9
net add routing route-map Proxy-ARP permit 30 match interface swp10

3.7.2-3.7.16, 4.0.0-4.4.5
2540340
CM-24426
NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example:
 
cumulus@switch:~$ net add vrf mgmt


Tab completion for the net add vrf ip address command works correctly.
3.7.4-3.7.16, 4.0.0-4.4.5
2540274
CM-24379
On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route.
3.7.5-3.7.16, 4.0.0-4.4.5
2540204
CM-24350
When links come up after FRR is started, VRF connected routes do not get redistributed.
3.7.4-3.7.16, 4.0.0-4.4.5
2540192
CM-24343
The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value.
3.7.4-3.7.16, 4.0.0-4.4.5
2540155
CM-24332
On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
3.7.3-3.7.16, 4.0.0-4.4.5
2540042
CM-24272
When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface br0.100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# vrrp 1 advertisement-interval
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540041
CM-24271
On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU.
To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface vlan100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540040
CM-24270
Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface swp4
switch(config-if)# vrrp 1 version 2
switch(config-if)# no vrrp 1 preempt
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540031
CM-24262
NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist.
3.7.3-3.7.16, 4.0.0-4.4.5
2539994
CM-24241
When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
 
cumulus@switch:~$ net del bgp neighbor fabric peer-group
‘router bgp 65001’ configuration does not have ‘neighbor fabric peer-group’

3.7.2-3.7.16, 4.0.0-4.4.5
2539962
CM-24222
When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error.
3.7.0-3.7.16, 4.0.0-4.4.5
2539670
CM-24035
On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type.
3.7.2-3.7.16, 4.0.0-4.4.5
2539124
CM-23825
The net add interface ptm-enable command adds no ptm-enable for that interface in the frr.conf file.
Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh.
3.7.2-3.7.16, 4.0.0-4.4.5
2539081
CM-23792
When you delete post-up and pre-down IP peer entries from the /etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.
To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command.
Affects: 3.7.0-3.7.16; Fixed: 4.0.0-4.4.5
2538875
CM-23696
IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file.
3.7.2-3.7.16
2538790
CM-23665
NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan bridge access . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.
To restore connectivity, remove the VLAN ID from the bridge.
3.7.2-3.7.16, 4.0.0-4.4.5
2538590
CM-23584
When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain.
3.7.2-3.7.16, 4.0.0-4.4.5
2538562
CM-23570
On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G.
3.7.2-3.7.16, 4.0.0-4.4.5
2538302
CM-23422
portwd lets an I/O error change the detected module type. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.
3.7.0-3.7.16
2538294
CM-23417
If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid.
3.7.0-3.7.16, 4.0.0-4.4.5
2538256
CM-23397
On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
Affects: 3.7.2-4.0.1; Fixed: 4.1.0-4.4.5
2537820
CM-23123
When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
Affects: 3.7.2-3.7.16; Fixed: 4.0.0-4.4.5
2537699
CM-23075
There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces cause the dhcrelay service to exit without a core file, and logs similar to the following are generated for the interfaces:
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
3.7.1-3.7.16, 4.0.0-4.4.5
2537544
CM-23021
When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB.
3.7.1-3.7.16, 4.0.0-4.4.5
2537378
CM-22937
NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
3.7.1-3.7.16
2537188
CM-22849
When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
3.7.2-3.7.16
2537104
CM-22808
When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
Affects: 3.7.1-3.7.16; Fixed: 4.0.0-4.4.5
2537061
CM-22794
The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
Affects: 3.7.1-4.0.1; Fixed: 4.1.0-4.4.5
2536608
CM-22583
Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
3.7.0-3.7.16
2536384
CM-22386
The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does not differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptables redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
3.7.0-3.7.16, 4.0.0-4.4.5
2536179
CM-22228
On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working.
3.7.0-3.7.16, 4.0.0-4.4.5
2535986
CM-22041
At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart.
3.7.0-3.7.16, 4.0.0-4.4.5
2535965
CM-22020
On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic.
3.7.0-3.7.16, 4.0.0-4.4.5
2533691
CM-19788
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.
To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface.
3.7.12-3.7.16, 4.0.0-4.4.5
2532017
CM-18192
In FRR, bgp_snmp does not show all BGP peers when peer groups are used.
Affects: 3.7.11-4.0.1; Fixed: 4.1.0-4.4.5

Fixed Issues in 3.7.14

Issue ID, Description, Affects
2556019
CM-32997
After you add an interface to a bridge using the NCLU net add bridge bridge ports command, the bridge can go down and its MAC address changes.
To work around this issue, use Linux commands to add an interface to a bridge.
3.7.9-3.7.13
2554687
CM-32205
CVE-2020-28196: There is a denial of service vulnerability in the MIT Kerberos network authentication system, krb5. The lack of a limit in the “ASN.1” decoder could lead to infinite recursion and allow an attacker to overrun the stack and cause the process to crash.
Vulnerable: <= 1.12.1+dfsg-19+deb8u5
Fixed: 1.12.1+dfsg-19+deb8u6
3.7.13
2554454
CM-32057
The following vulnerability has been announced in the freetype / libfreetype6 packages:
CVE-2020-15999: heap-based buffer overflow vulnerability in the handling of embedded PNG bitmaps in FreeType. Opening malformed fonts may result in denial of service or the execution of arbitrary code.
Vulnerable: <= 2.5.2-3+deb8u4
Fixed: 2.5.2-3+deb8u5
3.7.13
2554332
CM-31981
In an EVPN active/active environment, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of the ARP messages might be dropped by the ARP policer of the MLAG peer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher.
2554232
CM-31929
VXLAN encapsulated traffic is not routed to the next hop because the destination VTEP IP address is mis-programmed on the switch, which decapsulates the traffic unexpectedly.
To work around this issue, restart switchd.
3.7.12-3.7.13
2553876
CM-31695
The following vulnerability has been announced in the ruby2.1 packages:
CVE-2020-25613: WEBrick (bundled along with ruby2.1) was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to “smuggle” a request.
Vulnerable: <= 2.1.5-2+deb8u10
Fixed: 2.1.5-2+deb8u11
3.7.13
2553847
CM-31674
The following vulnerabilities have been announced in the python3.4 packages:
CVE-2019-20907: Avoid infinite loop with crafted tar file by improving header validation.
CVE-2020-26116: Avoid injection of HTTP headers via the HTTP method without rejecting newline characters.
Vulnerable: <= 3.4.2-1+deb8u8
Fixed: 3.4.2-1+deb8u9
3.7.13
2553738
CM-31622
The following vulnerability has been announced in curl:
CVE-2020-8231: In rare circumstances, when using the multi API of curl in combination with CURLOPT_CONNECT_ONLY, the wrong connection might be used when transferring data later.
Vulnerable: <= 7.38.0-4+deb8u17
Fixed: 7.38.0-4+deb8u18
3.7.13
2553732
CM-31618
A ping via a dual-connected bond fails, and the audio stream is not routed or encapsulated through the layer 3 VNI.
3.7.12-3.7.13, 4.0.0-4.2.1
2553588
CM-31565
Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn’t exist.
To work around this issue, disable IGMP snooping on the switch.
3.7.12-3.7.13, 4.0.0-4.2.1
2553530
CM-31545
In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

3.7.10-3.7.13, 4.1.1-4.2.1
2553450
CM-31504
On the Dell N3248-PXE switch, when you insert two PSUs at different times, the newly inserted PSU is detected as OK but the fan and temp sensors are ABSENT.
To work around this issue, remove power to both PSUs at the same time, then reinsert power simultaneously.
3.7.12-3.7.13, 4.2.1
2553229
CM-31412
On the Dell N3248PXE switch, RJ45 fixed copper ports that auto-negotiate with a 100M or 10M neighbor incorrectly negotiate a half-duplex link that generates errors. Half duplex modes are not supported on this platform.
3.7.12-3.7.13, 4.2.1
2553190
CM-31390
The following vulnerabilities have been announced in libxml2:
CVE-2017-8872: Global buffer-overflow in the htmlParseTryOrFinish function.
CVE-2019-20388: A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service.
CVE-2020-24977: Out-of-bounds read restricted to xmllint --htmlout.
CVE-2020-7595: Infinite loop in xmlStringLenDecodeEntities can cause a denial of service.
Vulnerable: <= 2.9.1+dfsg1-5+deb8u8
Fixed: 2.9.1+dfsg1-5+deb8u9
3.7.13
2553151
CM-31378
The following security vulnerabilities have been announced in imagemagick:
CVE-2017-12806: A memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service.
CVE-2019-13308, CVE-2019-13391: Heap-based buffer overflow in MagickCore/fourier.c in ComplexImages may cause a denial-of-service or other unspecified results.
Vulnerable: <= 6.8.9.9-5+deb8u20
Fixed: 6.8.9.9-5+deb8u21
3.7.13
2553049
CM-31321
The following vulnerability has been announced in the libx11 libraries:
CVE-2020-14363: Integer overflow in the init_om function of libX11, the X11 client-side library, which could lead to a double free.
Vulnerable: <= 1.6.2-3+deb8u3
Fixed: 1.6.2-3+deb8u4
3.7.13
2553001
CM-31294
When the following conditions exist, clagd might fail to establish a TCP control session across the subinterface (such as peerlink.4094):
* clagd uses an IPv6 link-local address (LLA) to establish the TCP connection (the clagd-peer-ip linklocal command configures an IPv6 LLA connection)

* Subsequent VLAN changes are made to VLAN subinterfaces, or SVIs are added or removed

This issue occurs because the hardware stores one entry per VRF to represent the IPv6 LLA. The hardware entry for the LLA is removed when another interface is changed because the software interfaces are represented by a single entity in hardware. As a result, packets destined to the local IPv6 LLA address are received on the port but do not get forwarded to CPU for further processing.

To work around this issue, use IPv4 addresses under peerlink.4094 and configure clagd to peer on IPv4 addresses.
3.7.12-3.7.13
2552953
CM-31273
The following vulnerability has been announced in the bind9 packages:
CVE-2020-8622: Crafted responses to TSIG-signed requests could lead to an assertion failure, causing named, a Domain Name Server, to exit. This could be done by malicious server operators or guessing attackers.
Vulnerable: <= 9.9.5.dfsg-9+deb8u19
Fixed: 9.9.5.dfsg-9+deb8u20
3.7.13
2552952
CM-31272
The following vulnerability has been announced in the nss / libnss3 packages:
CVE-2020-12403: The ChaCha20 symmetric key cipher algorithm did not correctly enforce the tag length which may have led to an out-of-bounds read and a lack of confidentiality.
Vulnerable: <= 3.26-1+debu8u12
Fixed: 3.26-1+debu8u13
3.7.13
2552925
CM-31257
On the EdgeCore AS-6712-32X, AS5812-54X and AS5812-54T switch models, the temp sensors (DIMM temp sensor) show ABSENT. The amber diagnostic light on the front of the switch might also be turned on due to this issue.
These messages and the light are cosmetic issues only and do not otherwise impact the function of the switch.
3.7.12-3.7.13
2552881
CM-31238
IPv6 TCP or UDP connections (sourcing from an ephemeral port in the range 34048 to 35071) are not forwarded if the switch has more than one layer 2 VNI defined. The traffic might be locally switched on the bridge and dropped.
To work around this issue, disable ARP/ND suppression to remove the internal ACL rule that affects the ports.
3.7.13, 4.2.1
2552859
CM-31226
Mellanox switches with the Spectrum ASIC fail to read PSU Fan/Temp sensors and report them as Absent. The following messages are observed in syslog:

2020-08-21T07:17:39.068160+00:00 cumulus : /usr/sbin/smond : : PSU1Temp1(PSU1 Temp Sensor): state changed from UNKNOWN to ABSENT
2020-08-21T07:17:39.068911+00:00 cumulus : /usr/sbin/smond : : PSU2Temp1(PSU2 Temp Sensor): state changed from UNKNOWN to ABSENT
3.7.13
2552756
CM-31158
An issue has been found in python2.7, an interactive high-level object-oriented language.
CVE-2019-20907: Opening a crafted tar file could result in an infinite loop due to missing header validation.
Vulnerable: <= 2.7.9-2-ds1+deb8u5
Fixed: 2.7.9-2-ds1+deb8u6
3.7.13
2552647
CM-31086
When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding.
To work around this issue, bounce the bond or shutdown the new interface and use the remaining members over the bond.
3.7.10-3.7.13, 4.2.0
2552608
CM-31055
The following vulnerability has been announced:
CVE-2019-20892: net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request.
Fixed: 5.8.0-cl4.2.1u1, 5.8.0-cl3.7.14u1
3.7.13, 4.0.0-4.2.0
2552528
CM-31028
Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated.
3.7.7-3.7.13, 4.0.0-4.2.1
2552506
CM-31016
Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file.
3.7.11-3.7.13, 4.0.0-4.2.0
2552352
CM-30914
The following security vulnerabilities have been announced in the nss / libnss3 packages:
CVE-2020-6829: Side channel attack on ECDSA signature generation
CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function
CVE-2020-12401: ECDSA timing attack mitigation bypass
Vulnerable: <= 3.26-1+debu8u11
Fixed: 3.26-1+debu8u12
3.7.0-3.7.13
2552351
CM-30913
The following vulnerability has been announced in the libx11 packages:
CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method.
Vulnerable: <= 1.6.2-3+deb8u2
Fixed: 1.6.2-3+deb8u3
3.7.0-3.7.13
2552301
CM-30885
On a Mellanox switch with the Spectrum ASIC, you see LPC I2C driver errors similar to the following during boot:

Jul 30 23:49:41.651453 mlx-switch systemd[1]: Started udev Kernel Device Manager.
Jul 30 23:49:41.654978 mlx-switch systemd[1]: Starting LSB: Set preliminary keymap…
Jul 30 23:49:41.668214 mlx-switch kernel: LPCI2C ERR: Invalid flag 0x4 in msg 0
Jul 30 23:49:41.668265 mlx-switch kernel: LPCI2C ERR: Incorrect message

3.7.13
2552298
CM-30882
The following vulnerability has been announced in net-snmp:
CVE-2020-15862: A privilege escalation involving the NET-SNMP-EXTEND-MIB support (which is enabled by default at compile-time).
The fixed versions disable NET-SNMP-EXTEND-MIB support.

Vulnerable: <= 5.8.0-cl3u11, <= 5.8.0-cl4u4
Fixed: 5.8.0-cl3.7.14u3, 5.8.0-cl4.2.1u1
3.7.13, 4.0.0-4.2.0
2552250
CM-30858
A vulnerability was found in curl, a command line tool for transferring data with URL syntax. curl is installed by default on Cumulus Linux.
CVE-2020-8177: When using -J (--remote-header-name) and -i (--include) in the same command line, a malicious server could force curl to overwrite the contents of local files with incoming HTTP headers.
Vulnerable: <= 7.38.0-4+deb8u16
Fixed: 7.38.0-4+deb8u17
2552249
CM-30857
An issue has been found in luajit, a just in time compiler for Lua.

CVE-2020-15890: An out-of-bounds read could happen because __gc handler frame traversal is mishandled.

Vulnerable: 2.0.3+dfsg-3
Fixed: 2.0.3+dfsg-3+deb8u1
2552205
CM-30827
If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer’s SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.
To work around this issue, ifdown/ifup the SVI when a MAC address changes.
3.7.12-3.7.13, 4.0.0-4.2.0
2551748
CM-30514
In OVSDB high availability mode, deleting > 200 VLAN bindings might cause ovs-vtepd to crash. Limit the deletion to 200 or fewer VLAN bindings.
3.7.12-3.7.13, 4.0.0-4.2.1
2551731
CM-30504
When the OVSDB VTEP scale increases, the CPU utilization increases and eventually the switch (ptmd) fails to respond to the BFD, causing the BFD session to go down. As a result OVSDB cannot read the BFD socket status and outputs a warning in the ovs-vtepd debugs: PTM socket error: Bad file descriptor.
3.7.12-3.7.13, 4.0.0-4.2.0
2551728
CM-30503
In OVSDB high availability mode, if you create, then delete a binding, the FDB entry is not replaced and you see an error.
3.7.12-3.7.13, 4.0.0-4.2.0
2551714
CM-30498
There is a change to the default OVSDB bootstrapping process, where the script created now defaults to VLAN-aware bridge mode. If you want to use traditional bridge mode, you need to force it by editing the ovs-vtep-ctl script generated by the bootstrap process.
3.7.12-3.7.13, 4.0.0-4.2.0
2551693
CM-30486
A host migrated to an 802.1X MAB port within the same broadcast domain fails to have the correct FDB entry installed if a dynamic FDB entry for that MAC address exists from previous connectivity in the broadcast domain.
To work around this issue, manually delete the dynamic FDB entry that is associated with the uplink trunk port.
3.7.12-3.7.13, 4.1.1-4.2.0
2551675
CM-30479
When you restart clagd, the edge port setting on the peer link changes.
3.7.2-3.7.13, 4.0.0-4.2.0
2551651
CM-30464
The net show dot1x interface summary command output shows a MAC address with all zeros associated with a port.
3.7.12-3.7.13, 4.0.0-4.2.0
2550873
CM-30141
In an MLAG configuration with static VXLAN, static tunnels become unreachable.
3.7.13, 4.1.1-4.2.0
2550606
CM-29982
A VRRP role change over the EVPN network causes excessive BGP updates and connectivity issues to VIP for about one minute.
4.1.1-4.2.0
2550375
CM-29838
CPU utilization may increase when clag-managed bond interfaces are operationally/LACP down but the physical carrier remains up on the bond member switchports. This condition occurs when clag bond redirection is enabled and bond members remain up while the parent bond does not negotiate LACP.

This issue is resolved in Cumulus Linux 3.7.14.
3.7.9-3.7.13, 4.0.0-4.2.1
2550350
CM-29830
Unicast traffic from downlink hosts is flooded to multiple remote VTEPs, which might also cause high HwIfOutQDrops/TX_DRP on the uplink ports.
To work around this issue, restart switchd.
3.7.10-3.7.13, 4.0.0-4.1.1
2549794
CM-29525
The asic-monitor.service fails when you configure /etc/cumulus/datapath/monitor.conf with monitor.histogram_pg.collect.port_group_list = [all_packet_pg] and there is traffic passing through the buffer. When the service fails, you see the following traceback in journalctl:

asic-monitor[7389]: asic-monitor-module INFO: 2020-05-01 18:28:12.548734: Egress queue(s) greater than 500 bytes in monitor port group histogram_pg
asic-monitor[7389]: asic-monitor ERROR: ASIC monitor exception: sx_api_port_counter_tc_get failed: Parameter Error
asic-monitor[7389]: File “/usr/bin/asic-monitor”, line 139, in
asic-monitor[7389]: main(sys.argv[1:])
asic-monitor[7389]: File “/usr/bin/asic-monitor”, line 126, in main
asic-monitor[7389]: traceback.print_stack()
asic-monitor[7389]: Traceback (most recent call last):
asic-monitor[7389]: File “/usr/bin/asic-monitor”, line 117, in main
asic-monitor[7389]: monitor.run()
asic-monitor[7389]: File “/usr/lib/python2.7/dist-packages/cumulus/asic_monitor.py”, line 158, in run

3.7.11-3.7.13, 4.1.1-4.2.0
2548475
CM-28932
After you add a new VNI and a layer 3 SVI to a set of leafs, certain leafs might not be able to communicate on the layer 3 VNI.
To work around this issue, reboot the leaf switch or restart switchd.
3.7.6-3.7.13
2548152
CM-28682
On the Mellanox Spectrum switch in an EVPN symmetric configuration with MLAG, simultaneously shutting down the layer 3 interfaces that serve as uplinks to the VXLAN fabric might result in traffic loss of up to 15 seconds.
4.1.0-4.1.1
2547799
CM-28451
An error similar to the following shows in syslog for Mellanox switches:

2020-02-12T19:59:22.208012+08:00 leaf01 sx_sdk: RM_TABLE: No resources available to add 1 entries to KVD hash Table HW resource
2020-02-12T19:59:22.208124+08:00 leaf01 sx_sdk: PORT: __port_vport_fid_set err = (No More Resources)

To work around this issue, reboot the switch.
3.7.11-3.7.13, 4.0.0-4.0.1
2547784
CM-28442
PTM mis-detects incorrect hostnames of LLDP neighbors and does not fail them as expected. Instead they end up in an N/A cabling status.
3.7.11-3.7.13, 4.0.0-4.1.1
2547341
CM-28189
When host-resources and ucd-snmp-mib are polled, you see permission denied messages similar to the following:

Jan 30 19:22:53 switch123 snmpd[23172]: Cannot statfs /sys/kernel/debug/tracing: Permission denied
3.7.13, 4.0.0-4.1.1
2547246
CM-28136
If the MLAG switch pair has VLANs defined that are not used on MLAG bonds, these VLANs still synchronize MAC addresses across to the peer switch. This results in log messages that indicate a MAC address is installed while the VLAN is not defined; for example:

RTM_NEWNEIGH with unconfigured vlan XXXX on port peerlink
3.7.10-3.7.13, 4.0.0-4.1.1
2546577
CM-27814
A traditional bridge with QinQ and a VNI does not work for tagged traffic.
3.7.10-3.7.13, 4.0.0-4.0.1
2545934
CM-27489
Mellanox switches might experience higher CPU usage from the sx_sdk service or when BFD is in use.
To work around this issue, disable BFD to alleviate some of the CPU load.
3.7.13, 4.0.0-4.1.1
2545699
CM-27354
On the Celestica Pebble switch, if you use IPv6 routes with mask /65 to /127, the switchd log fills with errors.
3.7.10-3.7.13
2545537
CM-27254
On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces.
4.0.0-4.1.1
2545404
CM-27173
On the Trident3 switch, unicast ARP packets received on a VNI and forwarded to the CPU are not policed.
3.7.10-3.7.13, 4.0.0-4.0.1
2535707
CM-21769
On the Mellanox switch, GRE tunneling does not work if the tunnel source is configured on an SVI interface. If the tunnel source is configured on a physical switch port, then tunneling works as expected.
4.0.0-4.1.1
2534978
None
On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets.
4.0.0-4.2.1
2529322
CM-15601
On a Mellanox switch in an MLAG configuration, routed packets that arrive on one switch to be forwarded to a destination MAC across the peer link are dropped due to MLAG loop prevention. This affects both routed unicast and multicast packets.

To work around this issue, modify the routing design or policy such that routes do not have a next hop of an MLAG peer switch that traverses the MLAG peer link.

3.7.13 Release Notes

Open Issues in 3.7.13

Issue ID, Description, Affects, Fixed
3418046
None
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
Affects: 3.7.0-5.4.0; Fixed: 5.5.0-5.6.0
3376798
On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected.
3.7.0-3.7.16, 4.3.1-4.4.5
3330705
When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present.
Affects: 3.7.0-5.3.1; Fixed: 5.4.0-5.6.0
3327477
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password.
3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0
3216922
None
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-5.2.1; Fixed: 5.3.0-5.6.0
3216921
None
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
3.7.0-3.7.16, 4.3.0-4.4.5
3209699
None
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
3.7.0-4.3.0, 4.4.0-5.2.14.3.1, 5.3.0-5.6.0
3073668
On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap.3.7.12-3.7.16, 4.3.0-4.4.5
Issue ID: 3017190
Description: When you power cycle the switch, multiple interfaces come up in a PoE disabled state. To work around this issue, run the sudo poectl -a | grep disabled command to find ports with PoE disabled, then run the sudo poectl -e swp1-swp48 command to enable PoE on the affected ports.
Affects: 3.7.10-3.7.16

Issue ID: 2959454
Description: CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact.
  Vulnerable: <= 2.1.0-6+deb8u6; Fixed: 2.1.0-6+deb8u7
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2959444
Description: CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information.
  Vulnerable: <= 4.2-3+deb8u4; Fixed: 4.2-3+deb8u5
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2957684
Description: CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds errors were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality and application availability.
  Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3; Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2949602
Description: CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2949586
Description: CVE-2022-21699: ipython may execute untrusted files in the current working directory.
  Vulnerable: 2.3.0-2; Fixed: 2.3.0-2+deb8u1
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2949585
Description: CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog.
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2949584
Description: CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service.
  Vulnerable: <= 3.26-1+debu8u15; Fixed: 3.26-1+debu8u16
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2941560
Description: CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.
  Vulnerable: <= 9.26a~dfsg-0+deb8u7; Fixed: 9.26a~dfsg-0+deb8u
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16
Issue ID: 2934940 (CM-32683)
Description: When you change the SVI vlan-id value in the /etc/network/interfaces file, then run ifreload -a, the 802.1Q ID for the SVI in the kernel does not change. This operation is not supported in the kernel without recreating the SVI. To apply the change, run ifdown, then ifup for the SVI to recreate the interface.
Affects: 3.7.13-3.7.15, 4.2.1
Fixed in: 3.7.16, 4.3.0-4.4.5

Issue ID: 2934939
Description: When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage. To work around this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example:
  Before:
    address-family ipv4 unicast
      aggregate-address 10.10.0.0/16 summary-only
      redistribute connected
  After:
    ip route 10.10.0.0/16 Null0
    !
    address-family ipv4 unicast
      redistribute connected route-map DENY-COMPONENTS
      redistribute static
    exit-address-family
    ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
    !
    route-map DENY-COMPONENTS deny 10
      match ip address prefix-list NO-COMPONENTS
    !
    route-map DENY-COMPONENTS permit 20
  This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed.
Affects: 3.7.12-3.7.16
Issue ID: 2910862
Description: CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value "zzip_file_read" in the function "unzzip_cat_file".
  Vulnerable: <= 0.13.62-3+deb8u2; Fixed: 0.13.62-3+deb8u3
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2910861
Description: CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse. CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) on date parsing methods.
  Vulnerable: <= 2.1.5-2+deb8u12; Fixed: 2.1.5-2+deb8u13
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2885241
Description: CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code.
  Vulnerable: <= 3.26-1+debu8u13; Fixed: 3.26-1+debu8u14
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2885239
Description: CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.
  Vulnerable: 6.0.0+dfsg-6 on armel platform; Fixed: 6.0.0+dfsg-6+deb8u1
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2885238
Description: The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:
  CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data.
  CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response.
  CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash.
  Vulnerable: <= 5.43-2+deb9u2~deb8u3; Fixed: 5.43-2+deb9u2~deb8u4
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2866111
Description: CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2866096 (CM-33416)
Description: Under certain high scale conditions, various modules might experience timeouts during cl-support collection, which results in missing data in the cl-support file.
Affects: 3.7.12-3.7.15, 4.1.1-4.3.0
Fixed in: 3.7.16, 4.3.1-4.4.5, 5.0.0-5.6.0
Issue ID: 2866084
Description: When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del dev [dst|via] <interface|IP> command, then add "vxlan-learning": "off" in the /etc/network/ifupdown2/policy.d/vxlan.json file:
  $ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
    "vxlan": {
      "module_globals": { "vxlan-purge-remotes": "no" },
      "defaults": {
        "vxlan-ageing": "1800",
        "vxlan-port": "4789",      <==== This comma needs to be added at the end of this line
        "vxlan-learning": "off"    <= This line needs to be added
      }
    }
  }
  Reboot the affected switches.
Affects: 3.7.12-4.3.0
Fixed in: 4.3.1-4.4.5

Issue ID: 2862269
Description: CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client's queries when a connection is first established.
  Vulnerable: <= 9.4.26-0+deb8u4; Fixed: 9.4.26-0+deb8u5
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2855881
Description: A number of vulnerabilities were discovered in Redis, a popular key/value database:
  CVE-2021-32672: Random heap reading issue with Lua Debugger.
  CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value.
  CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections.
  CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow.
  Vulnerable: <= 2:2.8.17-1+deb8u8; Fixed: 2:2.8.17-1+deb8u9
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2855879
Description: The following vulnerabilities have been announced in the python3.4 package:
  CVE-2021-3426: Running 'pydoc -p' allows other local users to extract arbitrary files. The '/getfile?key=path' URL allows to read arbitrary file on the filesystem.
  CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexity and allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
  CVE-2021-3737: HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a '100 Continue' HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server.
  Vulnerable: <= 3.4.2-1+deb8u10; Fixed: 3.4.2-1+deb8u11
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16
Issue ID: 2850806
Description: CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts).
  Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22; Fixed: 1:9.9.5.dfsg-9+deb8u23
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2845540
Description: CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling.
  Vulnerable: <= 1.7.5-11+deb8u8; Fixed: 1.7.5-11+deb8u9
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2841003
Description: CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference.
  Vulnerable: <= 0.13-4~deb8u2; Fixed: 0.13-4~deb8u3
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2835994
Description: CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function.
  Vulnerable: <= 1.0.1t-1+deb8u15; Fixed: 1.0.1t-1+deb8u16
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2823255
Description: CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode).
  Vulnerable: <= 52.1-8+deb8u8; Fixed: 52.1-8+deb8u9
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2821981
Description: The following vulnerabilities have been announced in the ruby2.1 package:
  CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename.
  CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).
  CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
  Vulnerable: <= 2.1.5-2+deb8u11; Fixed: 2.1.5-2+deb8u12
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2820758
Description: The following vulnerabilities have been announced in curl:
  CVE-2021-22946: Crafted answers from a server might force clients to not use TLS on connections though TLS was required and expected.
  CVE-2021-22947: When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and such the client would handle them as being trusted. This could be used by a MITM-attacker to inject fake response data.
  Vulnerable: <= 7.38.0-4+deb8u21; Fixed: 7.38.0-4+deb8u22
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2815592
Description: In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence.
Affects: 3.7.12-4.3.0, 4.4.2-5.0.1
Fixed in: 4.3.1, 5.1.0-5.6.0
Issue ID: 2813826
Description: Two security issues were found in TIFF, a widely used format for storing image data, as follows:
  CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the "invertImage()" function in the component "tiffcrop".
  CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the 'in _TIFFmemcpy' function in the component 'tif_unix.c'.
  Vulnerable: <= 4.0.3-12.3+deb8u11; Fixed: 4.0.3-12.3+deb8u12
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2813823
Description: Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash.
  CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer.
  CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may.
  CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user.
  Vulnerable: <= 2.4.10-10+deb8u18; Fixed: 2.4.10-10+deb8u19
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2801262
Description: On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. To work around this issue, load the port configuration in a staggered manner (groups of five downlink ports).
Affects: 3.7.12-4.3.0, 4.4.2-4.4.5
Fixed in: 4.3.1, 5.0.0-5.6.0

Issue ID: 2801126
Description: CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures.
  Vulnerable: <= 2.7.1-5+deb8u2; Fixed: 2.7.1-5+deb8u3
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2801125
Description: OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let's Encrypt certificates, starting 2021-10-01.
  Vulnerable: <= 1.0.1t-1+deb8u14; Fixed: 1.0.1t-1+deb8u15
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2801124
Description: GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let's Encrypt certificates, starting 2021-10-01.
  Vulnerable: <= 3.3.30-0+deb8u1; Fixed: 3.3.30-0+deb8u2
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2799742 (CM-33032)
Description: On the Edgecore AS4610 switch, the historic CPU usage displayed in /run/sysmonitor/history sometimes shows as a negative value.
Affects: 3.7.12-3.7.15
Fixed in: 3.7.16, 4.3.1-4.4.5

Issue ID: 2798139
Description: CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions.
  Vulnerable: <= 9.4.26-0+deb8u3; Fixed: 9.4.26-0+deb8u4
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2794750 (CM-29043)
Description: When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering.
Affects: 3.7.12-3.7.15, 4.0.0-4.2.1
Fixed in: 3.7.16, 4.3.0-4.4.5
Issue ID: 2769687
Description: CVE-2021-22898: Information disclosure in connection to telnet servers was fixed in curl, a client-side URL transfer library.
  Vulnerable: <= 7.38.0-4+deb8u20; Fixed: 7.38.0-4+deb8u21
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2769633
Description: CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames.
  Vulnerable: <= 1.10.0-2+deb8u2; Fixed: 1.10.0-2+deb8u3
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2769632
Description: CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made.
  Vulnerable: <= 0.80.7-2+deb8u4; Fixed: 0.80.7-2+deb8u5
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2769631
Description: CVE-2021-38165: lynx has a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data.
  Vulnerable: <= 2.8.9dev1-2+deb8u1; Fixed: 2.8.9dev1-2+deb8u2
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2743132
Description: CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow execution of arbitrary code.
  Vulnerable: <= 1.0.25-9.1+deb8u5; Fixed: 1.0.25-9.1+deb8u6
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2736265
Description: After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes.
Affects: 3.7.12-3.7.15, 4.2.1-4.3.0
Fixed in: 3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5

Issue ID: 2736247
Description: CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.c.
  Vulnerable: <= 1.900.1-debian1-2.4+deb8u10; Fixed: 1.900.1-debian1-2.4+deb8u11
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2736245
Description: CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems.
  Vulnerable: <= 2.8.17-1+deb8u7; Fixed: 2.8.17-1+deb8u8
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2734107
Description: When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs.
Affects: 3.7.12-4.3.0, 4.4.0-4.4.1
Fixed in: 4.3.1, 4.4.2-4.4.5

Issue ID: 2728207
Description: CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5

Issue ID: 2728206
Description: CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5

Issue ID: 2728205
Description: CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-4.4.1
Fixed in: 4.4.2-4.4.5
Issue ID: 2726776
Description: CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour.
  Vulnerable: <= 2.4.10-10+deb8u17; Fixed: 2.4.10-10+deb8u18
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2716841
Description: CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository.
  Vulnerable: <= 1.5.6-5+deb8u1; Fixed: 1.5.6-5+deb8u2
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2705169
Description: CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.
  Vulnerable: <= 4.0.3-12.3+deb8u10; Fixed: 4.0.3-12.3+deb8u11
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2705168
Description: CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
  CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.
  Vulnerable: <= 5.43-2+deb9u2~deb8u2; Fixed: 5.43-2+deb9u2~deb8u3
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2702519
Description: CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt.
  Vulnerable: <= 1.6.3-2+deb8u8; Fixed: 1.6.2-2+dev8u9
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2700767
Description: Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration.
Affects: 3.7.12-3.7.15, 4.3.0-4.4.5
Fixed in: 3.7.16

Issue ID: 2699464
Description: In a VXLAN fabric with ToR switches configured in a MLAG pair, BUM traffic received on a VXLAN tunnel is decapsulated and forwarded on the peer link bond. The BUM traffic is then encapsulated by the peer switch and sent back to the fabric. The issue has been seen in environments where the following conditions exist at the same time:
  1) high VNI scale
  2) switchd is busy processing updates
  3) clagd is in a transition state, such as Up, then Down, then Up. For example, when clagd restarts, the switch reboots, and so on.
  The problem is seen on the switch that experiences the clagd state transition.
Affects: 3.7.12-3.7.15
Fixed in: 3.7.16
Issue ID: 2687332
Description: When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage. To work around this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example:
  Before:
    address-family ipv4 unicast
      aggregate-address 10.10.0.0/16 summary-only
      redistribute connected
  After:
    ip route 10.10.0.0/16 Null0
    !
    address-family ipv4 unicast
      redistribute connected route-map DENY-COMPONENTS
      redistribute static
    exit-address-family
    ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
    !
    route-map DENY-COMPONENTS deny 10
      match ip address prefix-list NO-COMPONENTS
    !
    route-map DENY-COMPONENTS permit 20
  This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed.
Affects: 3.7.12-4.2.1
Fixed in: 4.3.0-4.4.5

Issue ID: 2684452
Description: When a VTEP is rebooted, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel FDB and the correct VTEP IP will be present in the EVPN MAC VNI table. You can work around this issue with the following steps:
  1. Clear all corrupted MAC entries in the kernel FDB with the bridge fdb del dev [dst|via] <interface|IP> command.
  2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json:
     $ cat /etc/network/ifupdown2/policy.d/vxlan.json
     {
       "vxlan": {
         "module_globals": { "vxlan-purge-remotes": "no" },
         "defaults": {
           "vxlan-ageing": "1800",
           "vxlan-port": "4789",      <==== This comma needs to be added at the end of this line
           "vxlan-learning": "off"    <= This line needs to be added
         }
       }
     }
  3. Reboot the affected switch(es).
Affects: 3.7.12-3.7.16

Issue ID: 2684404
Description: CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module.
  Vulnerable: <= 1.6.2-5+deb8u8; Fixed: 1.6.2-5+deb8u9
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2679950
Description: CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
  Vulnerable: <= 4.3.1-6-cl3.7.14u1; Fixed: 4.3.1-6-cl3.7.16u1
Affects: 3.7.0-3.7.15, 4.0.0-4.3.1
Fixed in: 3.7.16, 4.4.0-4.4.5
Issue ID: 2677063
Description: CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion.
  Vulnerable: <= 2.9.1+dfsg1-5+deb8u10; Fixed: 2.9.1+dfsg1-5+deb8u11
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2677061
Description: CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code.
  Vulnerable: <= 1.6.2-5+deb8u7; Fixed: 1.6.2-5+deb8u8
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2677060
Description: CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
  Vulnerable: <= 2.7.9-2-ds1-1+deb8u6; Fixed: 2.7.9-2-ds1-1+deb8u7
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2668477
Description: CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions.
  Vulnerable: <= 1.6.2-3+deb8u4; Fixed: 1.6.2-3+deb8u5
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2660693
Description: CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request.
  Vulnerable: 7.38.0-4+deb8u19; Fixed: 7.38.0-4+deb8u20
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2660582
Description: In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure). To recover, restart the clagd service with sudo systemctl restart clagd.service.
Affects: 3.7.8-3.7.15
Fixed in: 3.7.16

Issue ID: 2658233
Description: The following vulnerabilities have been announced in the graphviz package:
  CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (application crash) via a crafted file.
  CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file.
  Vulnerable: 2.38.0-7; Fixed: 2.38.0-7+deb8u1
Affects: 3.7.0-3.7.15
Fixed in: 3.7.16

Issue ID: 2656291
Description: The following CVEs affect the linux kernel package: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the detailed security status of linux, refer to its security tracker page at https://security-tracker.debian.org/tracker/linux
Affects: 3.7.12-3.7.16
Fixed in: 4.0.0-4.4.5
2654684
CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files
Vulnerable: <= 2.9.1+dfsg1-5+deb8u9Fixed: 2.9.1+dfsg1-5+deb8u10
3.7.0-3.7.153.7.16
2653521
CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code
Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1
3.7.0-3.7.153.7.16
2653400
None
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.3.7.10-3.7.16
2652003
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.3.7.10-4.3.04.3.1-4.4.5
2646974
The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service
CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query
CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries
Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22
3.7.0-3.7.153.7.16
2646968
CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service
Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24
3.7.0-3.7.153.7.16
2645846
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.3.7.10-3.7.153.7.16, 4.3.1-4.4.5
2638137
When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file.3.7.13-3.7.16
2635951
The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1
Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened
Vulnerable: <= 1.4.4-2+deb8u2
Fixed: 1.4.4-2+deb8u3
Affects: 3.7.0-3.7.14.2
Fixed in: 3.7.15-3.7.16
2633245
On the Dell N3048EP-ON switch, the SFP+ ports remain down after a power cycle.
Affects: 3.7.10-3.7.16
2617009
CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code
Vulnerable: 1.7.0~dfsg-1
Fixed: 1.7.0~dfsg-1+deb8u1
Affects: 3.7.0-3.7.14.2
Fixed in: 3.7.15-3.7.16
2617008
CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data
Vulnerable: <= 1.22.0-9+deb8u4
Fixed: 1.22.0-9+deb8u5
Affects: 3.7.0-3.7.14.2
Fixed in: 3.7.15-3.7.16
2617007
CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to JPEG 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by the CDEF box could be exploited
Vulnerable: <= 1.900.1-debian1-2.4+deb8u9
Fixed: 1.900.1-debian1-2.4+deb8u10
Affects: 3.7.0-3.7.14.2
Fixed in: 3.7.15-3.7.16
2617006
CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute
Vulnerable: <= 3.4.0-1+deb8u3
Fixed: 3.4.0-1+deb8u4
Affects: 3.7.0-3.7.14.2
Fixed in: 3.7.15-3.7.16
2617002
CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in ImageMagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact
Vulnerable: 6.8.9.9-5+deb8u22
Fixed: 6.8.9.9-5+deb8u23
Affects: 3.7.0-3.7.14.2
Fixed in: 3.7.15-3.7.16
2595889
CM-31120
In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface.
Affects: 3.7.10-3.7.14.2, 4.0.0-4.2.1
Fixed in: 3.7.15-3.7.16, 4.3.0-4.4.5
2595816
CM-31222
Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at an invalid IP address.
Affects: 3.7.12-3.7.14.2, 4.0.0-4.2.1
Fixed in: 3.7.15-3.7.16, 4.3.0-4.4.5
2589747
CM-32226
If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a goodbye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal that it is going down (for example, after a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers.
Affects: 3.7.12-3.7.14.2, 4.0.0-4.2.1
Fixed in: 3.7.15-3.7.16, 4.3.0-4.4.5
2589570
The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:
CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input
Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2
Fixed: 2.0.1+dfsg-1.1+deb8u3
Affects: 3.7.0-3.7.14.2
Fixed in: 3.7.15-3.7.16
2589567
The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:
CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations
CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size
Vulnerable: <= 2.6.1-2+deb8u5
Fixed: 2.6.1-2+deb8u6
Affects: 3.7.0-3.7.14.2
Fixed in: 3.7.15-3.7.16
2581473
When netq-agent is installed on the Dell N3048EP platform, switchd might crash if pluggables are installed in the SFP+ ports.
Affects: 3.7.13-3.7.15
Fixed in: 3.7.16
2562511
hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary RADIUS server is reachable but not responding to Access-Requests.
If the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers.
Affects: 3.7.10-3.7.14.2
Fixed in: 3.7.15-3.7.16
2556233
CM-33129
Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message appears when this condition occurs:
WARN xx routes reverted to non-ECMP due to NH table capacity
Affects: 3.7.9-3.7.14.2
Fixed in: 3.7.15-3.7.16
2556037
CM-33012
After you add an interface to the bridge, an OSPF session flap might occur.
Affects: 3.7.9-4.2.0
Fixed in: 4.2.1-4.4.5
2556019
CM-32997
After you add an interface to a bridge using the NCLU net add bridge bridge ports command, the bridge can go down and its MAC address changes.
To work around this issue, use Linux commands to add an interface to a bridge.
Affects: 3.7.9-3.7.13
Fixed in: 3.7.14-3.7.16
2555908
CM-32940
If you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up.
To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command.
Affects: 3.7.12-4.0.1
Fixed in: 4.1.0-4.4.5
2555278
CM-32597
When you change the anycast address for the MLAG pair (clagd-vxlan-anycast-ip), high peak traffic occurs on the peer link interface of all MLAG switches.
Affects: 3.7.13-3.7.14.2
Fixed in: 3.7.15-3.7.16, 4.0.0-4.4.5
2554991
CM-32420
When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes.
To work around this issue, either shut down one side of the MLAG bond or prune out VLANs over the bond.
Affects: 3.7.13-4.2.1
Fixed in: 4.3.0-4.4.5
2554785
CM-32275
After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:

Nov 12 12:20:05.063876 leaf01 switchd[9867]:
Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:
Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed out
Nov 12 12:20:05.064464 leaf01 switchd[9867]:
Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memory
Nov 12 12:20:05.092029 leaf01 switchd[9867]:
Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initialized
Nov 12 12:20:05.099579 leaf01 switchd[9867]:
Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminated
Nov 12 12:20:05.099667 leaf01 switchd[9867]:
Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminated
Nov 12 12:20:05.099798 leaf01 switchd[9867]:
Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0
Nov 12 12:20:05.099892 leaf01 switchd[9867]:
Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!

To work around this issue, configure Cumulus Linux to boot with the intel_iommu=off kernel command line option:
1. Open the /etc/default/grub file with a text editor.
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"
3. Run the update-grub command.
4. Reboot the switch.
Affects: 3.7.11-4.2.1
Fixed in: 4.3.0-4.4.5
2554719
CM-32225
A slow memory leak is observed (1% per 14 hours) in kmalloc-256.
To work around this issue, reboot the switch.
Affects: 3.7.12-3.7.14.2
Fixed in: 3.7.15-3.7.16
2554709
CM-32217
The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected its primary IP address, the unnumbered interface does not update its primary IP address to the new use-source value until there is a netlink update for that interface.
To work around this issue, configure ip pim use-source on each unnumbered interface directly, or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM.
Affects: 3.7.13-3.7.16, 4.2.1-4.4.5
2554687
CM-32205
CVE-2020-28196: There is a denial of service vulnerability in the MIT Kerberos network authentication system, krb5. The lack of a limit in the “ASN.1” decoder could lead to infinite recursion and allow an attacker to overrun the stack and cause the process to crash.
Vulnerable: <= 1.12.1+dfsg-19+deb8u5
Fixed: 1.12.1+dfsg-19+deb8u6
Affects: 3.7.13
Fixed in: 3.7.14-3.7.16
2554588
CM-32149
If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is running.
To work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:
DHCPD_PID="-pf {0}"
to:
DHCPD_PID="-pf {1}"
Affects: 3.7.13-4.2.1
Fixed in: 4.3.0-4.4.5
2554454
CM-32057
The following vulnerability has been announced in the freetype / libfreetype6 packages:
CVE-2020-15999: heap-based buffer overflow vulnerability in the handling of embedded PNG bitmaps in FreeType. Opening malformed fonts may result in denial of service or the execution of arbitrary code.
Vulnerable: <= 2.5.2-3+deb8u4
Fixed: 2.5.2-3+deb8u5
Affects: 3.7.13
Fixed in: 3.7.14-3.7.16
2554369
CM-32006
Certain Dell S4048-ON switches show an incorrect vendor name and hang when you issue the reboot command.
Affects: 3.7.12-4.2.1
Fixed in: 4.3.0-4.4.5
2554232
CM-31929
VXLAN encapsulated traffic is not routed to the next hop because the destination VTEP IP address is mis-programmed on the switch, which decapsulates the traffic unexpectedly.
To work around this issue, restart switchd.
Affects: 3.7.12-3.7.13
Fixed in: 3.7.14-3.7.16
2553887
CM-31700
When using TACACS+ configured with a DEFAULT user that provides a privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del, and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server.
Affects: 3.7.7-3.7.16, 4.0.0-4.4.5
2553876
CM-31695
The following vulnerability has been announced in the ruby2.1 packages:
CVE-2020-25613: WEBrick (bundled along with ruby2.1) was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to “smuggle” a request.
Vulnerable: <= 2.1.5-2+deb8u10
Fixed: 2.1.5-2+deb8u11
Affects: 3.7.13
Fixed in: 3.7.14-3.7.16
2553847
CM-31674
The following vulnerabilities have been announced in the python3.4 packages:
CVE-2019-20907: Avoid infinite loop with crafted tar file by improving header validation.
CVE-2020-26116: Avoid injection of HTTP headers via the HTTP method without rejecting newline characters.
Vulnerable: <= 3.4.2-1+deb8u8
Fixed: 3.4.2-1+deb8u9
Affects: 3.7.13
Fixed in: 3.7.14-3.7.16
2553748
CM-31627
On switches with the Spectrum ASIC, the IPv6 default route might be present in the kernel but missing in hardware when IPv6 RAs are received on SVIs configured with ip-forward off.
Affects: 3.7.11-3.7.14.2, 4.2.1
Fixed in: 3.7.15-3.7.16, 4.3.0-4.4.5
2553738
CM-31622
The following vulnerability has been announced in curl:
CVE-2020-8231: In rare circumstances, when using the multi API of curl in combination with CURLOPT_CONNECT_ONLY, the wrong connection might be used when transferring data later.
Vulnerable: <= 7.38.0-4+deb8u17
Fixed: 7.38.0-4+deb8u18
Affects: 3.7.13
Fixed in: 3.7.14-3.7.16
2553732
CM-31618
A ping via a dual-connected bond fails, and the audio stream is not routed or encapsulated through the layer 3 VNI.
Affects: 3.7.12-3.7.13, 4.0.0-4.2.1
Fixed in: 3.7.14-3.7.16, 4.3.0-4.4.5
2553677
CM-31605
When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:
createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"
adding the following line to /snmp/snmpd.conf:
rwuser userSHAwithAES
touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation.
Affects: 3.7.13-3.7.16, 4.0.0-4.4.5
2553588
CM-31565
Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn’t exist.
To work around this issue, disable IGMP snooping on the switch.
Affects: 3.7.12-3.7.13, 4.0.0-4.2.1
Fixed in: 3.7.14-3.7.16, 4.3.0-4.4.5
2553530
CM-31545
In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.
Affects: 3.7.10-3.7.13, 4.1.1-4.2.1
Fixed in: 3.7.14-3.7.16, 4.3.0-4.4.5
2553450
CM-31504
On the Dell N3248-PXE switch, when you insert two PSUs at different times, the newly inserted PSU is detected as OK but the fan and temp sensors are ABSENT.
To work around this issue, remove power to both PSUs at the same time, then reinsert power simultaneously.
Affects: 3.7.12-3.7.13, 4.2.1
Fixed in: 3.7.14-3.7.16, 4.3.0-4.4.5
2553229
CM-31412
On the Dell N3248PXE switch, RJ45 fixed copper ports that auto-negotiate with a 100M or 10M neighbor incorrectly negotiate a half-duplex link that generates errors. Half duplex modes are not supported on this platform.
Affects: 3.7.12-3.7.13, 4.2.1
Fixed in: 3.7.14-3.7.16, 4.3.0-4.4.5
2553219
CM-31407
You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters.
Affects: 3.7.12-4.2.1
Fixed in: 4.3.0-4.4.5
2553190
CM-31390
The following vulnerabilities have been announced in libxml2:
CVE-2017-8872: Global buffer-overflow in the htmlParseTryOrFinish function.
CVE-2019-20388: A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service.
CVE-2020-24977: Out-of-bounds read restricted to xmllint --htmlout.
CVE-2020-7595: Infinite loop in xmlStringLenDecodeEntities can cause a denial of service.
Vulnerable: <= 2.9.1+dfsg1-5+deb8u8
Fixed: 2.9.1+dfsg1-5+deb8u9
Affects: 3.7.13
Fixed in: 3.7.14-3.7.16
2553151
CM-31378
The following security vulnerabilities have been announced in imagemagick:
CVE-2017-12806: A memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service
CVE-2019-13308, CVE-2019-13391: Heap-based buffer overflow in MagickCore/fourier.c in ComplexImages may cause a denial-of-service or other unspecified results
Vulnerable: <= 6.8.9.9-5+deb8u20
Fixed: 6.8.9.9-5+deb8u21
Affects: 3.7.13
Fixed in: 3.7.14-3.7.16
2553116
CM-31357
When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2553050
CM-31322
SNMP status might incorrectly reflect that a BGP neighbor is down due to an issue between bgpd and SNMP AgentX when the IP-FORWARD-MIB is also polled.
To work around this issue, avoid polling IP-FORWARD-MIB objects.
Affects: 3.7.12-3.7.16
2553049
CM-31321
The following vulnerability has been announced in the libx11 libraries:
CVE-2020-14363: Integer overflow in the init_om function of libX11, the X11 client-side library, which could lead to a double free.
Vulnerable: <= 1.6.2-3+deb8u3
Fixed: 1.6.2-3+deb8u4
Affects: 3.7.13
Fixed in: 3.7.14-3.7.16
2553015
CM-31300
If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail.
Affects: 3.7.10-3.7.16, 4.2.0-4.4.5
2553001
CM-31294
When the following conditions exist, clagd might fail to establish a TCP control session across the subinterface (such as peerlink.4094):
* clagd uses an IPv6 link-local address (LLA) to establish the TCP connection (the clagd-peer-ip linklocal command configures an IPv6 LLA connection)
* Subsequent VLAN changes are made to VLAN sub-interfaces, or SVIs are added or removed

This issue occurs because the hardware stores one entry per VRF to represent the IPv6 LLA. The hardware entry for the LLA is removed when another interface is changed because the software interfaces are represented by a single entity in hardware. As a result, packets destined to the local IPv6 LLA address are received on the port but do not get forwarded to the CPU for further processing.

To work around this issue, use IPv4 addresses under peerlink.4094 and configure clagd to peer on IPv4 addresses.
Affects: 3.7.12-3.7.13
Fixed in: 3.7.14-3.7.16, 4.2.0-4.4.5
2552953
CM-31273
The following vulnerability has been announced in the bind9 packages:
CVE-2020-8622: Crafted responses to TSIG-signed requests could lead to an assertion failure, causing named, a Domain Name Server, to exit. This could be done by malicious server operators or guessing attackers.
Vulnerable: <= 9.9.5.dfsg-9+deb8u19
Fixed: 9.9.5.dfsg-9+deb8u20
Affects: 3.7.13
Fixed in: 3.7.14-3.7.16
2552952
CM-31272
The following vulnerability has been announced in the nss / libnss3 packages:
CVE-2020-12403: The ChaCha20 symmetric key cipher algorithm did not correctly enforce the tag length which may have led to an out-of-bounds read and a lack of confidentiality.
Vulnerable: <= 3.26-1+debu8u12
Fixed: 3.26-1+debu8u13
Affects: 3.7.13
Fixed in: 3.7.14-3.7.16
2552939
CM-31263
RX_DRP on a bond interface increases without any data traffic, while the counter on the slave port does not increase.
Affects: 3.7.12-4.2.1
Fixed in: 4.3.0-4.4.5
2552925
CM-31257
On the EdgeCore AS-6712-32X, AS5812-54X and AS5812-54T switch models, the temp sensors (DIMM temp sensor) show ABSENT. The amber diagnostic light on the front of the switch might also be turned on due to this issue.
These messages and the light are cosmetic issues only and do not otherwise impact the function of the switch.
Affects: 3.7.12-3.7.13
Fixed in: 3.7.14-3.7.16
2552881
CM-31238
IPv6 TCP or UDP connections (sourcing from an ephemeral port in the range 34048 to 35071) are not forwarded if the switch has more than one layer 2 VNI defined. The traffic might be locally switched on the bridge and dropped.
To work around this issue, disable ARP/ND suppression to remove the internal ACL rule that affects the ports.
Affects: 3.7.13, 4.2.1
Fixed in: 3.7.14-3.7.16, 4.3.0-4.4.5
2552869
CM-31231
On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command.
Affects: 3.7.13-4.2.1
Fixed in: 4.3.0-4.4.5
2552859
CM-31226
Mellanox switches with the Spectrum ASIC fail to read PSU Fan/Temp sensors and report them as Absent. The following messages are observed in syslog:

2020-08-21T07:17:39.068160+00:00 cumulus : /usr/sbin/smond : : PSU1Temp1(PSU1 Temp Sensor): state changed from UNKNOWN to ABSENT
2020-08-21T07:17:39.068911+00:00 cumulus : /usr/sbin/smond : : PSU2Temp1(PSU2 Temp Sensor): state changed from UNKNOWN to ABSENT
Affects: 3.7.13-3.7.16
2552756
CM-31158
An issue has been found in python2.7, an interactive high-level object-oriented language.
CVE-2019-20907: Opening a crafted tar file could result in an infinite loop due to missing header validation.
Vulnerable: <= 2.7.9-2-ds1+deb8u5
Fixed: 2.7.9-2-ds1+deb8u6
Affects: 3.7.13
Fixed in: 3.7.14-3.7.16
2552742
CM-31150
On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd.
Affects: 3.7.12-4.2.1
Fixed in: 4.3.0-4.4.5
2552739
CM-31148
Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor.
Affects: 3.7.2-3.7.16
2552647
CM-31086
When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding.
To work around this issue, bounce the bond, or shut down the new interface and use the remaining members over the bond.
Affects: 3.7.10-3.7.13, 4.2.0
Fixed in: 3.7.14-3.7.16, 4.2.1-4.4.5
2552610
CM-31057
The following vulnerability has been announced:
CVE-2019-11360: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.
Affects: 3.7.13-4.2.0
Fixed in: 4.2.1-4.4.5
2552608
CM-31055
The following vulnerability has been announced:
CVE-2019-20892: net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request.
Fixed: 5.8.0-cl4.2.1u1, 5.8.0-cl3.7.14u1
Affects: 3.7.13, 4.0.0-4.2.0
Fixed in: 3.7.14-3.7.16, 4.2.1-4.4.5
2552528
CM-31028
Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated.
Affects: 3.7.7-3.7.13, 4.0.0-4.2.1
Fixed in: 3.7.14-3.7.16, 4.3.0-4.4.5
2552506
CM-31016
Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file.
Affects: 3.7.11-3.7.13, 4.0.0-4.2.0
Fixed in: 3.7.14-3.7.16, 4.2.1-4.4.5
2552352
CM-30914
The following security vulnerabilities have been announced in the nss / libnss3 packages:
CVE-2020-6829: Side channel attack on ECDSA signature generation
CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function
CVE-2020-12401: ECDSA timing attack mitigation bypass
Vulnerable: <= 3.26-1+debu8u11
Fixed: 3.26-1+debu8u12
Affects: 3.7.0-3.7.13
Fixed in: 3.7.14-3.7.16
2552351
CM-30913
The following vulnerability has been announced in the libx11 packages:
CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method.
Vulnerable: <= 1.6.2-3+deb8u2
Fixed: 1.6.2-3+deb8u3
Affects: 3.7.0-3.7.13
Fixed in: 3.7.14-3.7.16
2552301
CM-30885
On a Mellanox switch with the Spectrum ASIC, you see LPC I2C driver errors similar to the following during boot:

Jul 30 23:49:41.651453 mlx-switch systemd[1]: Started udev Kernel Device Manager.
Jul 30 23:49:41.654978 mlx-switch systemd[1]: Starting LSB: Set preliminary keymap…
Jul 30 23:49:41.668214 mlx-switch kernel: LPCI2C ERR: Invalid flag 0x4 in msg 0
Jul 30 23:49:41.668265 mlx-switch kernel: LPCI2C ERR: Incorrect message

Affects: 3.7.13-3.7.16
2552298
CM-30882
The following vulnerability has been announced in net-snmp:
CVE-2020-15862: A privilege escalation involving the NET-SNMP-EXTEND-MIB support (which is enabled by default at compile-time).
The fixed versions disable NET-SNMP-EXTEND-MIB support.

Vulnerable: <= 5.8.0-cl3u11, <= 5.8.0-cl4u4
Fixed: 5.8.0-cl3.7.14u3, 5.8.0-cl4.2.1u1
Affects: 3.7.13, 4.0.0-4.2.0
Fixed in: 3.7.14-3.7.16, 4.2.1-4.4.5
2552294
CM-30879
NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2552214
CM-30832
The Mellanox SN2700 and SN2410 switches intermittently report PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages.
Affects: 3.7.11-3.7.14.2, 4.1.1-4.3.0
Fixed in: 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5
2552205
CM-30827
If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer’s SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.
To work around this issue, ifdown/ifup the SVI when a MAC address changes.
Affects: 3.7.12-4.2.0
Fixed in: 4.2.1-4.4.5
2551912
CM-30580
ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down.
Affects: 3.7.12-4.2.0
Fixed in: 4.2.1-4.4.5
2551748
CM-30514
In OVSDB high availability mode, deleting > 200 VLAN bindings might cause ovs-vtepd to crash. Limit the deletion to 200 or fewer VLAN bindings.
Affects: 3.7.12-3.7.13, 4.0.0-4.2.1
Fixed in: 3.7.14-3.7.16, 4.3.0-4.4.5
2551731
CM-30504
When the OVSDB VTEP scale increases, the CPU utilization increases and eventually the switch (ptmd) fails to respond to the BFD, causing the BFD session to go down. As a result, OVSDB cannot read the BFD socket status and outputs a warning in the ovs-vtepd debugs: PTM socket error: Bad file descriptor.
Affects: 3.7.12-4.2.0
Fixed in: 4.2.1-4.4.5
2551728
CM-30503
In OVSDB high availability mode, if you create, then delete a binding, the FDB entry is not replaced and you see an error.
Affects: 3.7.12-4.2.0
Fixed in: 4.2.1-4.4.5
2551714
CM-30498
There is a change to the default OVSDB bootstrapping process, where the script created now defaults to VLAN-aware bridge mode. If you want to use traditional bridge mode, you need to force it by editing the ovs-vtep-ctl script generated by the bootstrap process.
Affects: 3.7.12-4.2.0
Fixed in: 4.2.1-4.4.5
2551693
CM-30486
A host migrated to an 802.1X MAB port within the same broadcast domain fails to have the correct FDB entry installed if a dynamic FDB entry for that MAC address exists from previous connectivity in the broadcast domain.
To work around this issue, manually delete the dynamic FDB entry that is associated with the uplink trunk port.
Affects: 3.7.12-3.7.13, 4.1.1-4.2.0
Fixed in: 3.7.14-3.7.16, 4.2.1-4.4.5
2551675
CM-30479
When you restart clagd, the edge port setting on the peer link changes.
Affects: 3.7.2-3.7.13, 4.0.0-4.2.0
Fixed in: 3.7.14-3.7.16, 4.2.1-4.4.5
2551651
CM-30464
The net show dot1x interface summary command output shows a MAC address with all zeros associated with a port.
Affects: 3.7.12-3.7.13, 4.0.0-4.2.0
Fixed in: 3.7.14-3.7.16, 4.2.1-4.4.5
2551578
CM-30422
When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2551565
CM-30414
If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both the VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected.
To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands.
Affects: 3.7.13-3.7.16, 4.2.0-4.4.5
2551554
CM-30408
Customers running security scans on Cumulus Linux 4 may encounter the listing of an incorrect version of u-boot 2014.10+dfsg1-4 with the following vulnerabilities:
CVE-2017-3225
CVE-2017-3226
CVE-2018-18440
CVE-2019-11690
CVE-2019-13103
CVE-2019-14192
CVE-2019-14193
CVE-2019-14194
CVE-2019-14195
CVE-2019-14196
CVE-2019-14197
CVE-2019-14198
CVE-2019-14199
CVE-2019-14200
CVE-2019-14201
CVE-2019-14202
CVE-2019-14203
CVE-2019-14204
CVE-2020-10648
The u-boot-tools package is not installed on the switch by default, but is available in the repository for optional installation. On Cumulus Linux 4, the version is at least 2019.01+dfsg-7. However, the older versions available for optional installation on Cumulus Linux 3 may be vulnerable.
According to https://security-tracker.debian.org/tracker/source-package/u-boot , all except the following are fixed in 2019.01+dfsg-7:
CVE-2017-3225: https://security-tracker.debian.org/tracker/CVE-2017-3225 says "Negligible security impact"
CVE-2017-3226: https://security-tracker.debian.org/tracker/CVE-2017-3226 says "Negligible security impact"
CVE-2018-18440: https://security-tracker.debian.org/tracker/CVE-2018-18440 says "No security impact as supported/packaged in Debian".
Affects: 3.7.12-3.7.16
Fixed in: 4.0.0-4.4.5
2551305
CM-30296
The net show configuration command provides the wrong net add command for ACL under the VLAN interface.
Affects: 3.7.12-3.7.16, 4.1.0-4.4.5
2551288
CM-30286
When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.
To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file.
Affects: 3.7.7-3.7.16
Fixed in: 4.0.0-4.4.5
2550974
CM-30195
On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured.
Affects: 3.7.11-3.7.16, 4.1.1-4.4.5
2550942
CM-30178
NCLU tab completion for net show displays the text add help text instead of system Information for the system option.
Affects: 3.7.11-4.2.0
Fixed in: 4.2.1-4.4.5
2550873
CM-30141
In an MLAG configuration with static VXLAN, static tunnels become unreachable.
Affects: 3.7.13, 4.1.1-4.2.0
Fixed in: 3.7.14-3.7.16, 4.2.1-4.4.5
2550796
CM-30103
On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero.
To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs.
Affects: 3.7.12-4.2.1
Fixed in: 4.3.0-4.4.5
2550793
CM-30101
The NCLU net show bridge spanning-tree command displays the aging timer incorrectly.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550600
CM-29978
The received PVST BPDU for a VLAN is flooded even though the ingress port doesn't have the VLAN tagged.
Affects: 3.7.8-4.3.0
Fixed in: 4.3.1-4.4.5, 4.4.0-4.4.5
2550479
CM-29899
A VXLAN interface as in-interface or out-interface in an ACL is not supported on Spectrum-based switches.
Affects: 3.7.7-4.2.0
Fixed in: 4.2.1-4.4.5, 4.3.0-4.4.5
2550444
CM-29872
Tab completion for the net show rollback description command returns information about a snapshot instead of context help.
To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550443
CM-29871
The net show rollback description command returns an error even if the string matches a commit description.
To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550375
CM-29838
CPU utilization may increase when clag-managed bond interfaces are operationally/LACP down but the physical carrier remains up on the bond member switchports. This condition occurs when clag bond redirection is enabled and bond members remain up while the parent bond does not negotiate LACP.
This issue is resolved in Cumulus Linux 3.7.14.
Affects: 3.7.9-3.7.13, 4.0.0-4.2.1
Fixed in: 3.7.14-3.7.16, 4.3.0-4.4.5
2550350
CM-29830
Unicast traffic from downlink hosts is flooded to multiple remote VTEPs, which might also cause high HwIfOutQDrops/TX_DRP on the uplink ports.
To work around this issue, restart switchd.
Affects: 3.7.10-3.7.13, 4.0.0-4.1.1; Fixed: 3.7.14-3.7.16, 4.2.0-4.4.5
2550276
CM-29779
In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added.
All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent.
Affects: 3.7.12-4.2.1; Fixed: 4.3.0-4.4.5
2550243
CM-29759
When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.
To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service file. For example:

#Requires=nginx.service restserver.socket
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550056
CM-29652
The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:

error: invalid signature.
Press any key to continue…
Affects: 3.7.12-3.7.16, 4.1.1-4.4.5
2549925
CM-29594
When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:

error: swp1s1.2: netlink: cannot set link swp1s1.2 up: operation failed with 'Network is down' (100)
warning: cmd '/bin/ip addr del 10.0.0.1/24 dev eth0' failed: returned 2 (RTNETLINK answers: Cannot assign requested address

To work around this issue, run the ifreload -a command a second time.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2549872
CM-29562
If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error.
Affects: 3.7.12-3.7.16, 4.1.1-4.4.5
2549838
CM-29546
In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel.
If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel.
To work around this issue, delete, then re-add the missing VNI. For example:

cumulus@switch:~$ sudo ifdown vni10100
cumulus@switch:~$ sudo ifup vni10100

If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI.
Affects: 3.7.12-4.2.1; Fixed: 4.3.0-4.4.5
2549794
CM-29525
The asic-monitor.service fails when you configure /etc/cumulus/datapath/monitor.conf with monitor.histogram_pg.collect.port_group_list = [all_packet_pg] and there is traffic passing through the buffer. When the service fails, you see the following traceback in journalctl:

asic-monitor[7389]: asic-monitor-module INFO: 2020-05-01 18:28:12.548734: Egress queue(s) greater than 500 bytes in monitor port group histogram_pg
asic-monitor[7389]: asic-monitor ERROR: ASIC monitor exception: sx_api_port_counter_tc_get failed: Parameter Error
asic-monitor[7389]: File "/usr/bin/asic-monitor", line 139, in <module>
asic-monitor[7389]: main(sys.argv[1:])
asic-monitor[7389]: File "/usr/bin/asic-monitor", line 126, in main
asic-monitor[7389]: traceback.print_stack()
asic-monitor[7389]: Traceback (most recent call last):
asic-monitor[7389]: File "/usr/bin/asic-monitor", line 117, in main
asic-monitor[7389]: monitor.run()
asic-monitor[7389]: File "/usr/lib/python2.7/dist-packages/cumulus/asic_monitor.py", line 158, in run

Affects: 3.7.11-3.7.13, 4.1.1-4.2.0; Fixed: 3.7.14-3.7.16, 4.2.1-4.4.5
2549782
CM-29519
The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbor state.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2549731
CM-29492
When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:

[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1
Affects: 3.7.12-3.7.16, 4.1.1-4.4.5
2549472
CM-29367
On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic.
Affects: 3.7.11-4.1.1; Fixed: 4.2.0-4.4.5
2549371
CM-29309
When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when no MLD join has been received.
Affects: 3.7.11-4.3.1; Fixed: 4.4.0-4.4.5
2549307
The following vulnerabilities affect git, which is available in the repository for optional installation:
CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.
Affects: 3.7.12-4.1.1; Fixed: 4.2.0-4.4.5
2549226
CM-29259
You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored.
Affects: 3.7.12-3.7.14.2, 4.0.0-4.2.1; Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2548962
CM-29165
With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table.
Affects: 3.7.12-4.1.1; Fixed: 4.2.0-4.4.5
2548930
CM-29148
On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware.
Affects: 3.7.11-4.2.1; Fixed: 4.3.0-4.4.5
2548746
CM-29068
On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect.
Affects: 3.7.11-4.1.1; Fixed: 4.2.0-4.4.5
2548657
CM-29035
When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2548490
CM-28944
A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.
To work around this issue, reenter the redistribute <connected|static> route-map statement in the configuration.
Affects: 3.7.11-4.1.1; Fixed: 4.2.0-4.4.5
2548485
CM-28940
If you configure the aggregate-address summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:
Existing configuration:

router bgp 1
 address-family ipv4 unicast
  aggregate-address 50.0.0.0/8 summary-only
 exit-address-family

If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:

Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 50.0.0.0         0.0.0.0                            32768 i
s> 50.0.0.1/32      0.0.0.0                  0         32768 i

Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:

Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
s> 50.0.0.1/32      0.0.0.0                  0         32768 i

To work around this issue, remove, then re-add the component prefix routes.
Affects: 3.7.12-4.2.1; Fixed: 4.3.0-4.4.5
2548475
CM-28932
After you add a new VNI and a layer 3 SVI to a set of leafs, certain leafs might not be able to communicate on the layer 3 VNI.
To work around this issue, reboot the leaf switch or restart switchd.
Affects: 3.7.6-3.7.13; Fixed: 3.7.14-3.7.16, 4.0.0-4.4.5
2548315
CM-28816
The following security advisory has been announced for bash:
CVE-2019-18276 (Qualys scan QID 372268): setuid vulnerability
When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges.
To work around this issue, do not make bash or bash scripts setuid.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2548243
CM-28754
On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules.
Affects: 3.7.3-3.7.16, 4.0.0-4.4.5
2548155
CM-28685
The net show bgp neighbor swpX json command shows negative output for the bgpTimerUpMsec timer.
Affects: 3.7.10-3.7.16; Fixed: 4.0.0-4.4.5
2548117
CM-28659
In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2548044
CM-28608
When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor.
Affects: 3.7.12-3.7.15, 4.0.0-4.4.5; Fixed: 3.7.16
2548024
CM-28596
On the Dell Z9100 switch, 100G-SR4 modules might not link up reliably in certain ports.
Ports swp1, 2, 3, 9, 10, 23, 24, 30, 31, and 32 might be affected.
To work around this issue, move 100G SR4 modules to one of the ports not affected by this issue.
Affects: 3.7.11-4.1.1; Fixed: 4.2.0-4.4.5
2547942
CM-28533
On the Lenovo NE0152T switch, one power supply (PSU2) always shows as ABSENT in smonctl.
Affects: 3.7.11-4.0.1; Fixed: 4.1.0-4.4.5
2547878
The following vulnerability has been found in the libgcrypt20 cryptographic library.
CVE-2019-13627: an ECDSA timing attack.
For more information, see https://www.debian.org/lts/security/2020/dla-1931-2.en.html
Vulnerable: 1.6.3-2+deb8u7
Fixed: 1.6.3-2+deb8u8
Affects: 3.7.11-3.7.16
2547876
The following vulnerability affects libxml2:
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c has a memory leak related to newDoc->oldNs. This can lead to a denial of service.
For more information, see https://www.debian.org/lts/security/2019/dla-2048.en.html
Vulnerable: 2.9.1+dfsg1-5+deb8u7
Fixed: 2.9.1+dfsg1-5+deb8u8
Affects: 3.7.11-3.7.16
2547874
The following vulnerability affects libbsd, a package containing utility functions from BSD systems.
CVE-2016-2090: In the fgetwln() function, an off-by-one error could trigger a heap buffer overflow.
For more information, see https://www.debian.org/lts/security/2019/dla-2052.en.html
Vulnerable: 0.7.0-2
Fixed: 0.7.0-2+deb8u1
Affects: 3.7.11-3.7.16
2547839
CM-28465
When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error.
Affects: 3.7.11-4.1.1; Fixed: 4.2.0-4.4.5
2547799
CM-28451
An error similar to the following shows in syslog for Mellanox switches:

2020-02-12T19:59:22.208012+08:00 leaf01 sx_sdk: RM_TABLE: No resources available to add 1 entries to KVD hash Table HW resource
2020-02-12T19:59:22.208124+08:00 leaf01 sx_sdk: PORT: __port_vport_fid_set err = (No More Resources)

To work around this issue, reboot the switch.
Affects: 3.7.11-3.7.13, 4.0.0-4.0.1; Fixed: 3.7.14-3.7.16, 4.1.0-4.4.5
2547784
CM-28442
PTM mis-detects incorrect hostnames of LLDP neighbors and does not fail them as expected; instead, they end up in an N/A cabling status.
Affects: 3.7.11-3.7.13, 4.0.0-4.1.1; Fixed: 3.7.14-3.7.16, 4.2.0-4.4.5
2547782
CM-28441
If an LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2547706
CM-28397
When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2547659
CM-28372
On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise.
Affects: 3.7.11-4.0.1; Fixed: 4.1.0-4.4.5
2547573
CM-28322
On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU.
Affects: 3.7.9-3.7.16
2547443
CM-28248
On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode.
Affects: 3.7.11-4.0.1; Fixed: 4.1.0-4.4.5
2547381
CM-28212
The hsflowd service sends an undefined header protocol 0 in the sampled flow sample to the collector, which is not recognized by the sFlow tool. You see errors similar to the following:

Dec 20 08:43:27 netflow-nms sfcapd[3991]: SFLOW: readFlowSample_header() undefined headerProtocol = 0

Affects: 3.7.11-3.7.16; Fixed: 4.0.0-4.4.5
2547349
CM-28193
When you change an interface IP address, then change it back, static routes are misprogrammed.
One of the following actions recovers the routes:
- Bounce both layer 3 interfaces
- Remove or add static routes in FRR
- Restart FRR
Affects: 3.7.11-3.7.16; Fixed: 4.0.0-4.4.5
2547341
CM-28189
When host-resources and ucd-snmp-mib are polled, you see permission denied messages similar to the following:

Jan 30 19:22:53 switch123 snmpd[23172]: Cannot statfs /sys/kernel/debug/tracing: Permission denied
Affects: 3.7.13, 4.0.0-4.1.1; Fixed: 3.7.14-3.7.16, 4.2.0-4.4.5
2547246
CM-28136
The MLAG switch pair has VLANs defined that are not used on MLAG bonds. These VLANs still synchronize MAC addresses across to the peer switch. This results in log messages that indicate a MAC address is installed and the VLAN is not defined; for example:

RTM_NEWNEIGH with unconfigured vlan XXXX on port peerlink
Affects: 3.7.10-3.7.13, 4.0.0-4.1.1; Fixed: 3.7.14-3.7.16, 4.2.0-4.4.5
2547123
CM-28078
On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect.
Affects: 3.7.11-4.1.1; Fixed: 4.2.0-4.4.5
2547120
CM-28076
After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number) until you run the decode-syseeprom --init command.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2547118
The following security vulnerabilities have been announced in the libtiff5 library on Cumulus Linux 4.0:
CVE-2019-14973, CVE-2019-17546: Multiple integer overflows have been discovered in the libtiff library and the included tools.
Vulnerable: 4.0.10-4
Fixed: 4.1.0+git191117-2~deb10u1
Affects: 3.7.10-4.0.1; Fixed: 4.1.0-4.4.5
2547100
CM-28061
On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic.
Affects: 3.7.11-4.1.1; Fixed: 4.2.0-4.4.5
2547068
CM-28046
Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly.
To work around this issue, contact your hardware vendor to ask whether a new BIOS version with a microcode fix is available, or manually disable CPU C-states in the kernel as outlined below.
To permanently disable C-states using a kernel boot parameter:
1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the GRUB_CMDLINE_LINUX variable. For example, if the /etc/default/grub file contains the line GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off", change it to GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0".
2. Run sudo update-grub.
3. Reboot the system with sudo reboot.
To disable C-states immediately on the running system (this does not persist through a reboot):
1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm that the following line is displayed:
ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)
The first field should read ii. If it does not, install the libpci3 package by running sudo apt upgrade; sudo apt install libpci3.
2. Disable C-states by running the ./cpupower idle-set -d 2 command.
C-states are disabled by default in Cumulus Linux 4.3.0 and later.
Affects: 3.7.9-4.2.1; Fixed: 4.3.0-4.4.5
2546991
CM-28003
The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2546895
CM-27957
If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:

systemd[1]: switchd.service watchdog timeout (limit 2min)!

To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd timeout for switchd.service.
To increase the systemd timeout:
1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
2. Restart the switchd service with the sudo systemctl restart switchd.service command.
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2546577
CM-27814
A traditional bridge with QinQ and a VNI does not work for tagged traffic.
Affects: 3.7.10-3.7.13, 4.0.0-4.0.1; Fixed: 3.7.14-3.7.16, 4.1.0-4.4.5
2546451
CM-27737
On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold.
Affects: 3.7.11-3.7.16
2546385
CM-27698
SNMP ifLastChange reports link transitions when there are none.
Affects: 3.7.6-3.7.16
2546225
CM-27627
When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.
 
sudo onie-install -fai http://
sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2546203
CM-27620
When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior:
* Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet.
* If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet.
Affects: 3.7.11-3.7.16
2546131
CM-27581
On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2546010
CM-27530
When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist.
Affects: 3.7.10-3.7.16
2545997
CM-27522
The NCLU command net show interface produces an error if bonds with no members exist.
To work around this issue, remove the empty bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a.
Affects: 3.7.10-3.7.16
2545934
CM-27489
Mellanox switches might experience higher CPU usage from the sx_sdk service or when BFD is in use.
To work around this issue, disable BFD to alleviate some of the CPU load.
Affects: 3.7.13, 4.0.0-4.1.1; Fixed: 3.7.14-3.7.16, 4.2.0-4.4.5
2545699
CM-27354
On the Celestica Pebble switch, if you use IPv6 routes with mask /65 to /127, the switchd log fills with errors.
Affects: 3.7.10-3.7.13; Fixed: 3.7.14-3.7.16, 4.1.0-4.4.5
2545566
CM-27272
The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT.
Affects: 3.7.12-4.0.1; Fixed: 4.1.0-4.4.5
2545446
CM-27192
If you use NCLU commands to add a non-MLAG bond, then add an MLAG configuration, the net commit command fails. However, a subsequent net commit command succeeds.
Affects: 3.7.10-3.7.16
2545404
CM-27173
On the Trident3 switch, unicast ARP packets received on a VNI and forwarded to the CPU are not policed.
Affects: 3.7.10-3.7.13, 4.0.0-4.0.1; Fixed: 3.7.14-3.7.16, 4.1.0-4.4.5
2545125
CM-27018
If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address.
Affects: 3.7.10-3.7.16, 4.0.0-4.4.5
2544978
CM-26921
If you delete an undefined bond, then add a bond slave, the net commit command fails.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2544968
CM-26913
FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2544953
CM-26905
When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command.
Affects: 3.7.10-3.7.16, 4.0.0-4.4.5
2544904
CM-26875
After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements.
To work around this issue, restart FRR after removing the IPv6 numbered configuration.
Affects: 3.7.9-4.1.1; Fixed: 4.2.0-4.4.5
2544829
CM-26829
Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump.
Affects: 3.7.8-3.7.16
2544671
CM-26736
Package: sudo
CVE ID: CVE-2019-14287
Debian Bug: 942322
Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows commands to be run as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access.
Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html
We recommend that you upgrade your sudo packages. For the detailed security status of sudo, refer to its security tracker page at https://security-tracker.debian.org/tracker/sudo
Vulnerable versions: < 1.8.27-1+deb10u1
Fixed versions: >= 1.8.27-1+deb10u1
To work around this issue, disable (comment out) any sudoers entries in /etc/sudoers or in files in /etc/sudoers.d that have !root in them. Only root or other users with a UID of 0 are affected.
Affects: 3.7.9-3.7.16; Fixed: 4.0.0-4.4.5
2544556
CM-26655
If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options.
Affects: 3.7.9-4.1.1; Fixed: 4.2.0-4.4.5
2544463
CM-26599
Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2544456
CM-26595
The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2544311
CM-26516
Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host.
Affects: 3.7.5-3.7.16, 4.0.0-4.4.5
2544235
CM-26463
The following CVEs affect the linux kernel package:
CVE-2019-14821, CVE-2019-14835, CVE-2019-15117, CVE-2019-15118, CVE-2019-15902
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
For the detailed security status of linux, refer to its security tracker page at https://security-tracker.debian.org/tracker/linux
Affects: 3.7.10-3.7.16
2544155
CM-26423
NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

Affects: 3.7.5-3.7.16, 4.0.0-4.4.5
2544113
CM-26412
MAC learning is not disabled by default on a double-tagged peer link interface, which results in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2543900
CM-26288
On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address.
Affects: 3.7.8-3.7.16, 4.0.0-4.4.5
2543841
CM-26256
The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
Affects: 3.7.8-3.7.16, 4.0.0-4.4.5
2543840
CM-26255
On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file.

Affects: 3.7.6-3.7.16
2543800
CM-26230
When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it because it does not know where to forward the packet. The static VXLAN tunnel does work if local-tunnelip is a loopback or a physical layer 3 interface.
Affects: 3.7.8-3.7.16; Fixed: 4.0.0-4.4.5
2543647
CM-26137
ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
Affects: 3.7.6-4.2.1; Fixed: 4.3.0-4.4.5
2543646
CM-26136
In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case).
Affects: 3.7.6-3.7.16, 4.0.0-4.4.5
2543627
CM-26126
Tomahawk 40G DACs cannot disable auto-negotiation.
Affects: 3.7.7-3.7.16; Fixed: 4.0.0-4.4.5
2543270
CM-25923
The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate.
Affects: 3.7.8-4.1.1; Fixed: 4.2.0-4.4.5
2543211
CM-25890
In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5
2543164
CM-25859
The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command.
Affects: 3.7.7-3.7.16, 4.0.0-4.4.5
2543096
CM-25815
When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
Affects: 3.7.6-3.7.16, 4.0.0-4.4.5
2543058
CM-25798
The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces.
Affects: 3.7.7-3.7.16; Fixed: 4.0.0-4.4.5
2543052
CM-25796
Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as "inactive" in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI.
Affects: 3.7.5-3.7.16; Fixed: 4.0.0-4.4.5
2543044
CM-25794
Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up.
Affects: 3.7.2-3.7.16; Fixed: 4.0.0-4.4.5
2542979
CM-25766
On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work.
Affects: 3.7.7-4.1.1; Fixed: 4.2.0-4.4.5
2542945
CM-25740
On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
Affects: 3.7.6-3.7.16, 4.0.0-4.4.5
2542310
CM-25404
hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
Affects: 3.7.6-3.7.16
2542305
CM-25400
If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
Affects: 3.7.6-3.7.16, 4.0.0-4.4.5
2542301
CM-25397
When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
3.7.3-3.7.16, 4.0.0-4.4.5
2541212
CM-24894
The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded.
3.7.5-3.7.16, 4.0.0-4.4.5
2541165
CM-24878
On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 through 12. (UPOE uses all four pairs of standard Ethernet cabling, whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device into a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port, so poectl should report that four_pair_mode_enabled is false.
3.7.6-3.7.16
2541029
CM-24799
On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped.
This issue only affects QinQ configurations.
3.7.5-3.7.16, 4.0.0-4.4.5
2540950
CM-24751
On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status.
3.7.3-4.1.1
4.2.0-4.4.5
2540885
CM-24703
The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports.
3.7.7-3.7.16
2540863
CM-24686
On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number.
3.7.3-3.7.16
2540753
CM-24618
If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
 
ERROR: No closing quotation
See /var/log/netd.log for more details.

3.7.5-3.7.16, 4.0.0-4.4.5
2540444
CM-24473
SNMP incorrectly requires engine ID specification.
3.7.4-3.7.16, 4.0.0-4.4.5
2540352
CM-24435
When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9
net add routing route-map Proxy-ARP permit 30 match interface swp10

3.7.2-3.7.16, 4.0.0-4.4.5
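The note above says the correct form is one route-map clause per interface rather than a glob. The following added example (not NCLU code, and not part of the original release notes) expands a hypothetical swpN-M range into the per-interface net add commands; the range syntax it accepts and the sequence-number step are assumptions of the example.

```python
import re

# Added example, not Cumulus Linux or NCLU code: expand an interface range
# such as "swp9-10" into one NCLU route-map clause per interface, which is
# the form the release note says the parser should have required.
SWP_RANGE = re.compile(r"^swp(\d+)-(\d+)$")
SWP_SINGLE = re.compile(r"^swp(\d+)$")


def expand_interfaces(glob):
    """Return the swp interface names covered by a single name or a swpN-M range.

    Only the simple swpN and swpN-M forms are handled (an assumption of this
    example); anything else raises ValueError rather than being passed through
    to NCLU as an unsupported glob.
    """
    m = SWP_RANGE.match(glob)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo > hi:
            raise ValueError("range start must not exceed end: %s" % glob)
        return ["swp%d" % n for n in range(lo, hi + 1)]
    if SWP_SINGLE.match(glob):
        return [glob]
    raise ValueError("unsupported interface glob: %s" % glob)


def route_map_clauses(name, action, start_seq, glob, step=5):
    """Build one 'net add routing route-map' command per interface.

    The sequence number starts at start_seq and increases by `step` for each
    clause, so every clause matches exactly one interface.
    """
    cmds = []
    seq = start_seq
    for ifname in expand_interfaces(glob):
        cmds.append("net add routing route-map %s %s %d match interface %s"
                    % (name, action, seq, ifname))
        seq += step
    return cmds


if __name__ == "__main__":
    # Reproduces the corrected pair of commands from the release note.
    for cmd in route_map_clauses("Proxy-ARP", "permit", 25, "swp9-10"):
        print(cmd)
```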
2540340
CM-24426
NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example:
 
cumulus@switch:~$ net add vrf mgmt


Tab completion for the net add vrf ip address command works correctly.
3.7.4-3.7.16, 4.0.0-4.4.5
2540274
CM-24379
On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route.
3.7.5-3.7.16, 4.0.0-4.4.5
2540204
CM-24350
When links come up after FRR is started, VRF connected routes do not get redistributed.
3.7.4-3.7.16, 4.0.0-4.4.5
2540192
CM-24343
The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value.
3.7.4-3.7.16, 4.0.0-4.4.5
2540155
CM-24332
On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
3.7.3-3.7.16, 4.0.0-4.4.5
2540042
CM-24272
When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface br0.100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# vrrp 1 advertisement-interval
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540041
CM-24271
On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU.
To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface vlan100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540040
CM-24270
Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface swp4
switch(config-if)# vrrp 1 version 2
switch(config-if)# no vrrp 1 preempt
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540031
CM-24262
NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist.
3.7.3-3.7.16, 4.0.0-4.4.5
2539994
CM-24241
When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
 
cumulus@switch:~$ net del bgp neighbor fabric peer-group
‘router bgp 65001’ configuration does not have ‘neighbor fabric peer-group’

3.7.2-3.7.16, 4.0.0-4.4.5
2539962
CM-24222
When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error.
3.7.0-3.7.16, 4.0.0-4.4.5
2539670
CM-24035
On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type.
3.7.2-3.7.16, 4.0.0-4.4.5
2539124
CM-23825
The net add interface ptm-enable command adds no ptm-enable for that interface in the frr.conf file.
Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh.
3.7.2-3.7.16, 4.0.0-4.4.5
2539081
CM-23792
When you delete post-up and pre-down IP peer entries from the /etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.
To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command.
3.7.0-3.7.16
4.0.0-4.4.5
2538875
CM-23696
IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file.
3.7.2-3.7.16
2538790
CM-23665
NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan bridge access . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.
To restore connectivity, remove the VLAN ID from the bridge.
3.7.2-3.7.16, 4.0.0-4.4.5
2538590
CM-23584
When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain.
3.7.2-3.7.16, 4.0.0-4.4.5
2538562
CM-23570
On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G.
3.7.2-3.7.16, 4.0.0-4.4.5
2538302
CM-23422
portwd changes the module type in response to an error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.
3.7.0-3.7.16
2538294
CM-23417
If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid.
3.7.0-3.7.16, 4.0.0-4.4.5
2538256
CM-23397
On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
3.7.2-4.0.1
4.1.0-4.4.5
2537820
CM-23123
When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
3.7.2-3.7.16
4.0.0-4.4.5
2537699
CM-23075
There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
3.7.1-3.7.16, 4.0.0-4.4.5
2537544
CM-23021
When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB.
3.7.1-3.7.16, 4.0.0-4.4.5
2537378
CM-22937
NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
3.7.1-3.7.16
2537188
CM-22849
When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
3.7.2-3.7.16
2537104
CM-22808
When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
3.7.1-3.7.16
4.0.0-4.4.5
2537061
CM-22794
The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
3.7.1-4.0.1
4.1.0-4.4.5
2536608
CM-22583
Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
3.7.0-3.7.16
2536384
CM-22386
The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptables redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
3.7.0-3.7.16, 4.0.0-4.4.5
2536179
CM-22228
On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working.
3.7.0-3.7.16, 4.0.0-4.4.5
2535986
CM-22041
At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart.
3.7.0-3.7.16, 4.0.0-4.4.5
2535965
CM-22020
On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic.
3.7.0-3.7.16, 4.0.0-4.4.5
2533691
CM-19788
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.
To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface.
3.7.12-3.7.16, 4.0.0-4.4.5
2532017
CM-18192
In FRR, bgp_snmp does not show all BGP peers when peer groups are used.
3.7.11-4.0.1
4.1.0-4.4.5

Fixed Issues in 3.7.13

Issue ID    Description    Affects
2552134
CM-30793
When the MLAG peerlink flaps on Broadcom Trident3 platforms, switchd might continually sync route and neighbor entries to hardware. This can be observed in /var/log/switchd.log with repeated Neighbor Summary and IPv4 Route Summary updates:
sync_route.c:2063 Neighbor Summary : 0 Added, 0 Deleted, 501 Updated, 0 Skipped in 589761 usecs
sync_route.c:2123 IPv4 Route Summary (29279) : 0 Added, 0 Deleted, 1732 Updated, 0 Skipped in 589820 usecs
sync_route.c:2063 Neighbor Summary : 0 Added, 0 Deleted, 501 Updated, 0 Skipped in 606689 usecs
sync_route.c:2123 IPv4 Route Summary (29280) : 0 Added, 0 Deleted, 1732 Updated, 0 Skipped in 596760 usecs
3.7.12
2551915
CM-30581
The following vulnerabilities have been announced in NGINX, which is installed by default on Cumulus Linux (however, the default nginx configuration is not vulnerable, since it does not configure error_page redirection or use lua):
CVE-2019-20372: NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
CVE-2020-11724: An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API.
Vulnerable: <= 1.6.2-5+deb8u6
Fixed: 1.6.2-5+deb8u7
3.7.12
2551779
CM-30532
Several issues were discovered in Python 3.4, an interactive high-level object-oriented language, that allow an attacker to cause denial of service, traffic redirection, header injection and cross-site scripting.
CVE-2013-1753: The gzip_decode function in the xmlrpc client library allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.
CVE-2016-1000110: The CGIHandler class does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
CVE-2019-16935: The documentation XML-RPC server has XSS via the server_title field. This occurs in Lib/xmlrpc/server.py. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
CVE-2019-18348: In urllib2, CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header.
CVE-2020-8492: Python allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
CVE-2020-14422: Lib/ipaddress.py improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created.
Vulnerable: <= 3.4.2-1+deb8u7
Fixed: 3.4.2-1+deb8u8
3.7.12
2551778
CM-30531
Several vulnerabilities were found in Perl's regular expression compiler. An application that compiles untrusted regular expressions could be exploited to cause denial of service or code injection.
Allowing untrusted regular expressions to be compiled by Perl is discouraged.
CVE-2020-10543: Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
CVE-2020-10878: Perl before 5.30.3 has an integer overflow related to mishandling of a “PL_regkind[OP(n)] == NOTHING” situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
CVE-2020-12723: regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
Vulnerable: <= 5.20.2-3+deb8u12
Fixed: 5.20.2-3+deb8u13
3.7.12
2551708
CM-30494
On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces.
2551543
CM-30403
switchd might crash if more than 16 IPv6 default route next hops are installed in the kernel routing table and those 16 next hops recurse to MAC address table entries reachable over VXLAN VNI interfaces. This can occur when many IPv6 router advertisements (RAs) are received across VLAN interfaces that have IPv6 forwarding disabled.
To work around this issue, add the following parameters to the /etc/sysctl.conf file to disable IPv6 default route installation from received router advertisements, then run the sudo sysctl -p --system command.

net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
3.7.12
2551395
CM-30343
The libnss3 package, available for optional installation on Cumulus Linux, has the following vulnerabilities:
CVE-2020-12399: Timing differences when performing DSA signatures.
CVE-2020-12402: Side channel vulnerabilities during RSA key generation.
Vulnerable: <= 3.26-1+deb8u10
Fixed: 3.26-1+deb8u11
3.7.12
2551356
CM-30325
The following vulnerabilities have been announced in the qemu package, which is available in the repository for optional installation on Cumulus Linux:
CVE-2020-1983: slirp: Fix use-after-free in ip_reass().
CVE-2020-13361: es1370_transfer_audio in hw/audio/es1370.c allowed guest OS users to trigger an out-of-bounds access during an es1370_write() operation.
CVE-2020-13362: megasas_lookup_frame in hw/scsi/megasas.c had an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.
CVE-2020-13765: hw/core/loader: Fix possible crash in rom_copy().
Vulnerable: <= 2.1+dfsg-12+deb8u14
Fixed: 2.1+dfsg-12+deb8u15
3.7.12
2551351
CM-30321
CVE-2018-6381 CVE-2018-6484 CVE-2018-6540 CVE-2018-6541 CVE-2018-6869 CVE-2018-7725 CVE-2018-7726 CVE-2018-16548
Several issues have been fixed in zziplib, a library providing read access on ZIP-archives. They are all related to invalid memory access and resulting crash or memory leak.
libzzip-0-13 is not installed by default on Cumulus Linux, but is available in the repository for optional installation.
Vulnerable: <= 0.13.62-3+deb8u1
Fixed: 0.13.62-3+deb8u2
3.7.12
2551350
CM-30320
CVE-2017-10790: The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.
Vulnerable: <= 4.2-3+deb8u3
Fixed: 4.2-3+dev8u4
3.7.12
2551161
CM-30240
switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart.
3.7.11-3.7.12, 4.0.0-4.2.0
2550735
CM-30064
The following security vulnerability has been found in BlueZ, in which the libbluetooth3 library is available in the repository for optional installation in Cumulus Linux:
CVE-2020-0556: Improper access control in subsystem for BlueZ before version 5.54 may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access.
Vulnerable: <= 5.23-2+deb8u1
Fixed: 5.43-2+deb9u2~deb8u1
3.7.12
2550693
CM-30040
The following vulnerabilities have been announced in the cups package:
CVE-2019-8842: The ‘ippReadIO’ function may under-read an extension field
CVE-2020-3898: heap based buffer overflow in libcups’s ppdFindOption() in ppd-mark.c
Vulnerable: <= 1.7.5-11+deb8u7
Fixed: 1.7.5-11+deb8u8
3.7.12
2550647
CM-30009
CVE-2020-12049: There was a file descriptor leak in the D-Bus message bus. An unprivileged local attacker could use this to attack the system DBus daemon, leading to denial of service for all users of the machine.
Vulnerable: <= 1.8.22-0+deb8u2
Fixed: 1.8.22-0+deb8u3
3.7.12
2550512
CM-29922
The python-httplib2 package, which is available in the repository for optional installation, has the following vulnerability:
CVE-2020-11078: In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for ‘httplib2.Http.request()’ could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.
Vulnerable: 0.9+dfsg-2
Fixed: 0.9+dfsg-2+deb8u1
3.7.12
2550511
CM-29921
The following vulnerabilities have been announced in dosfstools, which is available in the repository for optional installation:
CVE-2015-8872: The set_fat function in fat.c in dosfstools before 4.0 might allow attackers to corrupt a FAT12 filesystem or cause a denial of service (invalid memory read and crash) by writing an odd number of clusters to the third to last entry on a FAT12 filesystem, which triggers an "off-by-two error".
CVE-2016-4804: The read_boot function in boot.c in dosfstools before 4.0 allows attackers to cause a denial of service (crash) via a crafted filesystem, which triggers a heap-based buffer overflow in the (1) read_fat function or an out-of-bounds heap read in (2) get_fat function.
Vulnerable: 3.0.27-1
Fixed: 3.0.27-1+deb8u1
3.7.12
2550509
CM-29920
The json-c shared library (libjson-c2) had an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend. The libjson-c2 library is installed by default on Cumulus Linux 3.x.
Vulnerable: <= 0.11-4
Fixed: 0.11-4+deb8u2
3.7.12
2550507
CM-29919
Several vulnerabilities were discovered in BIND, a DNS server implementation.
bind9-host (containing only /usr/bin/host) and some libraries from the bind9 source package are installed on the switch by default; the BIND server referred to in these vulnerabilities is not installed by default but is available in the repository for optional installation.
CVE-2020-8616: It was discovered that BIND does not sufficiently limit the number of fetches performed when processing referrals. An attacker can take advantage of this flaw to cause a denial of service (performance degradation) or use the recursing server in a reflection attack with a high amplification factor.
CVE-2020-8617: It was discovered that a logic error in the code which checks TSIG validity can be used to trigger an assertion failure, resulting in denial of service.
Vulnerable: <= 1:9.9.5.dfsg-9+deb8u18
Fixed: 1:9.9.5.dfsg-9+deb8u19
3.7.12
2550323
CM-29807
After a neighbor is removed, the redistributed neighbor entry is withdrawn from the BGP table, but the prefix might still be selected as the bestpath when the host’s originated prefix is not advertised.
To work around this issue, recreate the neighbor entry and flap the interface to the host.
Or, if the host is already down, manually create a neighbor entry with an invalid MAC address, which forces redistribute neighbor to re-withdraw the entry.
3.7.3-3.7.12
2550274
CM-29778
If packets with an invalid checksum are received, the cumulus-poe service might restart and you see log messages similar to the following:
May 20 10:48:04.665635 leaf01 poed[8012]: ERROR : invalid checksum in response [0xC2:0x00]
May 20 10:48:04.671299 leaf01 poed[8012]: poed : ERROR : invalid checksum in response [0xC2:0x00]
May 20 10:48:04.708620 leaf01 systemd[1]: cumulus-poe.service: main process exited, code=exited, status=1/FAILURE
The service starts automatically but there is an impact to POE devices momentarily.
3.7.12, 4.0.0-4.1.1
2550119
CM-29692
The following vulnerability has been announced in the apt package:
CVE-2020-3810: Shuaibing Lu discovered that missing input validation in the ar/tar implementations of APT, the high level package manager, could result in denial of service when processing specially crafted deb files.
Vulnerable: <= 1.0.9.8.5-cl3u1
Fixed: 1.0.9.8.5-cl3u2
3.7.12
2549835
CM-29544
The following vulnerability affects the openldap package:
CVE-2020-12243: A vulnerability was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. LDAP search filters with nested boolean expressions can result in denial of service (slapd daemon crash).
Vulnerable: <= 2.4.40+dfsg-1+deb8u5
Fixed: 2.4.40+dfsg-1+deb8u6
3.7.12
2549711
CM-29484
The following vulnerability affects libgd2/libgd3:
CVE-2018-14553: gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing attackers to crash an application via a specific function call sequence. Only affects PHP when linked with an external libgd (not bundled).
Vulnerable: <= 2.1.0-5+deb8u13
Fixed: 2.1.0-5+deb8u14
3.7.12
2549710
CM-29483
The following vulnerability affects ipmitool:
CVE-2020-5208: It’s been found that multiple functions in ipmitool before 1.8.19 neglect proper checking of the data received from a remote LAN party, which may lead to buffer overflows and potentially to remote code execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user.
Vulnerable: <= 1.8.14-4
Fixed: 1.8.14-4+deb8u1
3.7.12
2549676
CM-29471
After you add or remove a bridge VLAN identifier (VID) on a trunk port, the layer 2 VNI is put into VLAN 1.
To work around this issue, revert the configuration change.
3.7.10-3.7.12, 4.0.0-4.1.1
2549397
CM-29322
When the BGP Multi-protocol Unreach NLRI attribute is received in a BGP update without a next hop attribute, the BGP session is brought down unexpectedly. RFC 4760 defines that the next-hop attribute is not required for updates containing MP_UNREACH_NLRI.3.7.12
2548673
CM-29044
A large number of flapping peers causes FRR to require a corresponding update to internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers as well as peers that should have been deleted during the flap processing. The contents of this array are processed by FRR to poll the links, which consumes CPU for all items in the array. This additional polling consumes more CPU than necessary but has no functional impact.
To work around this issue, restart FRR.
3.7.11-3.7.12, 4.0.0-4.1.1
2548659
CM-29037
When a link flap occurs while IPv6 traffic traverses interfaces, a kernel panic may occur with the following logs printed to the console:

[1675080.282051] BUG: unable to handle kernel NULL pointer dereference at 0000000000000110
[1675080.291007] IP: [] fib6_lookup_1+0xac/0x170

[1675080.757405] Kernel panic - not syncing: Fatal exception in interrupt
3.7.12
2548585
CM-28995
After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
Note: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command.
3.7.10-3.7.12, 4.1.0-4.1.1
2548579
The following security vulnerability has been announced:
CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
3.7.12, 4.0.0-4.4.5
2548382
CM-28867
The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog.
3.7.5-3.7.12, 4.0.0-4.1.1
2548372
None
On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert.
3.7.12, 4.0.0-4.1.1
2548307
CM-28810
When the garbage collector does not release memory back to the operating system, clagd might consume a large amount of memory. As a result of low system memory, systemd might shut down services to reclaim memory.
3.7.11-3.7.12, 4.1.0-4.1.1
2548116
CM-28658
The OVSDB log contains duplicate MAC addresses with the well-known BFD MAC address (00:23:20:00:00:01). This is mainly cosmetic, but clutters the log.
3.7.12, 4.0.0-4.0.1
2548112
CM-28656
In OVSDB VLAN-aware mode, removing a VTEP binding on the NSX controller fails to clean up all interfaces associated with the logical switch.
3.7.12, 4.0.0-4.1.1
2548111
CM-28655
When you remove, then re-add an NSX VTEP binding, the VXLAN VTEP interface is not recreated.
3.7.9-3.7.12, 4.0.0-4.0.1
2547880
CM-28488
The following CVEs were announced that affect the cron package. All of these require untrusted local user access.

CVE-2017-9525 is a local user privilege escalation attack: In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs.
CVE-2019-9704, CVE-2019-9705, CVE-2019-9706 are local user denial of service attacks. Note: the fix for CVE-2019-9705 imposes a limitation on the length of a crontab file (the vulnerability was that an unlimited size crontab file could cause excessive memory consumption).
https://security-tracker.debian.org/tracker/DLA-1723-1

Vulnerable: <= 3.0pl1-cl3u1
Fixed: 3.0pl1-cl3u2
3.7.12
2547879
CM-28487
The following CVE was announced for rsyslog:
CVE-2019-17041 CVE-2019-17042
rsyslogd, when receiving remote log messages and using optional pmaixforwardedfrom or pmcisconames parser modules (not enabled by default on Cumulus Linux), is vulnerable to CVE-2019-17041 and CVE-2019-17042 where malicious messages that appear to be from AIX or Cisco respectively may be caused to skip sanity checks, resulting in incorrect negative lengths causing heap overflows.
Do not enable (with $UDPServerRun or $InputTCPServerRun) receiving syslog messages from other hosts by the network. Also, do not enable (with $ModLoad) the vulnerable parsers pmaixforwardedfrom or pmcisconames.
The default /etc/rsyslog.conf file on Cumulus Linux does NOT enable $UDPServerRun or $InputTCPServerRun, so the vulnerability is not network exploitable in the default configuration. In addition, the vulnerable parsers are not enabled in the default configuration.

Vulnerable: <= 8.4.2-1-cl3u5
Fixed: 8.4.2-1-cl3u6
3.7.12
2547769
CM-28437
syslog might report a high load average with the CPU running a later microcode revision.
Affects: 3.7.4-3.7.12
2547666
CM-28376
On the Dell S5232F-ON switch, the output of ledmgrd shows amber_blinking but smonctl shows all OK.
Affects: 3.7.11-3.7.12, 4.0.0-4.1.1
2547663
CM-28374
When traffic from a double tag interface (facing a different site) is forwarded through VXLAN, the inner tag is not removed. The destination does not know this tag, so it discards it.
Affects: 3.7.8-3.7.12, 4.0.0-4.0.1
2547658
CM-28371
On the Lenovo NE0152T switch, one power supply (PSU2) always shows as ABSENT in smonctl.
Affects: 3.7.11-3.7.12
2547609
CM-28340
Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do not have this issue.
3.7.11-3.7.12, 4.0.0-4.1.1
2547592
CM-28331
When you add a route map to advertise IPv4 unicast in a BGP EVPN configuration and the route map contains a set operation, BGP crashes.
Affects: 3.7.11-3.7.12
2547293
CM-28160
On the Broadcom Trident3 switch with DHCP relay, where the DHCP server is reachable through the EVPN overlay, DHCP discover packets forwarded to the CPU might appear corrupt and might not get forwarded.
Affects: 3.7.9-3.7.12, 4.0.0-4.0.1
2547147
CM-28086
The ospfd daemon might crash with the following kernel trace:

2019-11-06T23:00:08.261749+09:00 cumulus ospfd[5339]: Assertion 'node' failed in file ospfd/ospf_packet.c, line 671, function ospf_write
3.7.11-3.7.12, 4.0.0-4.0.1
2546984
CM-27999
On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings.
Affects: 3.7.10-3.7.12, 4.0.0-4.2.0
2546950
CM-27982
switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF).
3.7.10-3.7.12, 4.0.0-4.1.1
2546141
CM-27586
CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue was introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors (https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled.
To check if lldpd is the heavy CPU resource user, run the following command:

cumulus@switch:~$ ps -eo user,pid,ppid,cmd,%mem,%cpu --sort=-%cpu | head

Alternatively, check for messages in the /var/log/syslog file similar to:

2020-02-20T15:02:12.137857-05:00 leaf01 sysmonitor: High CPU use: 87%
2020-02-20T15:02:12.482398-05:00 leaf01 sysmonitor: PID USER PR VIRT RES %CPU %MEM TIME+ COMMAND
2020-02-20T15:02:12.483112-05:00 leaf01 sysmonitor: 1570 _lldpd 20 73244 13800 76.6 0.3 4:43.06 lldpd

Note: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.
To work around this issue, you can do one of the following:
* If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).
* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service.
3.7.11-3.7.12, 4.0.0-4.0.1
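As an added example (not part of these release notes and not Cumulus Linux code), the following Python script applies the 30% rule of thumb above to sysmonitor lines from /var/log/syslog and reports the samples where lldpd exceeds it. The log lines embedded in the script are constructed to match the excerpt above; the regular expression assumes the PID USER PR VIRT RES %CPU %MEM TIME+ COMMAND column order that the excerpt shows.

```python
import re
import sys
from typing import Iterable, List, NamedTuple

# Constructed sample lines, in the same layout as the sysmonitor messages shown above.
SAMPLE_SYSLOG = """\
2020-02-20T15:02:12.137857-05:00 leaf01 sysmonitor: High CPU use: 87%
2020-02-20T15:02:12.482398-05:00 leaf01 sysmonitor: PID USER PR VIRT RES %CPU %MEM TIME+ COMMAND
2020-02-20T15:02:12.483112-05:00 leaf01 sysmonitor: 1570 _lldpd 20 73244 13800 76.6 0.3 4:43.06 lldpd
2020-02-20T15:02:12.483500-05:00 leaf01 sysmonitor: 2231 root 20 512344 98120 4.1 2.0 0:12.40 switchd
2020-02-20T15:09:12.483112-05:00 leaf01 sysmonitor: 1570 _lldpd 20 73244 13800 12.0 0.3 4:50.01 lldpd
"""


class ProcSample(NamedTuple):
    timestamp: str
    pid: int
    user: str
    cpu: float
    command: str


# One process row as printed by sysmonitor after its PID USER PR ... COMMAND header.
# The column order is assumed from the log excerpt above.
PROC_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+sysmonitor:\s+"
    r"(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\d+\s+\d+\s+"   # PID USER PR VIRT RES
    r"(?P<cpu>\d+(?:\.\d+)?)\s+\d+(?:\.\d+)?\s+\S+\s+"     # %CPU %MEM TIME+
    r"(?P<cmd>\S+)\s*$"                                    # COMMAND
)


def parse_proc_samples(lines: Iterable[str]) -> List[ProcSample]:
    """Extract the per-process rows; the header and 'High CPU use' lines are skipped."""
    samples = []
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            samples.append(ProcSample(m.group("ts"), int(m.group("pid")),
                                      m.group("user"), float(m.group("cpu")),
                                      m.group("cmd")))
    return samples


def lldpd_over_threshold(lines: Iterable[str], threshold: float = 30.0) -> List[ProcSample]:
    """Rows where lldpd is above the threshold; sustained hits point at this issue."""
    return [s for s in parse_proc_samples(lines)
            if s.command == "lldpd" and s.cpu > threshold]


if __name__ == "__main__":
    # Pass a syslog path to scan a real file; without one the constructed sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    lines = open(path).read().splitlines() if path else SAMPLE_SYSLOG.splitlines()
    for hit in lldpd_over_threshold(lines):
        print(f"{hit.timestamp} lldpd pid {hit.pid} at {hit.cpu}% CPU")
```

A single sample above 30% is not by itself a problem; the note above says the usage has to persist, so run the script over a window of syslog and look for repeated hits before pruning bridge-vids or stopping lldpd.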
2543792
CM-26225
On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switches, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
3.7.9-3.7.12, 4.0.0-4.0.1
2543648
CM-26138
You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:

-A FORWARD -i swp5 -s 00:25:90:b2:bd:9d -d 50:6b:4b:96:c4:04 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
3.7.6-3.7.12, 4.0.0-4.1.1
2543472
CM-26024
On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly.
To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches.
3.7.7-3.7.12, 4.0.0-4.0.1
2542767
CM-25641
If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.
To work around this issue, power cycle the switch.
3.7.6-3.7.12, 4.0.0-4.0.1
2535845
CM-21898
On a Trident3 switch, IGMP packets are not policed by the police rule in the 00control ACL file. The packets are policed by the catchall policer in the 99control ACL file instead.
-A $INGRESS_CHAIN -p ipv4 -d 01:00:5e:00:00:00/ff:ff:ff:80:00:00 -j police --set-mode pkt --set-rate 100 --set-burst 100
To work around this issue, let the CPU bound IGMP packet hit the following rule and change the policer rate to a desired value for IGMP packets:
-A $INGRESS_CHAIN -p ipv4 -d 01:00:5e:00:00:00/ff:ff:ff:80:00:00 -j police --set-mode pkt --set-rate 100 --set-burst 100
Typically, the destination MAC address 01:00:5e:xx:xx:xx is used only for PIM/IGMP control and data stream packets. However, this workaround cannot handle data stream multicast packets that are not TCP/UDP; this is not typically done.
4.0.0-4.0.1

3.7.12 Release Notes

Open Issues in 3.7.12

Issue ID | Description | Affects | Fixed
3418046
None
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
Affects: 3.7.0-5.4.0; Fixed: 5.5.0-5.6.0
3376798
On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected.
3.7.0-3.7.16, 4.3.1-4.4.5
3330705
When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present.
Affects: 3.7.0-5.3.1; Fixed: 5.4.0-5.6.0
3327477
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 through tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 through tacacs15 user password.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0
3216922
None
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-5.2.1; Fixed: 5.3.0-5.6.0
3216921
None
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
3.7.0-3.7.16, 4.3.0-4.4.5
3209699
None
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-4.3.0, 4.4.0-5.2.1; Fixed: 4.3.1, 5.3.0-5.6.0
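As an added example (not from the release notes and not Cumulus Linux code), this Python check implements the workaround in the three entries above: it reads the users_with_edit line from /etc/netd.conf and reports every name that is not a real local account. The INI-style layout with a [users] section is an assumption about the file format, and the sample file contents are constructed; compare with the real file on your switch. Local users are taken from /etc/passwd directly rather than through getpwnam(), because the NSS plugins used for RADIUS and TACACS+ logins can make a non-local name resolve.

```python
import configparser
from typing import List, Set

NETD_CONF = "/etc/netd.conf"
PASSWD = "/etc/passwd"

# Constructed sample modelled on the [users] section of /etc/netd.conf
# (assumed INI-style layout); "netops-admin" stands in for a RADIUS-only account.
SAMPLE_NETD_CONF = """\
[users]
users_with_edit = root, cumulus, netops-admin
users_with_show = root, cumulus, radius-ro
"""

# Constructed sample of /etc/passwd lines.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
cumulus:x:1000:1000:cumulus,,,:/home/cumulus:/bin/bash
"""


def parse_user_list(conf_text: str, key: str) -> List[str]:
    """Return the comma-separated user names stored under key in the [users] section."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    raw = cp.get("users", key, fallback="")
    return [u.strip() for u in raw.split(",") if u.strip()]


def local_users_from_passwd(passwd_text: str) -> Set[str]:
    """Account names defined in the passwd file itself (no NSS lookups)."""
    names = set()
    for line in passwd_text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            names.add(line.split(":", 1)[0])
    return names


def nonlocal_edit_users(conf_text: str, local_users: Set[str]) -> List[str]:
    """Names on users_with_edit that are not local accounts; the workaround
    above says these must be removed or created as real Linux users."""
    return [u for u in parse_user_list(conf_text, "users_with_edit")
            if u not in local_users]


if __name__ == "__main__":
    with open(PASSWD) as f:
        local = local_users_from_passwd(f.read())
    with open(NETD_CONF) as f:
        offenders = nonlocal_edit_users(f.read(), local)
    for user in offenders:
        print(f"users_with_edit contains a non-local account: {user}")
```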
3073668
On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap.
Affects: 3.7.12-3.7.16, 4.3.0-4.4.5
3017190
When you power cycle the switch, multiple interfaces come up in a PoE disabled state.
To work around this issue, run the sudo poectl -a | grep disabled command to find ports with PoE disabled. Run the sudo poectl -e swp1-swp48 command to enable PoE on the affected ports.
3.7.10-3.7.16
2959454
CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact.
Vulnerable: <= 2.1.0-6+deb8u6
Fixed: 2.1.0-6+deb8u7
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2959444
CVE-2017-12424, CVE-2018-7169: shadow incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information.
Vulnerable: <= 4.2-3+deb8u4
Fixed: 4.2-3+deb8u5
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2957684
CVE-2018-19872 CVE-2021-3481 CVE-2021-45930: Multiple out-of-bounds errors were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality and application availability.
Vulnerable: <= 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u3
Fixed: 4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2949602
CVE-2017-12613: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2949586
CVE-2022-21699: ipython may execute untrusted files in the current working directory.
Vulnerable: 2.3.0-2
Fixed: 2.3.0-2+deb8u1
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2949585
CVE-2017-16611: In libxfont, an X11 font rasterisation library, by creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog.
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2949584
CVE-2022-22747: nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service.
Vulnerable: <= 3.26-1+debu8u15
Fixed: 3.26-1+debu8u16
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2941560
CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.
Vulnerable: <= 9.26a~dfsg-0+deb8u7
Fixed: 9.26a~dfsg-0+deb8u
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2934939
When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage.
To work around this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example:
Before:
address-family ipv4 unicast
aggregate-address 10.10.0.0/16 summary-only
redistribute connected
After:
ip route 10.10.0.0/16 Null0
!
address-family ipv4 unicast
redistribute connected route-map DENY-COMPONENTS
redistribute static
exit-address-family
ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
!
route-map DENY-COMPONENTS deny 10
match ip address prefix-list NO-COMPONENTS
!
route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed.
3.7.12-3.7.16
2910862
CVE-2020-18442: Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value "zzip_file_read" in the function "unzzip_cat_file".
Vulnerable: <= 0.13.62-3+deb8u2
Fixed: 0.13.62-3+deb8u3
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2910861
CVE-2021-41819: A cookie prefix spoofing vulnerability in CGI::Cookie.parse.
CVE-2021-41817: A regular expression denial of service vulnerability (ReDoS) in date parsing methods.
Vulnerable: <= 2.1.5-2+deb8u12
Fixed: 2.1.5-2+deb8u13
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2885241
CVE-2021-43527: nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PSS signatures, which could result in denial of service or potentially the execution of arbitrary code.
Vulnerable: <= 3.26-1+debu8u13
Fixed: 3.26-1+debu8u14
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2885239
CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.
Vulnerable: 6.0.0+dfsg-6 on armel platform
Fixed: 6.0.0+dfsg-6+deb8u1
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2885238
The following vulnerabilities have been announced in bluez, the Linux Bluetooth protocol stack:
CVE-2019-8921: SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data.
CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response.
CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets, and this may cause the service of the target device to crash.
Vulnerable: <= 5.43-2+deb9u2~deb8u3
Fixed: 5.43-2+deb9u2~deb8u4
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2866111
CVE-2019-13616: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2866096
CM-33416
Under certain high scale conditions, various modules might experience timeouts during cl-support collection, which results in missing data in the cl-support file.
Affects: 3.7.12-3.7.15, 4.1.1-4.3.0; Fixed: 3.7.16, 4.3.1-4.4.5, 5.0.0-5.6.0
2866084
When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del dev [dst|via] <interface|IP> command, then add "vxlan-learning": "off" in the /etc/network/ifupdown2/policy.d/vxlan.json file:
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
"vxlan": {
"module_globals": { "vxlan-purge-remotes": "no" },
"defaults": {
"vxlan-ageing": "1800",
"vxlan-port": "4789", <==== This comma needs to be added at the end of this line
"vxlan-learning": "off" <= This line needs to be added
}
}
}
Reboot the affected switches.
Affects: 3.7.12-4.3.0; Fixed: 4.3.1-4.4.5
2862269
CVE-2021-23214, CVE-2021-23222: postgresql-9.4 may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries or false responses to the client's queries when a connection is first established.
Vulnerable: <= 9.4.26-0+deb8u4
Fixed: 9.4.26-0+deb8u5
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2855881
A number of vulnerabilities were discovered in Redis, a popular key/value database:
CVE-2021-32672: Random heap reading issue with Lua Debugger.
CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value.
CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections.
CVE-2021-32626: Specially crafted Lua scripts may result in a heap buffer overflow.
Vulnerable: <= 2:2.8.17-1+deb8u8
Fixed: 2:2.8.17-1+deb8u9
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2855879
The following vulnerabilities have been announced in the python3.4 package:
CVE-2021-3426: Running 'pydoc -p' allows other local users to extract arbitrary files. The '/getfile?key=path' URL allows reading arbitrary files on the filesystem.
CVE-2021-3733: The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
CVE-2021-3737: The HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a '100 Continue' HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server.
Vulnerable: <= 3.4.2-1+deb8u10
Fixed: 3.4.2-1+deb8u11
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2850806
CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses to client queries and DNS timeouts on client hosts).
Vulnerable: <= 1:9.9.5.dfsg-9+deb8u22
Fixed: 1:9.9.5.dfsg-9+deb8u23
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2845540
CVE-2020-10001: In CUPS, an input validation issue was addressed with improved memory handling.
Vulnerable: <= 1.7.5-11+deb8u8
Fixed: 1.7.5-11+deb8u9
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2841003
CVE-2017-9216, CVE-2020-12268: Two issues have been found in jbig2dec, a JBIG2 decoder library. One is related to an overflow with a crafted image file. The other is related to a NULL pointer dereference.
Vulnerable: <= 0.13-4~deb8u2
Fixed: 0.13-4~deb8u3
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2835994
CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function.
Vulnerable: <= 1.0.1t-1+deb8u15
Fixed: 1.0.1t-1+deb8u16
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2823255
CVE-2020-21913: Potential use-after-free vulnerability in icu (International Components for Unicode).
Vulnerable: <= 52.1-8+deb8u8
Fixed: 52.1-8+deb8u9
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2821981
The following vulnerabilities have been announced in the ruby2.1 package:
CVE-2021-31799: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 2.1.5, it is possible to execute arbitrary code via | and tags in a filename.
CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).
CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
Vulnerable: <= 2.1.5-2+deb8u11
Fixed: 2.1.5-2+deb8u12
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2820758
The following vulnerabilities have been announced in curl:
CVE-2021-22946: Crafted answers from a server might force clients to not use TLS on connections even though TLS was required and expected.
CVE-2021-22947: When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade and, as such, the client would handle them as being trusted. This could be used by a MITM attacker to inject fake response data.
Vulnerable: <= 7.38.0-4+deb8u21
Fixed: 7.38.0-4+deb8u22
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2815592
In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence.
Affects: 3.7.12-4.3.0, 4.4.2-5.0.1; Fixed: 4.3.1, 5.1.0-5.6.0
2813826
Two security issues were found in TIFF, a widely used format for storing image data, as follows:
CVE-2020-19131: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the "invertImage()" function in the component "tiffcrop".
CVE-2020-19144: Buffer Overflow in LibTiff allows attackers to cause a denial of service via the "in _TIFFmemcpy" function in the component "tif_unix.c".
Vulnerable: <= 4.0.3-12.3+deb8u11
Fixed: 4.0.3-12.3+deb8u12
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2813823
Several vulnerabilities were discovered in the Apache HTTP server. An attacker could send proxied requests to arbitrary servers, corrupt memory in some setups involving third-party modules, and cause the server to crash.
CVE-2021-34798: Malformed requests may cause the server to dereference a NULL pointer.
CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may.
CVE-2021-40438: A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user.
Vulnerable: <= 2.4.10-10+deb8u18
Fixed: 2.4.10-10+deb8u19
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2801262
On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart.
To work around this issue, load the port configuration in a staggered manner (groups of five downlink ports).
Affects: 3.7.12-4.3.0, 4.4.2-4.4.5; Fixed: 4.3.1, 5.0.0-5.6.0
2801126
CVE-2021-3580, CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures.
Vulnerable: <= 2.7.1-5+deb8u2
Fixed: 2.7.1-5+deb8u3
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2801125
OpenSSL, a cryptography library for secure communication, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let's Encrypt certificates, starting 2021-10-01.
Vulnerable: <= 1.0.1t-1+deb8u14
Fixed: 1.0.1t-1+deb8u15
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2801124
GnuTLS, a portable cryptography library, fails to validate alternate trust chains in some conditions. In particular this breaks connecting to servers that use Let's Encrypt certificates, starting 2021-10-01.
Vulnerable: <= 3.3.30-0+deb8u1
Fixed: 3.3.30-0+deb8u2
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2799742
CM-33032
On the Edgecore AS4610 switch, the historic CPU usage displayed in /run/sysmonitor/history sometimes shows as a negative value.
Affects: 3.7.12-3.7.15; Fixed: 3.7.16, 4.3.1-4.4.5
2798139
CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-32027: Several vulnerabilities were discovered in PostgreSQL, an object-relational SQL database. An attacker could have an opportunity to complete a MITM attack, execute arbitrary SQL functions under the identity of a superuser, execute arbitrary code as the operating system account running psql when connecting to a rogue server, and corrupt server memory, in some conditions.
Vulnerable: <= 9.4.26-0+deb8u3
Fixed: 9.4.26-0+deb8u4
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2794750
CM-29043
When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering.
Affects: 3.7.12-3.7.15, 4.0.0-4.2.1; Fixed: 3.7.16, 4.3.0-4.4.5
2769687
CVE-2021-22898: Information disclosure in connections to telnet servers was fixed in curl, a client-side URL transfer library.
Vulnerable: <= 7.38.0-4+deb8u20
Fixed: 7.38.0-4+deb8u21
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2769633
CVE-2021-3672: in c-ares, an asynchronous name resolver, missing input validation of host names returned by Domain Name Servers can lead to output of wrong hostnames.
Vulnerable: <= 1.10.0-2+deb8u2
Fixed: 1.10.0-2+deb8u3
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2769632
CVE-2020-10753 CVE-2021-3524: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made.
Vulnerable: <= 0.80.7-2+deb8u4
Fixed: 0.80.7-2+deb8u5
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2769631
CVE-2021-38165: lynx has a remote authentication credential leak (e.g. with URIs like https://user:pass@example.com) that allows remote attackers to discover cleartext credentials in SSL connection data.
Vulnerable: <= 2.8.9dev1-2+deb8u1
Fixed: 2.8.9dev1-2+deb8u2
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2743132
CVE-2021-3246: An issue has been found in libsndfile, a library for reading/writing audio files. A crafted WAV file can trigger a heap buffer overflow and might allow execution of arbitrary code.
Vulnerable: <= 1.0.25-9.1+deb8u5
Fixed: 1.0.25-9.1+deb8u6
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2736265
After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes.
Affects: 3.7.12-3.7.15, 4.2.1-4.3.0; Fixed: 3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5
2736247
CVE-2021-27845: A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.c.
Vulnerable: <= 1.900.1-debian1-2.4+deb8u10
Fixed: 1.900.1-debian1-2.4+deb8u11
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2736245
CVE-2021-32761: It was discovered that there were several integer overflow issues in Redis, a popular key-value database system. Some BITFIELD-related commands were affected on 32-bit systems.
Vulnerable: <= 2.8.17-1+deb8u7
Fixed: 2.8.17-1+deb8u8
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2734107
When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs.
Affects: 3.7.12-4.3.0, 4.4.0-4.4.1; Fixed: 4.3.1, 4.4.2-4.4.5
2728207
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5
2728206
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5
2728205
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-4.4.1; Fixed: 4.4.2-4.4.5
2726776
CVE-2020-1927 CVE-2020-1934 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641: Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition, the implementation of the MergeSlashes option could result in unexpected behaviour.
Vulnerable: <= 2.4.10-10+deb8u17
Fixed: 2.4.10-10+deb8u18
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2716841
CVE-2021-3572: pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision of a repository.
Vulnerable: <= 1.5.6-5+deb8u1
Fixed: 1.5.6-5+deb8u2
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2705169
CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.
Vulnerable: <= 4.0.3-12.3+deb8u10
Fixed: 4.0.3-12.3+deb8u11
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2705168
CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.
Vulnerable: <= 5.43-2+deb9u2~deb8u2
Fixed: 5.43-2+deb9u2~deb8u3
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2702519
CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt.
Vulnerable: <= 1.6.3-2+deb8u8
Fixed: 1.6.2-2+dev8u9
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2700767
Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration.
Affects: 3.7.12-3.7.15, 4.3.0-4.4.5; Fixed: 3.7.16
2699464
In a VXLAN fabric with ToR switches configured in a MLAG pair, BUM traffic received on a VXLAN tunnel is decapsulated and forwarded on the peer link bond. The BUM traffic is then encapsulated by the peer switch and sent back to the fabric. The issue has been seen in environments where the following conditions exist at the same time:
1) high VNI scale
2) switchd is busy processing updates
3) clagd is in a transition state, such as Up, then Down, then Up. For example, when clagd restarts, the switch reboots, and so on.
The problem is seen on the switch that experiences the clagd state transition.
Affects: 3.7.12-3.7.15; Fixed: 3.7.16
2687332
When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage.
To work around this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example:
Before:
address-family ipv4 unicast
aggregate-address 10.10.0.0/16 summary-only
redistribute connected
After:
ip route 10.10.0.0/16 Null0
!
address-family ipv4 unicast
redistribute connected route-map DENY-COMPONENTS
redistribute static
exit-address-family
ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
!
route-map DENY-COMPONENTS deny 10
match ip address prefix-list NO-COMPONENTS
!
route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed.
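As an added illustration (not part of the release note), the following Python models the FRR prefix-list and route-map semantics of the After configuration and applies them to constructed sample routes, so you can check which prefixes are still advertised before changing a production switch. The route lists and function names are assumptions made for the example.

```python
import ipaddress

# Added illustration, not part of the release note: a small model of the FRR
# prefix-list and route-map semantics used in the "After" workaround, applied to
# constructed sample routes, to show which prefixes are still advertised.

# ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
# Each entry is (seq, action, prefix, ge, le); ge/le of None mean "not given".
NO_COMPONENTS = [(5, "permit", "10.10.0.0/16", 17, None)]

# route-map DENY-COMPONENTS deny 10 / match ip address prefix-list NO-COMPONENTS
# route-map DENY-COMPONENTS permit 20
# Each entry is (seq, action, prefix_list_or_None); None means "match anything".
DENY_COMPONENTS = [(10, "deny", NO_COMPONENTS), (20, "permit", None)]


def prefix_entry_matches(entry_prefix, ge, le, candidate):
    """Does one prefix-list entry match the candidate prefix?

    FRR rules: without ge/le the match is exact; with ge N the candidate must
    lie inside entry_prefix and have a length >= N; with le M, a length <= M.
    """
    entry = ipaddress.ip_network(entry_prefix)
    cand = ipaddress.ip_network(candidate)
    if cand.version != entry.version or not cand.subnet_of(entry):
        return False
    if ge is None and le is None:
        return cand == entry
    lo = ge if ge is not None else entry.prefixlen
    hi = le if le is not None else entry.max_prefixlen
    return lo <= cand.prefixlen <= hi


def prefix_list_permits(prefix_list, candidate):
    """First matching entry (by seq) decides; no match is an implicit deny."""
    for _seq, action, prefix, ge, le in sorted(prefix_list, key=lambda e: e[0]):
        if prefix_entry_matches(prefix, ge, le, candidate):
            return action == "permit"
    return False


def route_map_permits(route_map, candidate):
    """First route-map entry whose match clause hits decides; implicit deny at the end."""
    for _seq, action, prefix_list in sorted(route_map, key=lambda e: e[0]):
        if prefix_list is None or prefix_list_permits(prefix_list, candidate):
            return action == "permit"
    return False


def advertised_routes(connected, static):
    """Model the "After" address-family: connected routes are filtered by
    DENY-COMPONENTS, while static routes (the Null0 summary) pass unfiltered,
    which is why the note warns about other static routes being redistributed."""
    out = {r for r in connected if route_map_permits(DENY_COMPONENTS, r)}
    out.update(static)
    return sorted(out, key=lambda r: ipaddress.ip_network(r))


if __name__ == "__main__":
    # Constructed sample: two component /24s, one unrelated connected route,
    # and the Null0 summary route.
    connected = ["10.10.1.0/24", "10.10.2.0/24", "192.0.2.0/24"]
    static = ["10.10.0.0/16"]
    for r in advertised_routes(connected, static):
        print("advertise", r)
```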
Affects: 3.7.12-4.2.1; Fixed: 4.3.0-4.4.5
2684452
When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:
1. Clear all corrupted MAC entries in the kernel FDB with the bridge fdb del dev [dst|via] <interface|IP> command.
2. Add "vxlan-learning": "off" under the defaults section of /etc/network/ifupdown2/policy.d/vxlan.json. Add a comma at the end of the existing "vxlan-port" line, then add the "vxlan-learning" line after it:
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
"vxlan": {
"module_globals": { "vxlan-purge-remotes": "no" },
"defaults": {
"vxlan-ageing": "1800",
"vxlan-port": "4789",
"vxlan-learning": "off"
}
}
}
3. Reboot the affected switch(es).
Affects: 3.7.12-3.7.16
2684404
CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8
Fixed: 1.6.2-5+deb8u9
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2679950
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
Affects: 3.7.0-3.7.15, 4.0.0-4.3.1; Fixed: 3.7.16, 4.4.0-4.4.5
2677063
CVE-2021-3541: “Parameter Laughs” attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10
Fixed: 2.9.1+dfsg1-5+deb8u11
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2677061
CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7
Fixed: 1.6.2-5+deb8u8
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2677060
CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6
Fixed: 2.7.9-2-ds1-1+deb8u7
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2668477
CVE-2021-31535: libX11, the X11 protocol client library, was vulnerable to protocol command injection due to insufficient validation of arguments to some functions
Vulnerable: <= 1.6.2-3+deb8u4
Fixed: 1.6.2-3+deb8u5
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2660693
CVE-2021-22876: libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request
Vulnerable: 7.38.0-4+deb8u19
Fixed: 7.38.0-4+deb8u20
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2660582
In an MLAG configuration, when there is a double failure (backup IP and peer link failure), the secondary MLAG switch continues to use the MLAG system MAC address instead of a unique address.
To recover, restart the clagd service with the sudo systemctl restart clagd.service command.
Affects: 3.7.8-3.7.15; Fixed: 3.7.16
2658233
The following vulnerabilities have been announced in the graphviz package:
CVE-2018-10196: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (application crash) via a crafted file
CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file
Vulnerable: 2.38.0-7
Fixed: 2.38.0-7+deb8u1
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2656291
The following CVEs affect the linux kernel package:
CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
For the detailed security status of linux, refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux
Affects: 3.7.12-3.7.16; Fixed: 4.0.0-4.4.5
2654684
CVE-2021-3517 CVE-2021-3518 CVE-2021-3537: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files
Vulnerable: <= 2.9.1+dfsg1-5+deb8u9
Fixed: 2.9.1+dfsg1-5+deb8u10
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2653521
CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code
Vulnerable: 0.4.1-1.2
Fixed: 0.4.1-1.2+deb8u1
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2653400
None
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.
Affects: 3.7.10-3.7.16
2652003
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.
Affects: 3.7.10-4.3.0; Fixed: 4.3.1-4.4.5
2646974
The following vulnerabilities have been announced in bind9:
CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service
CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query
CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries
Vulnerable: <= 9.9.5.dfsg-9+deb8u21
Fixed: 9.9.5.dfsg-9+deb8u22
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2646968
CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service
Vulnerable: <= 6.8.9.9-5+deb8u23
Fixed: 6.8.9.9-5+deb8u24
Affects: 3.7.0-3.7.15; Fixed: 3.7.16
2645846
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.
Affects: 3.7.10-3.7.15; Fixed: 3.7.16, 4.3.1-4.4.5
2635951
The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1
Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened
Vulnerable: <= 1.4.4-2+deb8u2
Fixed: 1.4.4-2+deb8u3
Affects: 3.7.0-3.7.14.2; Fixed: 3.7.15-3.7.16
2633245
On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle.
Affects: 3.7.10-3.7.16
2617009
CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code
Vulnerable: 1.7.0~dfsg-1
Fixed: 1.7.0~dfsg-1+deb8u1
Affects: 3.7.0-3.7.14.2; Fixed: 3.7.15-3.7.16
2617008
CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data
Vulnerable: <= 1.22.0-9+deb8u4
Fixed: 1.22.0-9+deb8u5
Affects: 3.7.0-3.7.14.2; Fixed: 3.7.15-3.7.16
2617007
CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited
Vulnerable: <= 1.900.1-debian1-2.4+deb8u9
Fixed: 1.900.1-debian1-2.4+deb8u10
Affects: 3.7.0-3.7.14.2; Fixed: 3.7.15-3.7.16
2617006
CVE-2021-28957: An issue has been found in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute
Vulnerable: <= 3.4.0-1+deb8u3
Fixed: 3.4.0-1+deb8u4
Affects: 3.7.0-3.7.14.2; Fixed: 3.7.15-3.7.16
2617002
CVE-2020-25666 CVE-2020-25675 CVE-2020-25676 CVE-2020-27754 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2021-20176 CVE-2021-20241 CVE-2021-20244 CVE-2021-20246: Multiple security vulnerabilities were fixed in Imagemagick. Missing or incomplete input sanitising may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact
Vulnerable: 6.8.9.9-5+deb8u22
Fixed: 6.8.9.9-5+deb8u23
Affects: 3.7.0-3.7.14.2; Fixed: 3.7.15-3.7.16
2595889
CM-31120
In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface.
Affects: 3.7.10-3.7.14.2, 4.0.0-4.2.1; Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2595816
CM-31222
Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at an invalid IP address.
Affects: 3.7.12-3.7.14.2, 4.0.0-4.2.1; Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2589747
CM-32226
If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a goodbye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal that it is going down (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers.
Affects: 3.7.12-3.7.14.2, 4.0.0-4.2.1; Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2589570
The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:
CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input
Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2
Fixed: 2.0.1+dfsg-1.1+deb8u3
Affects: 3.7.0-3.7.14.2; Fixed: 3.7.15-3.7.16
2589567
The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:
CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations
CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size
Vulnerable: <= 2.6.1-2+deb8u5
Fixed: 2.6.1-2+deb8u6
Affects: 3.7.0-3.7.14.2; Fixed: 3.7.15-3.7.16
2562511
hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary RADIUS server is reachable but not responding to Access-Requests.
If the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers.
Affects: 3.7.10-3.7.14.2; Fixed: 3.7.15-3.7.16
2556233
CM-33129
Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message will be observed when this condition occurs:
WARN xx routes reverted to non-ECMP due to NH table capacity
Affects: 3.7.9-3.7.14.2; Fixed: 3.7.15-3.7.16
2556037
CM-33012
After you add an interface to the bridge, an OSPF session flap might occur
Affects: 3.7.9-4.2.0; Fixed: 4.2.1-4.4.5
2556019
CM-32997
After you add an interface to a bridge using the NCLU net add bridge bridge ports command, the bridge can go down and its MAC address changes
To work around this issue, use Linux commands to add an interface to a bridge.
Affects: 3.7.9-3.7.13; Fixed: 3.7.14-3.7.16
2555908
CM-32940
If you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up.
To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command.
Affects: 3.7.12-4.0.1; Fixed: 4.1.0-4.4.5
2554785
CM-32275
After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:
Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:
Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed out
Nov 12 12:20:05.064464 leaf01 switchd[9867]:
Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memory
Nov 12 12:20:05.092029 leaf01 switchd[9867]:
Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initialized
Nov 12 12:20:05.099579 leaf01 switchd[9867]:
Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminated
Nov 12 12:20:05.099667 leaf01 switchd[9867]:
Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminated
Nov 12 12:20:05.099798 leaf01 switchd[9867]:
Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0
Nov 12 12:20:05.099892 leaf01 switchd[9867]:
Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!
To work around this issue, configure Cumulus Linux to boot with the intel_iommu=off kernel command line option:
1. Open the /etc/default/grub file with a text editor.
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"
3. Run the update-grub command.
4. Reboot the switch.
Affects: 3.7.11-4.2.1; Fixed: 4.3.0-4.4.5
2554719
CM-32225
A slow memory leak is observed (1% per 14 hours) in kmalloc-256.
To work around this issue, reboot the switch.
Affects: 3.7.12-3.7.14.2; Fixed: 3.7.15-3.7.16
2554369
CM-32006
Certain Dell S4048-ON switches show an incorrect vendor name and hang when you issue the reboot command.
Affects: 3.7.12-4.2.1; Fixed: 4.3.0-4.4.5
2554232
CM-31929
VXLAN encapsulated traffic is not routed to the next hop because the destination VTEP IP address is mis-programmed on the switch, which decapsulates the traffic unexpectedly.
To work around this issue, restart switchd.
Affects: 3.7.12-3.7.13; Fixed: 3.7.14-3.7.16
2553887
CM-31700
When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server.
Affects: 3.7.7-3.7.16, 4.0.0-4.4.5
2553748
CM-31627
On switches with the Spectrum ASIC, the IPv6 default route might be present in the kernel but missing in hardware when IPv6 RAs are received on SVIs configured with ip-forward off.
Affects: 3.7.11-3.7.14.2, 4.2.1; Fixed: 3.7.15-3.7.16, 4.3.0-4.4.5
2553732
CM-31618
A ping via a dual-connected bond fails, and the audio stream is not routed or encapsulated through the layer 3 VNI.
Affects: 3.7.12-3.7.13, 4.0.0-4.2.1; Fixed: 3.7.14-3.7.16, 4.3.0-4.4.5
2553588
CM-31565
Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn’t exist.
To work around this issue, disable IGMP snooping on the switch.
Affects: 3.7.12-3.7.13, 4.0.0-4.2.1; Fixed: 3.7.14-3.7.16, 4.3.0-4.4.5
2553530
CM-31545
In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

Affects: 3.7.10-3.7.13, 4.1.1-4.2.1; Fixed: 3.7.14-3.7.16, 4.3.0-4.4.5
2553450
CM-31504
On the Dell N3248-PXE switch, when you insert two PSUs at different times, the newly inserted PSU is detected as OK but the fan and temp sensors are ABSENT.
To work around this issue, remove power to both PSUs at the same time, then reinsert power simultaneously.
Affects: 3.7.12-3.7.13, 4.2.1; Fixed: 3.7.14-3.7.16, 4.3.0-4.4.5
2553229
CM-31412
On the Dell N3248PXE switch, RJ45 fixed copper ports that auto-negotiate with a 100M or 10M neighbor incorrectly negotiate a half-duplex link that generates errors. Half duplex modes are not supported on this platform.
Affects: 3.7.12-3.7.13, 4.2.1; Fixed: 3.7.14-3.7.16, 4.3.0-4.4.5
2553219
CM-31407
You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters.
Affects: 3.7.12-4.2.1; Fixed: 4.3.0-4.4.5
2553116
CM-31357
When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2553050
CM-31322
SNMP status might incorrectly reflect that a BGP neighbor is down due to an issue between bgpd and SNMP AgentX when the IP-FORWARD-MIB is also polled.
To work around this issue, avoid polling IP-FORWARD-MIB objects.
Affects: 3.7.12-3.7.16
2553015
CM-31300
If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail.
Affects: 3.7.10-3.7.16, 4.2.0-4.4.5
2553001
CM-31294
When the following conditions exist, clagd might fail to establish a TCP control session across the subinterface (such as peerlink.4094):
* clagd uses an IPv6 link-local address (LLA) to establish the TCP connection (the clagd-peer-ip linklocal command configures an IPv6 LLA connection)
* Subsequent VLAN changes are made to VLAN subinterfaces, or SVIs are added or removed
This issue occurs because the hardware stores one entry per VRF to represent the IPv6 LLA. The hardware entry for the LLA is removed when another interface is changed because the software interfaces are represented by a single entity in hardware. As a result, packets destined to the local IPv6 LLA are received on the port but are not forwarded to the CPU for further processing.
To work around this issue, use IPv4 addresses under peerlink.4094 and configure clagd to peer on IPv4 addresses.
Affects: 3.7.12-3.7.13; Fixed: 3.7.14-3.7.16, 4.2.0-4.4.5
2552939
CM-31263
RX_DRP on a bond interface increases without any data traffic while the slave port does not increase.
Affects: 3.7.12-4.2.1; Fixed: 4.3.0-4.4.5
2552925
CM-31257
On the EdgeCore AS-6712-32X, AS5812-54X and AS5812-54T switch models, the temp sensors (DIMM temp sensor) show ABSENT. The amber diagnostic light on the front of the switch might also be turned on due to this issue.
These messages and the light are cosmetic issues only and do not otherwise impact the function of the switch.
Affects: 3.7.12-3.7.13; Fixed: 3.7.14-3.7.16
2552742
CM-31150
On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd.
Affects: 3.7.12-4.2.1; Fixed: 4.3.0-4.4.5
2552739
CM-31148
Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor.
Affects: 3.7.2-3.7.16
2552647
CM-31086
When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding.
To work around this issue, bounce the bond, or shut down the new interface and use the remaining members of the bond.
Affects: 3.7.10-3.7.13, 4.2.0; Fixed: 3.7.14-3.7.16, 4.2.1-4.4.5
2552528
CM-31028
Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated.
Affects: 3.7.7-3.7.13, 4.0.0-4.2.1; Fixed: 3.7.14-3.7.16, 4.3.0-4.4.5
2552506
CM-31016
Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file.
Affects: 3.7.11-3.7.13, 4.0.0-4.2.0; Fixed: 3.7.14-3.7.16, 4.2.1-4.4.5
2552352
CM-30914
The following security vulnerabilities have been announced in the nss / libnss3 packages:
CVE-2020-6829: Side channel attack on ECDSA signature generation
CVE-2020-12400: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function
CVE-2020-12401: ECDSA timing attack mitigation bypass
Vulnerable: <= 3.26-1+deb8u11
Fixed: 3.26-1+deb8u12
Affects: 3.7.0-3.7.13; Fixed: 3.7.14-3.7.16
2552351
CM-30913
The following vulnerability has been announced in the libx11 packages:
CVE-2020-14344: The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method.
Vulnerable: <= 1.6.2-3+deb8u2
Fixed: 1.6.2-3+deb8u3
Affects: 3.7.0-3.7.13; Fixed: 3.7.14-3.7.16
2552294
CM-30879
NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2552214
CM-30832
The Mellanox SN2700 and SN2410 switches intermittently report PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages.
Affects: 3.7.11-3.7.14.2, 4.1.1-4.3.0; Fixed: 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5
2552205
CM-30827
If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer’s SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.
To work around this issue, ifdown/ifup the SVI when a MAC address changes.
Affects: 3.7.12-4.2.0; Fixed: 4.2.1-4.4.5
2552134
CM-30793
When the MLAG peerlink flaps on Broadcom Trident3 platforms, switchd might continually sync route and neighbor entries to hardware. This can be observed in /var/log/switchd.log with repeated Neighbor Summary and IPv4 Route Summary updates:
sync_route.c:2063 Neighbor Summary : 0 Added, 0 Deleted, 501 Updated, 0 Skipped in 589761 usecs
sync_route.c:2123 IPv4 Route Summary (29279) : 0 Added, 0 Deleted, 1732 Updated, 0 Skipped in 589820 usecs
sync_route.c:2063 Neighbor Summary : 0 Added, 0 Deleted, 501 Updated, 0 Skipped in 606689 usecs
sync_route.c:2123 IPv4 Route Summary (29280) : 0 Added, 0 Deleted, 1732 Updated, 0 Skipped in 596760 usecs
Affects: 3.7.12; Fixed: 3.7.13-3.7.16
2551915
CM-30581
The following vulnerabilities have been announced in NGINX, which is installed by default on Cumulus Linux (however, the default nginx configuration is not vulnerable, since it does not configure error_page redirection or use lua):
CVE-2019-20372: NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
CVE-2020-11724: An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API.
Vulnerable: <= 1.6.2-5+deb8u6
Fixed: 1.6.2-5+deb8u7
Affects: 3.7.12; Fixed: 3.7.13-3.7.16
2551912
CM-30580
ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down.
Affects: 3.7.12-4.2.0; Fixed: 4.2.1-4.4.5
2551779
CM-30532
Several issues were discovered in Python 3.4, an interactive high-level object-oriented language, that allow an attacker to cause denial of service, traffic redirection, header injection and cross-site scripting.
CVE-2013-1753: The gzip_decode function in the xmlrpc client library allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.
CVE-2016-1000110: The CGIHandler class does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
CVE-2019-16935: The documentation XML-RPC server has XSS via the server_title field. This occurs in Lib/xmlrpc/server.py. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
CVE-2019-18348: In urllib2, CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header.
CVE-2020-8492: Python allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
CVE-2020-14422: Lib/ipaddress.py improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created.
Vulnerable: <= 3.4.2-1+deb8u7
Fixed: 3.4.2-1+deb8u8
Affects: 3.7.12; Fixed: 3.7.13-3.7.16
2551778
CM-30531
Several vulnerabilities were found in Perl's regular expression compiler. An application that compiles untrusted regular expressions could be exploited to cause denial of service or code injection.
Allowing Perl to compile untrusted regular expressions is discouraged.
CVE-2020-10543: Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
CVE-2020-10878: Perl before 5.30.3 has an integer overflow related to mishandling of a “PL_regkind[OP(n)] == NOTHING” situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
CVE-2020-12723: regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
Vulnerable: <= 5.20.2-3+deb8u12
Fixed: 5.20.2-3+deb8u13
Affects: 3.7.12; Fixed: 3.7.13-3.7.16
2551748
CM-30514
In OVSDB high availability mode, deleting > 200 VLAN bindings might cause ovs-vtepd to crash. Limit the deletion to 200 or fewer VLAN bindings.
Affects: 3.7.12-3.7.13, 4.0.0-4.2.1; Fixed: 3.7.14-3.7.16, 4.3.0-4.4.5
2551731
CM-30504
When the OVSDB VTEP scale increases, the CPU utilization increases and eventually the switch (ptmd) fails to respond to the BFD, causing the BFD session to go down. As a result OVSDB cannot read the BFD socket status and outputs a warning in the ovs-vtepd debugs: PTM socket error: Bad file descriptor.
Affects: 3.7.12-4.2.0; Fixed: 4.2.1-4.4.5
2551728
CM-30503
In OVSDB high availability mode, if you create, then delete a binding, the FDB entry is not replaced and you see an error.
Affects: 3.7.12-4.2.0; Fixed: 4.2.1-4.4.5
2551714
CM-30498
There is a change to the default OVSDB bootstrapping process: the generated script now defaults to VLAN-aware bridge mode. If you want to use traditional bridge mode, you need to force it by editing the ovs-vtep-ctl script generated by the bootstrap process.
Affects: 3.7.12-4.2.0; Fixed: 4.2.1-4.4.5
2551693
CM-30486
A host migrated to an 802.1X MAB port within the same broadcast domain fails to have the correct FDB entry installed if a dynamic FDB entry for that MAC address exists from previous connectivity in the broadcast domain.
To work around this issue, manually delete the dynamic FDB entry that is associated with the uplink trunk port.
Affects: 3.7.12-3.7.13, 4.1.1-4.2.0; Fixed: 3.7.14-3.7.16, 4.2.1-4.4.5
2551675
CM-30479
When you restart clagd, the edge port setting on the peer link changes.
Affects: 3.7.2-3.7.13, 4.0.0-4.2.0; Fixed: 3.7.14-3.7.16, 4.2.1-4.4.5
2551651
CM-30464
The net show dot1x interface summary command output shows a MAC address with all zeros associated with a port.
Affects: 3.7.12-3.7.13, 4.0.0-4.2.0; Fixed: 3.7.14-3.7.16, 4.2.1-4.4.5
2551578
CM-30422
When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2551554
CM-30408
Customers running security scans on Cumulus Linux 4 may encounter the listing of an incorrect version of u-boot 2014.10+dfsg1-4 with the following vulnerabilities: CVE-2017-3225, CVE-2017-3226, CVE-2018-18440, CVE-2019-11690, CVE-2019-13103, CVE-2019-14192, CVE-2019-14193, CVE-2019-14194, CVE-2019-14195, CVE-2019-14196, CVE-2019-14197, CVE-2019-14198, CVE-2019-14199, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203, CVE-2019-14204, CVE-2020-10648.
The u-boot-tools package is not installed on the switch by default, but is available in the repository for optional installation. On Cumulus Linux 4, the version is at least 2019.01+dfsg-7. However, the older versions available for optional installation on Cumulus Linux 3 may be vulnerable.
According to https://security-tracker.debian.org/tracker/source-package/u-boot, all except the following are fixed in 2019.01+dfsg-7:
CVE-2017-3225: https://security-tracker.debian.org/tracker/CVE-2017-3225 says “Negligible security impact”
CVE-2017-3226: https://security-tracker.debian.org/tracker/CVE-2017-3226 says “Negligible security impact”
CVE-2018-18440: https://security-tracker.debian.org/tracker/CVE-2018-18440 says “No security impact as supported/packaged in Debian”.
Affects: 3.7.12-3.7.16; Fixed: 4.0.0-4.4.5
2551543
CM-30403
switchd might crash if more than 16 IPv6 default route next hops are installed in the kernel routing table and those 16 next hops recurse to MAC address table entries reachable over VXLAN VNI interfaces. This can occur when many IPv6 router advertisements (RAs) are received across VLAN interfaces that have IPv6 forwarding disabled.
To work around this issue, add the following parameters to the /etc/sysctl.conf file to disable IPv6 default route installation from received router advertisements, then run the sudo sysctl -p --system command.

net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
Affects: 3.7.12; Fixed: 3.7.13-3.7.16
2551395
CM-30343
The libnss3 package, available for optional installation on Cumulus Linux, has the following vulnerabilities:
CVE-2020-12399: Timing differences when performing DSA signatures.
CVE-2020-12402: Side channel vulnerabilities during RSA key generation.
Vulnerable: <= 3.26-1+deb8u10
Fixed: 3.26-1+deb8u11
Affects: 3.7.12; Fixed: 3.7.13-3.7.16
2551356
CM-30325
The following vulnerabilities have been announced in the qemu package, which is available in the repository for optional installation on Cumulus Linux:
CVE-2020-1983: slirp: Fix use-after-free in ip_reass().
CVE-2020-13361: es1370_transfer_audio in hw/audio/es1370.c allowed guest OS users to trigger an out-of-bounds access during an es1370_write() operation.
CVE-2020-13362: megasas_lookup_frame in hw/scsi/megasas.c had an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.
CVE-2020-13765: hw/core/loader: Fix possible crash in rom_copy().
Vulnerable: <= 2.1+dfsg-12+deb8u14
Fixed: 2.1+dfsg-12+deb8u15
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
2551351
CM-30321
CVE-2018-6381 CVE-2018-6484 CVE-2018-6540 CVE-2018-6541 CVE-2018-6869 CVE-2018-7725 CVE-2018-7726 CVE-2018-16548
Several issues have been fixed in zziplib, a library providing read access on ZIP-archives. They are all related to invalid memory access and resulting crash or memory leak.
libzzip-0-13 is not installed by default on Cumulus Linux, but is available in the repository for optional installation.
Vulnerable: <= 0.13.62-3+deb8u1
Fixed: 0.13.62-3+deb8u2
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
2551350
CM-30320
CVE-2017-10790: The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.
Vulnerable: <= 4.2-3+deb8u3
Fixed: 4.2-3+dev8u4
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
2551305
CM-30296
The net show configuration command provides the wrong net add command for ACL under the VLAN interface.

Affects: 3.7.12-3.7.16, 4.1.0-4.4.5
2551288
CM-30286
When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.
To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file.
Affects: 3.7.7-3.7.16 | Fixed in: 4.0.0-4.4.5
2551161
CM-30240
switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart.
Affects: 3.7.11-4.2.0 | Fixed in: 4.2.1-4.4.5
2550974
CM-30195
On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured.
Affects: 3.7.11-3.7.16, 4.1.1-4.4.5
2550942
CM-30178
NCLU tab completion for net show displays the add help text instead of the system information for the system option.
Affects: 3.7.11-4.2.0 | Fixed in: 4.2.1-4.4.5
2550796
CM-30103
On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero.
To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs.
Affects: 3.7.12-4.2.1 | Fixed in: 4.3.0-4.4.5
2550793
CM-30101
The NCLU net show bridge spanning-tree command displays the aging timer incorrectly.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550735
CM-30064
The following security vulnerability has been found in BlueZ; the affected libbluetooth3 library is available in the repository for optional installation on Cumulus Linux:
CVE-2020-0556: Improper access control in subsystem for BlueZ before version 5.54 may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access.
Vulnerable: <= 5.23-2+deb8u1
Fixed: 5.43-2+deb9u2~deb8u1
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
2550693
CM-30040
The following vulnerabilities have been announced in the cups package:
CVE-2019-8842: The ‘ippReadIO’ function may under-read an extension field
CVE-2020-3898: heap based buffer overflow in libcups’s ppdFindOption() in ppd-mark.c
Vulnerable: <= 1.7.5-11+deb8u7
Fixed: 1.7.5-11+deb8u8
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
2550647
CM-30009
CVE-2020-12049: There was a file descriptor leak in the D-Bus message bus. An unprivileged local attacker could use this to attack the system DBus daemon, leading to denial of service for all users of the machine.
Vulnerable: <= 1.8.22-0+deb8u2
Fixed: 1.8.22-0+deb8u3
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
2550600
CM-29978
The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged.
Affects: 3.7.8-4.3.0 | Fixed in: 4.3.1-4.4.5, 4.4.0-4.4.5
2550512
CM-29922
The python-httplib2 package, which is available in the repository for optional installation, has the following vulnerability:
CVE-2020-11078: In httplib2 before version 0.18.0, an attacker controlling the unescaped part of the uri for 'httplib2.Http.request()' could change request headers and body, and send additional hidden requests to the same server. This vulnerability impacts software that uses httplib2 with a uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.
Vulnerable: 0.9+dfsg-2
Fixed: 0.9+dfsg-2+deb8u1
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
2550511
CM-29921
The following vulnerabilities have been announced in dosfstools, which is available in the repository for optional installation:
CVE-2015-8872: The set_fat function in fat.c in dosfstools before 4.0 might allow attackers to corrupt a FAT12 filesystem or cause a denial of service (invalid memory read and crash) by writing an odd number of clusters to the third to last entry on a FAT12 filesystem, which triggers an “off-by-two error”.
CVE-2016-4804: The read_boot function in boot.c in dosfstools before 4.0 allows attackers to cause a denial of service (crash) via a crafted filesystem, which triggers a heap-based buffer overflow in the (1) read_fat function or an out-of-bounds heap read in (2) get_fat function.
Vulnerable: 3.0.27-1
Fixed: 3.0.27-1+deb8u1
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
2550509
CM-29920
The json-c shared library (libjson-c2) had an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend. The libjson-c2 library is installed by default on Cumulus Linux 3.x.
Vulnerable: <= 0.11-4
Fixed: 0.11-4+deb8u2
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
2550507
CM-29919
Several vulnerabilities were discovered in BIND, a DNS server implementation.
bind9-host (containing only /usr/bin/host) and some libraries from the bind9 source package are installed on the switch by default; the BIND server referred to in these vulnerabilities is not installed by default but is available in the repository for optional installation.
CVE-2020-8616: It was discovered that BIND does not sufficiently limit the number of fetches performed when processing referrals. An attacker can take advantage of this flaw to cause a denial of service (performance degradation) or use the recursing server in a reflection attack with a high amplification factor.
CVE-2020-8617: It was discovered that a logic error in the code which checks TSIG validity can be used to trigger an assertion failure, resulting in denial of service.
Vulnerable: <= 1:9.9.5.dfsg-9+deb8u18
Fixed: 1:9.9.5.dfsg-9+deb8u19
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
2550479
CM-29899
VXLAN interface as in-interface or out-interface in an ACL is not supported in Spectrum-based switches.
Affects: 3.7.7-4.2.0 | Fixed in: 4.2.1-4.4.5, 4.3.0-4.4.5
2550444
CM-29872
Tab completion for the net show rollback description command returns information about a snapshot instead of context help.
To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550443
CM-29871
The net show rollback description command returns an error even if the string matches a commit description.
To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550375
CM-29838
CPU utilization may increase when clag-managed bond interfaces are operationally/LACP down but the physical carrier remains up on the bond member switchports. This condition occurs when clag bond redirection is enabled and bond members remain up while the parent bond does not negotiate LACP.

This issue is resolved in Cumulus Linux 3.7.14.
Affects: 3.7.9-3.7.13, 4.0.0-4.2.1 | Fixed in: 3.7.14-3.7.16, 4.3.0-4.4.5
2550350
CM-29830
Unicast traffic from downlink hosts is flooded to multiple remote VTEPs, which might also cause high HwIfOutQDrops/TX_DRP on the uplink ports.
To work around this issue, restart switchd.
Affects: 3.7.10-3.7.13, 4.0.0-4.1.1 | Fixed in: 3.7.14-3.7.16, 4.2.0-4.4.5
2550323
CM-29807
After a neighbor is removed, the redistributed neighbor entry is withdrawn from the BGP table, but the prefix might still be selected as the bestpath when the host’s originated prefix is not advertised.
To work around this issue, recreate the neighbor entry and flap the interface to the host.
Or, if the host is already down, manually create a neighbor entry with an invalid MAC address, which forces redistribute neighbor to re-withdraw the entry.
Affects: 3.7.3-3.7.12 | Fixed in: 3.7.13-3.7.16, 4.0.0-4.4.5
2550276
CM-29779
In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added.
All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent.
Affects: 3.7.12-4.2.1 | Fixed in: 4.3.0-4.4.5
2550274
CM-29778
If packets with an invalid checksum are received, the cumulus-poe service might restart and you see log messages similar to the following:
May 20 10:48:04.665635 leaf01 poed[8012]: ERROR : invalid checksum in response [0xC2:0x00]
May 20 10:48:04.671299 leaf01 poed[8012]: poed : ERROR : invalid checksum in response [0xC2:0x00]
May 20 10:48:04.708620 leaf01 systemd[1]: cumulus-poe.service: main process exited, code=exited, status=1/FAILURE
The service starts automatically but there is an impact to POE devices momentarily.
Affects: 3.7.12-4.1.1 | Fixed in: 4.2.0-4.4.5
2550243
CM-29759
When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.
To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service file. For example:

#Requires=nginx.service restserver.socket
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550119
CM-29692
The following vulnerability has been announced in the apt package:
CVE-2020-3810: Shuaibing Lu discovered that missing input validation in the ar/tar implementations of APT, the high level package manager, could result in denial of service when processing specially crafted deb files.
Vulnerable: <= 1.0.9.8.5-cl3u1
Fixed: 1.0.9.8.5-cl3u2
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
2550056
CM-29652
The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:

error: invalid signature.
Press any key to continue…
Affects: 3.7.12-3.7.16, 4.1.1-4.4.5
2549925
CM-29594
When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:

error: swp1s1.2: netlink: cannot set link swp1s1.2 up: operation failed with 'Network is down' (100)
warning: cmd '/bin/ip addr del 10.0.0.1/24 dev eth0' failed: returned 2 (RTNETLINK answers: Cannot assign requested address

To work around this issue, run the ifreload -a command a second time.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2549872
CM-29562
If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error.
Affects: 3.7.12-3.7.16, 4.1.1-4.4.5
2549838
CM-29546
In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel.
If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel.
To work around this issue, delete, then re-add the missing VNI. For example:

cumulus@switch:~$ sudo ifdown vni10100
cumulus@switch:~$ sudo ifup vni10100

If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI.
Affects: 3.7.12-4.2.1 | Fixed in: 4.3.0-4.4.5
2549835
CM-29544
The following vulnerability affects the openldap package:
CVE-2020-12243: A vulnerability was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. LDAP search filters with nested boolean expressions can result in denial of service (slapd daemon crash).
Vulnerable: <= 2.4.40+dfsg-1+deb8u5
Fixed: 2.4.40+dfsg-1+deb8u6
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
2549794
CM-29525
The asic-monitor.service fails when you configure /etc/cumulus/datapath/monitor.conf with monitor.histogram_pg.collect.port_group_list = [all_packet_pg] and there is traffic passing through the buffer. When the service fails, you see the following traceback in journalctl:

asic-monitor[7389]: asic-monitor-module INFO: 2020-05-01 18:28:12.548734: Egress queue(s) greater than 500 bytes in monitor port group histogram_pg
asic-monitor[7389]: asic-monitor ERROR: ASIC monitor exception: sx_api_port_counter_tc_get failed: Parameter Error
asic-monitor[7389]: File "/usr/bin/asic-monitor", line 139, in <module>
asic-monitor[7389]: main(sys.argv[1:])
asic-monitor[7389]: File "/usr/bin/asic-monitor", line 126, in main
asic-monitor[7389]: traceback.print_stack()
asic-monitor[7389]: Traceback (most recent call last):
asic-monitor[7389]: File "/usr/bin/asic-monitor", line 117, in main
asic-monitor[7389]: monitor.run()
asic-monitor[7389]: File "/usr/lib/python2.7/dist-packages/cumulus/asic_monitor.py", line 158, in run

Affects: 3.7.11-3.7.13, 4.1.1-4.2.0 | Fixed in: 3.7.14-3.7.16, 4.2.1-4.4.5
2549782
CM-29519
The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbor state.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2549731
CM-29492
When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:

[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1
Affects: 3.7.12-3.7.16, 4.1.1-4.4.5
2549711
CM-29484
The following vulnerability affects libgd2/libgd3:
CVE-2018-14553: gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing attackers to crash an application via a specific function call sequence. Only affects PHP when linked with an external libgd (not bundled).
Vulnerable: <= 2.1.0-5+deb8u13
Fixed: 2.1.0-5+deb8u14
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
2549710
CM-29483
The following vulnerability affects ipmitool:
CVE-2020-5208: It’s been found that multiple functions in ipmitool before 1.8.19 neglect proper checking of the data received from a remote LAN party, which may lead to buffer overflows and potentially to remote code execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user.
Vulnerable: <= 1.8.14-4
Fixed: 1.8.14-4+deb8u1
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
2549676
CM-29471
After you add or remove a bridge VLAN identifier (VID) on a trunk port, the layer 2 VNI is put into VLAN 1.
To work around this issue, revert the configuration change.
Affects: 3.7.10-4.1.1 | Fixed in: 4.2.0-4.4.5
2549472
CM-29367
On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic.
Affects: 3.7.11-4.1.1 | Fixed in: 4.2.0-4.4.5
2549397
CM-29322
When the BGP Multi-protocol Unreach NLRI attribute is received in a BGP update without a next hop attribute, the BGP session is brought down unexpectedly. RFC 4760 defines that the next-hop attribute is not required for updates containing MP_UNREACH_NLRI.
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16, 4.0.0-4.4.5
2549371
CM-29309
When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when no MLD join is received.
Affects: 3.7.11-4.3.1 | Fixed in: 4.4.0-4.4.5
2549307
The following vulnerabilities affect git, which is available in the repository for optional installation:
CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.
Affects: 3.7.12-4.1.1 | Fixed in: 4.2.0-4.4.5
2549226
CM-29259
You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored.
Affects: 3.7.12-3.7.14.2, 4.0.0-4.2.1 | Fixed in: 3.7.15-3.7.16, 4.3.0-4.4.5
2548962
CM-29165
With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table.
Affects: 3.7.12-4.1.1 | Fixed in: 4.2.0-4.4.5
2548930
CM-29148
On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware.
Affects: 3.7.11-4.2.1 | Fixed in: 4.3.0-4.4.5
2548746
CM-29068
On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect.
Affects: 3.7.11-4.1.1 | Fixed in: 4.2.0-4.4.5
2548673
CM-29044
A large number of flapping peers causes FRR to require a corresponding update to the internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers and peers that should have been deleted during the flap processing. FRR processes the contents of this array to poll the links, which consumes CPU for every item in the array. This additional polling consumes more CPU than necessary but has no functional impact.
To work around this issue, restart FRR.
Affects: 3.7.11-4.1.1 | Fixed in: 4.2.0-4.4.5
2548659
CM-29037
When a link flap occurs while IPv6 traffic traverses interfaces, a kernel panic may occur with the following logs printed to the console:

[1675080.282051] BUG: unable to handle kernel NULL pointer dereference at 0000000000000110
[1675080.291007] IP: [] fib6_lookup_1+0xac/0x170

[1675080.757405] Kernel panic - not syncing: Fatal exception in interrupt
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
2548657
CM-29035
When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2548585
CM-28995
After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
Note: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command.
Affects: 3.7.10-4.1.1 | Fixed in: 4.2.0-4.4.5
2548579
The following security vulnerability has been announced:
CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
Affects: 3.7.12, 4.0.0-4.4.5 | Fixed in: 3.7.13-3.7.16
2548490
CM-28944
A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.
To work around this issue, reenter the redistribute <connected|static> route-map statement in the configuration.
Affects: 3.7.11-4.1.1 | Fixed in: 4.2.0-4.4.5
2548485
CM-28940
If you configure the aggregate-address summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:
Existing configuration:

router bgp 1
 address-family ipv4 unicast
  aggregate-address 50.0.0.0/8 summary-only
 exit-address-family

If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:

Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 50.0.0.0         0.0.0.0                          32768 i
s> 50.0.0.1/32      0.0.0.0                  0         32768 i

Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:

Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
s> 50.0.0.1/32      0.0.0.0                  0         32768 i

To work around this issue, remove, then re-add the component prefix routes.
Affects: 3.7.12-4.2.1 | Fixed in: 4.3.0-4.4.5
2548475
CM-28932
After you add a new VNI and a layer 3 SVI to a set of leafs, certain leafs might not be able to communicate on the layer 3 VNI.
To work around this issue, reboot the leaf switch or restart switchd.
Affects: 3.7.6-3.7.13 | Fixed in: 3.7.14-3.7.16, 4.0.0-4.4.5
2548382
CM-28867
The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog.
Affects: 3.7.5-4.1.1 | Fixed in: 4.2.0-4.4.5
2548372
None
On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert.
Affects: 3.7.12-4.1.1 | Fixed in: 4.2.0-4.4.5
2548315
CM-28816
The following security advisory has been announced for bash:
CVE-2019-18276 Qualys scan QID 372268 setuid vulnerability
When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges.
To work around this issue, do not make bash or bash scripts setuid.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2548307
CM-28810
When the garbage collector does not release memory back to the operating system, clagd might consume a large amount of memory. As a result of low system memory, systemd might shut down services to reclaim memory.
Affects: 3.7.11-4.1.1 | Fixed in: 4.2.0-4.4.5
2548243
CM-28754
On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules.
Affects: 3.7.3-3.7.16, 4.0.0-4.4.5
2548155
CM-28685
The net show bgp neighbor swpX json command shows negative output for the bgpTimerUpMsec timer.
Affects: 3.7.10-3.7.16 | Fixed in: 4.0.0-4.4.5
2548117
CM-28659
In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2548116
CM-28658
The OVSDB log contains duplicate MAC addresses with the well-known BFD MAC address (00:23:20:00:00:01). This is mainly cosmetic, but clutters the log.
Affects: 3.7.12, 4.0.0-4.0.1 | Fixed in: 3.7.13-3.7.16, 4.1.0-4.4.5
2548112
CM-28656
In OVSDB VLAN-aware mode, removing a VTEP binding on the NSX controller fails to clean up all interfaces associated with the logical switch.
Affects: 3.7.12-4.1.1 | Fixed in: 4.2.0-4.4.5
2548111
CM-28655
When you remove, then re-add an NSX VTEP binding, the VXLAN VTEP interface is not recreated.
Affects: 3.7.9-3.7.12, 4.0.0-4.0.1 | Fixed in: 3.7.13-3.7.16, 4.1.0-4.4.5
2548044
CM-28608
When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor.
Affects: 3.7.12-3.7.15, 4.0.0-4.4.5 | Fixed in: 3.7.16
2548024
CM-28596
On the Dell Z9100 switch, 100G-SR4 modules might not link up reliably in certain ports.
Ports swp1, 2, 3, 9, 10, 23, 24, 30, 31, and 32 might be affected.
To work around this issue, move 100G SR4 modules to one of the ports not affected by this issue.
Affects: 3.7.11-4.1.1 | Fixed in: 4.2.0-4.4.5
2547942
CM-28533
On the Lenovo NE0152T switch, one power supply (PSU2) always shows as ABSENT in smonctl.
Affects: 3.7.11-4.0.1 | Fixed in: 4.1.0-4.4.5
2547880
CM-28488
The following CVEs were announced that affect the cron package. All of these require untrusted local user access.

CVE-2017-9525 is a local user privilege escalation attack: In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs.
CVE-2019-9704, CVE-2019-9705, CVE-2019-9706 are local user denial of service attacks. Note: the fix for CVE-2019-9705 imposes a limitation on the length of a crontab file (the vulnerability was that an unlimited size crontab file could cause excessive memory consumption).
https://security-tracker.debian.org/tracker/DLA-1723-1

Vulnerable: <= 3.0pl1-cl3u1
Fixed: 3.0pl1-cl3u2
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
2547879
CM-28487
The following CVE was announced for rsyslog:
CVE-2019-17041 CVE-2019-17042
rsyslogd, when receiving remote log messages and using optional pmaixforwardedfrom or pmcisconames parser modules (not enabled by default on Cumulus Linux), is vulnerable to CVE-2019-17041 and CVE-2019-17042 where malicious messages that appear to be from AIX or Cisco respectively may be caused to skip sanity checks, resulting in incorrect negative lengths causing heap overflows.
Do not enable (with $UDPServerRun or $InputTCPServerRun) receiving syslog messages from other hosts by the network. Also, do not enable (with $ModLoad) the vulnerable parsers pmaixforwardedfrom or pmcisconames.
The default /etc/rsyslog.conf file on Cumulus Linux does NOT enable $UDPServerRun or $InputTCPServerRun, so the vulnerability is not network exploitable in the default configuration. In addition, the vulnerable parsers are not enabled in the default configuration.

Vulnerable: <= 8.4.2-1-cl3u5
Fixed: 8.4.2-1-cl3u6
Affects: 3.7.12 | Fixed in: 3.7.13-3.7.16
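As an added check that is not part of these release notes, the following POSIX shell functions classify an rsyslog.conf by the two conditions the advisory above names (network reception via $UDPServerRun/$InputTCPServerRun, and loading of the pmaixforwardedfrom/pmcisconames parsers via $ModLoad). It assumes only those legacy-format directives matter, and the sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Cumulus Linux release notes: classify an
# rsyslog.conf by the two conditions the CVE-2019-17041/CVE-2019-17042
# advisory names, network reception of syslog ($UDPServerRun or
# $InputTCPServerRun) and loading of the pmaixforwardedfrom or pmcisconames
# parser modules ($ModLoad). Assumption: only these legacy-format directives
# are checked; RainerScript-style module()/input() statements are not.

# Drop comments and blank lines so commented-out directives do not count.
strip_comments() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Exit 0 when the file turns on receiving syslog messages over the network.
network_receive_enabled() {
    strip_comments "$1" |
        grep -qiE '^[[:space:]]*\$(UDPServerRun|InputTCPServerRun)[[:space:]]'
}

# Exit 0 when the file loads either of the two vulnerable parser modules.
vulnerable_parser_loaded() {
    strip_comments "$1" |
        grep -qiE '^[[:space:]]*\$ModLoad[[:space:]]+(pmaixforwardedfrom|pmcisconames)([[:space:]]|$)'
}

# Print one word describing the exposure of the given config file:
#   exposed       both conditions hold (crafted remote messages reach the parser)
#   network-only  network input on, vulnerable parsers not loaded
#   parser-only   vulnerable parsers loaded, but no network input
#   not-exposed   neither condition holds (the Cumulus Linux default)
rsyslog_exposure() {
    net=1
    par=1
    network_receive_enabled "$1" && net=0
    vulnerable_parser_loaded "$1" && par=0
    if [ "$net" -eq 0 ] && [ "$par" -eq 0 ]; then
        echo exposed
    elif [ "$net" -eq 0 ]; then
        echo network-only
    elif [ "$par" -eq 0 ]; then
        echo parser-only
    else
        echo not-exposed
    fi
}

# Constructed sample configurations (not real switch files).
SAFE_CONF=$(mktemp)
cat > "$SAFE_CONF" <<'EOF'
# Default-style config: local socket input only, network input commented out.
$ModLoad imuxsock
#$ModLoad imudp
#$UDPServerRun 514
*.* /var/log/syslog
EOF

EXPOSED_CONF=$(mktemp)
cat > "$EXPOSED_CONF" <<'EOF'
$ModLoad imudp
$UDPServerRun 514
$ModLoad pmcisconames
EOF

NETONLY_CONF=$(mktemp)
cat > "$NETONLY_CONF" <<'EOF'
$ModLoad imtcp
$InputTCPServerRun 514
EOF

trap 'rm -f "$SAFE_CONF" "$EXPOSED_CONF" "$NETONLY_CONF"' EXIT

# Stand-alone run: print the classification of each constructed sample.
for f in "$SAFE_CONF" "$EXPOSED_CONF" "$NETONLY_CONF"; do
    echo "$f: $(rsyslog_exposure "$f")"
done
```

To check a switch, call rsyslog_exposure /etc/rsyslog.conf (and any files it includes from /etc/rsyslog.d) the same way.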
2547878
The following vulnerability has been found in the libgcrypt20 cryptographic library.
CVE-2019-13627: there was an ECDSA timing attack.
For more information, see https://www.debian.org/lts/security/2020/dla-1931-2.en.html
Vulnerable: 1.6.3-2+deb8u7
Fixed: 1.6.3-2+deb8u8
Affects: 3.7.11-3.7.16
2547876
The following vulnerability affects libxml2:
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c has a memory leak related to newDoc->oldNs. This can lead to a denial of service.
For more information, see https://www.debian.org/lts/security/2019/dla-2048.en.html .
Vulnerable: 2.9.1+dfsg1-5+deb8u7
Fixed: 2.9.1+dfsg1-5+deb8u8
Affects: 3.7.11-3.7.16
2547874
The following vulnerability affects libbsd, a package containing utility functions from BSD systems.
CVE-2016-2090: In function fgetwln() an off-by-one error could trigger a heap buffer overflow.
For more information, see https://www.debian.org/lts/security/2019/dla-2052.en.html .
Vulnerable: 0.7.0-2
Fixed: 0.7.0-2+deb8u1
Affects: 3.7.11-3.7.16
2547839
CM-28465
When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error.
Affects: 3.7.11-4.1.1 | Fixed in: 4.2.0-4.4.5
2547799
CM-28451
An error similar to the following shows in syslog for Mellanox switches:

2020-02-12T19:59:22.208012+08:00 leaf01 sx_sdk: RM_TABLE: No resources available to add 1 entries to KVD hash Table HW resource
2020-02-12T19:59:22.208124+08:00 leaf01 sx_sdk: PORT: __port_vport_fid_set err = (No More Resources)

To work around this issue, reboot the switch.
Affects: 3.7.11-3.7.13, 4.0.0-4.0.1 | Fixed in: 3.7.14-3.7.16, 4.1.0-4.4.5
2547784
CM-28442
PTM mis-detects incorrect hostnames of LLDP neighbors and does not fail them as expected. Instead they end up in an N/A cabling status.
Affects: 3.7.11-3.7.13, 4.0.0-4.1.1 | Fixed in: 3.7.14-3.7.16, 4.2.0-4.4.5
2547782
CM-28441
If an LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2547769
CM-28437
syslog might report a high load average with the CPU running a later microcode revision.
Affects: 3.7.4-3.7.12 | Fixed in: 3.7.13-3.7.16
2547706
CM-28397
When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2547666
CM-28376
On the Dell S5232F-ON switch, the output of ledmgrd shows amber_blinking but smonctl shows all OK.
Affects: 3.7.11-4.1.1 | Fixed in: 4.2.0-4.4.5
2547663
CM-28374
When traffic from a double tag interface (facing a different site) is forwarded through VXLAN, the inner tag is not removed. The destination does not know this tag, so it discards it.
Affects: 3.7.8-3.7.12, 4.0.0-4.0.1 | Fixed in: 3.7.13-3.7.16, 4.1.0-4.4.5
2547659
CM-28372
On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise.
Affects: 3.7.11-4.0.1 | Fixed in: 4.1.0-4.4.5
2547658
CM-28371
On the Lenovo NE0152T switch, one power supply (PSU2) always shows as ABSENT in smonctl.
Affects: 3.7.11-3.7.12 | Fixed in: 3.7.13-3.7.16
2547609
CM-28340
Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do not have this issue.
Affects: 3.7.11-4.1.1 | Fixed in: 4.2.0-4.4.5
2547592
CM-28331
When you add a route map to advertise IPv4 unicast in a BGP EVPN configuration and the route map contains a set operation, BGP crashes.
Affects: 3.7.11-3.7.12 | Fixed in: 3.7.13-3.7.16, 4.1.0-4.4.5
2547573
CM-28322
On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU.
Affects: 3.7.9-3.7.16
2547443
CM-28248
On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode.
Affects: 3.7.11-4.0.1 | Fixed in: 4.1.0-4.4.5
2547381
CM-28212
The hsflowd service sends an undefined header protocol 0 in the sampled flow sample to the collector, which is not recognized by the sFlow tool. You see errors similar to the following:

Dec 20 08:43:27 netflow-nms sfcapd[3991]: SFLOW: readFlowSample_header() undefined headerProtocol = 0

Affects: 3.7.11-3.7.16 | Fixed in: 4.0.0-4.4.5
2547349
CM-28193
When you change an interface IP address, then change it back, static routes are misprogrammed.
One of the following actions recovers the routes:
- Bounce both layer 3 interfaces
- Remove or add static routes in FRR
- Restart FRR
Affects: 3.7.11-3.7.16 | Fixed in: 4.0.0-4.4.5
2547293
CM-28160
On the Broadcom Trident3 switch with DHCP relay, where the DHCP server is reachable through the EVPN overlay, DHCP discover packets forwarded to the CPU might appear corrupt and might not get forwarded.
Affects: 3.7.9-3.7.12, 4.0.0-4.0.1 | Fixed in: 3.7.13-3.7.16, 4.1.0-4.4.5
2547246
CM-28136
The MLAG switch pair has VLANs defined that are not used on MLAG bonds. These VLANs still synchronize MAC addresses across to the peer switch. This results in log messages that indicate a MAC address is installed and the VLAN is not defined; for example:

RTM_NEWNEIGH with unconfigured vlan XXXX on port peerlink
Affects: 3.7.10-3.7.13, 4.0.0-4.1.1. Fixed: 3.7.14-3.7.16, 4.2.0-4.4.5.
2547147
CM-28086
The ospfd daemon might crash with the following assertion failure in the log:

2019-11-06T23:00:08.261749+09:00 cumulus ospfd[5339]: Assertion 'node' failed in file ospfd/ospf_packet.c, line 671, function ospf_write
Affects: 3.7.11-3.7.12, 4.0.0-4.0.1. Fixed: 3.7.13-3.7.16, 4.1.0-4.4.5.
2547123
CM-28078
On the Broadcom switch with the Trident3 ASIC, the packet priority remark values assigned from each internal CoS value continue to work with the default values; if you change the internal CoS value, the change does not take effect.
Affects: 3.7.11-4.1.1. Fixed: 4.2.0-4.4.5.
2547120
CM-28076
After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number) until you run the decode-syseeprom --init command.
3.7.11-3.7.16, 4.0.0-4.4.5
2547118
The following security vulnerabilities have been announced in the libtiff5 library on Cumulus Linux 4.0:
CVE-2019-14973, CVE-2019-17546: Multiple integer overflows have been discovered in the libtiff library and the included tools.
Vulnerable: 4.0.10-4
Fixed: 4.1.0+git191117-2~deb10u1
Affects: 3.7.10-4.0.1. Fixed: 4.1.0-4.4.5.
2547100
CM-28061
On switches with the Trident3 ASIC, PFC does not work as expected. If you set PFC for only one CoS, pause frames are sent for all CoS traffic.
Affects: 3.7.11-4.1.1. Fixed: 4.2.0-4.4.5.
2547068
CM-28046
Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly.
To work around this issue, contact your hardware vendor to ask whether a BIOS version with a microcode fix is available, or disable CPU C-states in the kernel as described below.
To permanently disable C-states with a kernel boot parameter:
1. Edit /etc/default/grub and add the argument processor.max_cstate=0 to the GRUB_CMDLINE_LINUX variable. For example, if the file contains the line GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off", change it to GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0".
2. Run sudo update-grub.
3. Reboot the system with sudo reboot.
To disable C-states at runtime on the current system (this does not persist across a reboot):
1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm that the following line is displayed: ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library). The first field must read ii. If it does not, install the package with sudo apt upgrade; sudo apt install libpci3.
2. Disable C-states by running ./cpupower idle-set -d 2.
C-states are disabled by default in Cumulus Linux 4.3.0 and later.
Affects: 3.7.9-4.2.1. Fixed: 4.3.0-4.4.5.
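As an added example (not from the Cumulus Linux release notes), the following POSIX shell helper performs step 1 of the permanent workaround idempotently, so that configuration automation can be re-run without appending processor.max_cstate=0 a second time. The GRUB defaults content is constructed from the line shown above; on a switch, point it at /etc/default/grub and still run sudo update-grub and reboot afterwards.

```shell
#!/bin/sh
# Constructed copy of the relevant /etc/default/grub lines (not a real file).
SAMPLE_GRUB='GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off"'

# Append a kernel argument to GRUB_CMDLINE_LINUX in the given file unless it is
# already present (as a whole word inside the quotes), so repeated runs are safe.
add_kernel_arg() {
    # $1: path to a grub defaults file; $2: argument, e.g. processor.max_cstate=0
    # ("." in the argument matches any character here; good enough for a presence check)
    if grep -qE "^GRUB_CMDLINE_LINUX=\"(.* )?$2[\" ]" "$1"; then
        return 0
    fi
    # Insert the argument just before the closing quote of the value.
    sed -i -E "s/^(GRUB_CMDLINE_LINUX=\".*)\"/\1 $2\"/" "$1"
}

# Print the value of GRUB_CMDLINE_LINUX without its quotes, for verification.
kernel_cmdline() {
    sed -n -E 's/^GRUB_CMDLINE_LINUX="(.*)"$/\1/p' "$1"
}

# Demo against the constructed file; the second call must be a no-op.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_GRUB" > "$demo"
add_kernel_arg "$demo" processor.max_cstate=0
add_kernel_arg "$demo" processor.max_cstate=0
kernel_cmdline "$demo"
rm -f "$demo"
```

After the real file is changed, sudo update-grub regenerates the boot configuration and the reboot in step 3 activates it; a quick post-reboot check is grep max_cstate /proc/cmdline.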
2546991
CM-28003
The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code.
3.7.11-3.7.16, 4.0.0-4.4.5
2546984
CM-27999
On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings.
Affects: 3.7.10-4.2.0. Fixed: 4.2.1-4.4.5.
2546950
CM-27982
switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF).
Affects: 3.7.10-4.1.1. Fixed: 4.2.0-4.4.5.
2546895
CM-27957
If you have configured a higher number of ports and VLANs (ports x VLANs), or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout (2 minutes by default) and you see an error similar to the following:

systemd[1]: switchd.service watchdog timeout (limit 2min)!

To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd watchdog timeout for switchd.service.
To increase the systemd timeout:
1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
2. Restart the switchd service with the sudo systemctl restart switchd.service command.
systemd attempts to restart the switchd service automatically after the watchdog timeout. If the restart fails multiple times in a short period, run sudo systemctl reset-failed followed by sudo systemctl restart switchd.
3.7.11-3.7.16, 4.0.0-4.4.5
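An added example of the drop-in described above (not taken from the release notes; the 5-minute value is an assumption chosen for illustration, so pick a value that matches how long your switch takes to program its ports x VLANs). systemd merges the drop-in with the stock unit, so only the directive being changed is needed:

```ini
# /etc/systemd/system/switchd.service.d/override.conf (added example)
[Service]
# Stock limit is 2min; raise it so a large ports x VLANs configuration can
# finish programming before the systemd watchdog kills switchd.
WatchdogSec=5min
```

Run sudo systemctl daemon-reload before the restart in step 2 so systemd reads the new value, and confirm it with systemctl show switchd.service -p WatchdogUSec.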
2546577
CM-27814
A traditional bridge with QinQ and a VNI does not work for tagged traffic.
Affects: 3.7.10-3.7.13, 4.0.0-4.0.1. Fixed: 3.7.14-3.7.16, 4.1.0-4.4.5.
2546451
CM-27737
On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold.3.7.11-3.7.16
2546385
CM-27698
SNMP ifLastChange reports link transitions when there are none.3.7.6-3.7.16
2546225
CM-27627
When you execute the following commands on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.
 
sudo onie-install -fai http://
sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image.
3.7.11-3.7.16, 4.0.0-4.4.5
2546203
CM-27620
When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior:
* Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet.
* If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet.
3.7.11-3.7.16
2546141
CM-27586
CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors (see https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv). You might see high CPU usage even if the VLAN (dot1) TLV configuration is disabled.
To check if lldpd is the heavy CPU resource user, run the following command:

cumulus@switch:~$ ps -eo user,pid,ppid,cmd,%mem,%cpu --sort=-%cpu | head

Alternatively, check the /var/log/syslog file for messages similar to:

2020-02-20T15:02:12.137857-05:00 leaf01 sysmonitor: High CPU use: 87%
2020-02-20T15:02:12.482398-05:00 leaf01 sysmonitor: PID USER PR VIRT RES %CPU %MEM TIME+ COMMAND
2020-02-20T15:02:12.483112-05:00 leaf01 sysmonitor: 1570 _lldpd 20 73244 13800 76.6 0.3 4:43.06 lldpd

Note: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.
To work around this issue, you can do one of the following:
* If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).
* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service.
Affects: 3.7.11-3.7.12, 4.0.0-4.0.1. Fixed: 3.7.13-3.7.16, 4.1.0-4.4.5.
2546131
CM-27581
On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. On this platform Cumulus Linux uses U-Boot directly instead of GRUB to boot the kernel. U-Boot needs a special header on the kernel image, which is not present. Without this header, after you use apt upgrade to upgrade Linux packages, U-Boot is unable to boot the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present.
3.7.11-3.7.16, 4.0.0-4.4.5
2546010
CM-27530
When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist.
3.7.10-3.7.16
2545997
CM-27522
The NCLU command net show interface produces an error if bonds with no members exist.
To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a.
3.7.10-3.7.16
2545699
CM-27354
On the Celestica Pebble switch, if you use IPv6 routes with a mask of /65 to /127, the switchd log fills with errors.
Affects: 3.7.10-3.7.13. Fixed: 3.7.14-3.7.16, 4.1.0-4.4.5.
2545566
CM-27272
The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT.
Affects: 3.7.12-4.0.1. Fixed: 4.1.0-4.4.5.
2545446
CM-27192
If you use NCLU commands to add a non-MLAG bond, then add an MLAG configuration, the net commit command fails. However, a subsequent net commit command succeeds.
3.7.10-3.7.16
2545404
CM-27173
On the Trident3 switch, unicast ARP packets received on a VNI and forwarded to the CPU are not policed.
Affects: 3.7.10-3.7.13, 4.0.0-4.0.1. Fixed: 3.7.14-3.7.16, 4.1.0-4.4.5.
2545125
CM-27018
If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address.
3.7.10-3.7.16, 4.0.0-4.4.5
2544978
CM-26921
If you delete an undefined bond, then add a bond slave, the net commit command fails.
3.7.9-3.7.16, 4.0.0-4.4.5
2544968
CM-26913
FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file.
3.7.9-3.7.16, 4.0.0-4.4.5
2544953
CM-26905
When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command.
3.7.10-3.7.16, 4.0.0-4.4.5
2544904
CM-26875
After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements.
To work around this issue, restart FRR after removing the IPv6 numbered configuration.
Affects: 3.7.9-4.1.1. Fixed: 4.2.0-4.4.5.
2544829
CM-26829
Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump.
3.7.8-3.7.16
2544671
CM-26736
Package: sudo
CVE ID: CVE-2019-14287
Debian Bug: 942322
Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows running commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access.
Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html
We recommend that you upgrade your sudo packages. For the detailed security status of sudo, refer to its security tracker page at https://security-tracker.debian.org/tracker/sudo
Vulnerable versions: < 1.8.27-1+deb10u1
Fixed versions: >= 1.8.27-1+deb10u1
To work around this issue, disable (comment out) any sudoers entries in /etc/sudoers or in files under /etc/sudoers.d whose Runas specification contains !root. Only Runas specifications that exclude root (or another user with a UID of 0) from an otherwise permissive list are affected.
Affects: 3.7.9-3.7.16. Fixed: 4.0.0-4.4.5.
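As an added example (not from the release notes or the sudo project), the following POSIX shell script finds the sudoers entries the workaround tells you to comment out: Runas lists that rely on excluding root, such as (ALL, !root) or (ALL, !#0). The sample sudoers content is constructed for the demonstration; on a switch, run the function against /etc/sudoers and each file in /etc/sudoers.d. It does not expand aliases, so a Runas_Alias that contains !root has to be reviewed by hand.

```shell
#!/bin/sh
# Constructed sudoers content for the demo (not from the page).
# Lines 2 and 4 have the shape CVE-2019-14287 bypasses: a Runas list that
# means "any user except root". sudo < 1.8.28 accepts -u#-1 / -u#4294967295
# for such a rule and runs the command as uid 0. Line 3 is not affected.
SAMPLE_SUDOERS='Defaults env_reset
alice ALL=(ALL, !root) /usr/bin/vi
bob   ALL=(www-data) /usr/bin/systemctl restart nginx
%ops  ALL=(ALL, !#0) NOPASSWD: /usr/bin/less'

# Print, with line numbers, the non-comment lines whose Runas specification
# (the parenthesised part after "=") excludes root or uid 0.
find_exposed_runas() {
    # $1: path to a sudoers file
    grep -nE '^[^#]*\([^)]*![[:space:]]*(root|#0)([^[:alnum:]_)][^)]*)?\)' "$1"
}

# Number of exposed rules in the file; 0 means there is nothing to comment out.
count_exposed_runas() {
    find_exposed_runas "$1" | wc -l | tr -d ' '
}

# Demo run against the constructed file.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_SUDOERS" > "$demo"
echo "exposed rules: $(count_exposed_runas "$demo")"
find_exposed_runas "$demo"
rm -f "$demo"
```

Commenting out a matching rule removes the privilege for everyone it covered; the durable fix is the package upgrade to 1.8.27-1+deb10u1 or later, after which a Runas exclusion of root is honoured again.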
2544556
CM-26655
If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options.
Affects: 3.7.9-4.1.1. Fixed: 4.2.0-4.4.5.
2544463
CM-26599
Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G.
3.7.9-3.7.16, 4.0.0-4.4.5
2544456
CM-26595
The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds.
3.7.9-3.7.16, 4.0.0-4.4.5
2544311
CM-26516
Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host.
3.7.5-3.7.16, 4.0.0-4.4.5
2544235
CM-26463
The following CVEs affect the linux kernel package:
CVE-2019-14821, CVE-2019-14835, CVE-2019-15117, CVE-2019-15118, CVE-2019-15902
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
For the detailed security status of linux, refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux
3.7.10-3.7.16
2544155
CM-26423
NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

3.7.5-3.7.16, 4.0.0-4.4.5
2544113
CM-26412
MAC learning is not disabled by default on a double-tagged peer link interface, resulting in the MAC address flapping between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file.
3.7.9-3.7.16, 4.0.0-4.4.5
2543900
CM-26288
On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address.
3.7.8-3.7.16, 4.0.0-4.4.5
2543841
CM-26256
The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
3.7.8-3.7.16, 4.0.0-4.4.5
2543840
CM-26255
On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file.

3.7.6-3.7.16
2543800
CM-26230
When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it because it does not know where to forward it. The static VXLAN tunnel works if local-tunnelip is a loopback or a physical layer 3 interface.
Affects: 3.7.8-3.7.16. Fixed: 4.0.0-4.4.5.
2543792
CM-26225
On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
Affects: 3.7.9-3.7.12, 4.0.0-4.0.1. Fixed: 3.7.13-3.7.16, 4.1.0-4.4.5.
2543648
CM-26138
You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:

-A FORWARD -i swp5 -s 00:25:90:b2:bd:9d -d 50:6b:4b:96:c4:04 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
Affects: 3.7.6-4.1.1. Fixed: 4.2.0-4.4.5.
2543647
CM-26137
ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
Affects: 3.7.6-4.2.1. Fixed: 4.3.0-4.4.5.
2543646
CM-26136
In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case).
3.7.6-3.7.16, 4.0.0-4.4.5
2543627
CM-26126
Tomahawk 40G DACs cannot disable auto-negotiation.
Affects: 3.7.7-3.7.16. Fixed: 4.0.0-4.4.5.
2543472
CM-26024
On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly.
To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches.
Affects: 3.7.7-3.7.12, 4.0.0-4.0.1. Fixed: 3.7.13-3.7.16, 4.1.0-4.4.5.
2543270
CM-25923
The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate.
Affects: 3.7.8-4.1.1. Fixed: 4.2.0-4.4.5.
2543211
CM-25890
In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
3.7.0-3.7.16, 4.0.0-4.4.5
2543164
CM-25859
The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command.
3.7.7-3.7.16, 4.0.0-4.4.5
2543096
CM-25815
When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
3.7.6-3.7.16, 4.0.0-4.4.5
2543058
CM-25798
The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces.
Affects: 3.7.7-3.7.16. Fixed: 4.0.0-4.4.5.
2543052
CM-25796
Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as "inactive" in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI.
Affects: 3.7.5-3.7.16. Fixed: 4.0.0-4.4.5.
2543044
CM-25794
Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up.
Affects: 3.7.2-3.7.16. Fixed: 4.0.0-4.4.5.
2542979
CM-25766
On the Dell N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work.
Affects: 3.7.7-4.1.1. Fixed: 4.2.0-4.4.5.
2542945
CM-25740
On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
3.7.6-3.7.16, 4.0.0-4.4.5
2542767
CM-25641
If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.
To work around this issue, power cycle the switch.
Affects: 3.7.6-3.7.12, 4.0.0-4.0.1. Fixed: 3.7.13-3.7.16, 4.1.0-4.4.5.
2542310
CM-25404
hsflowd disregards the agent.cidr setting in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the sFlow payload shows IPv6.
3.7.6-3.7.16
2542305
CM-25400
If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
3.7.6-3.7.16, 4.0.0-4.4.5
2542301
CM-25397
When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
3.7.3-3.7.16, 4.0.0-4.4.5
2541212
CM-24894
The maximum-prefix configuration under the IPv4 address family has an optional restart value that you can configure. This configuration is ignored and, instead of restarting the session every x minutes, the peer constantly flaps between Established and Idle because the prefix count is exceeded.
3.7.5-3.7.16, 4.0.0-4.4.5
2541165
CM-24878
On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false.
3.7.6-3.7.16
2541029
CM-24799
On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped.
This issue only affects QinQ configurations.
3.7.5-3.7.16, 4.0.0-4.4.5
2540950
CM-24751
On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status.
Affects: 3.7.3-4.1.1. Fixed: 4.2.0-4.4.5.
2540885
CM-24703
The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports.
3.7.7-3.7.16
2540863
CM-24686
On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number.
3.7.3-3.7.16
2540753
CM-24618
If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
 
ERROR: No closing quotation
See /var/log/netd.log for more details.

3.7.5-3.7.16, 4.0.0-4.4.5
2540444
CM-24473
SNMP incorrectly requires engine ID specification.
3.7.4-3.7.16, 4.0.0-4.4.5
2540352
CM-24435
When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9
net add routing route-map Proxy-ARP permit 30 match interface swp10

3.7.2-3.7.16, 4.0.0-4.4.5
2540340
CM-24426
NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example:

cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address command works correctly.
3.7.4-3.7.16, 4.0.0-4.4.5
2540274
CM-24379
On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route.
3.7.5-3.7.16, 4.0.0-4.4.5
2540204
CM-24350
When links come up after FRR is started, VRF connected routes do not get redistributed.
3.7.4-3.7.16, 4.0.0-4.4.5
2540192
CM-24343
The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value.
3.7.4-3.7.16, 4.0.0-4.4.5
2540155
CM-24332
On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
3.7.3-3.7.16, 4.0.0-4.4.5
2540042
CM-24272
When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface br0.100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# vrrp 1 advertisement-interval
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540041
CM-24271
On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU.
To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface vlan100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540040
CM-24270
Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface swp4
switch(config-if)# vrrp 1 version 2
switch(config-if)# no vrrp 1 preempt
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540031
CM-24262
NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist.
3.7.3-3.7.16, 4.0.0-4.4.5
2539994
CM-24241
When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
 
cumulus@switch:~$ net del bgp neighbor fabric peer-group
'router bgp 65001' configuration does not have 'neighbor fabric peer-group'

3.7.2-3.7.16, 4.0.0-4.4.5
2539962
CM-24222
When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error.
3.7.0-3.7.16, 4.0.0-4.4.5
2539670
CM-24035
On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type.
3.7.2-3.7.16, 4.0.0-4.4.5
2539124
CM-23825
The net add interface ptm-enable command adds no ptm-enable for that interface in the frr.conf file.
Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh.
3.7.2-3.7.16, 4.0.0-4.4.5
2539081
CM-23792
When you delete post-up and pre-down IP peer entries from the /etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.
To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command.
Affects: 3.7.0-3.7.16. Fixed: 4.0.0-4.4.5.
2538875
CM-23696
IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file.
3.7.2-3.7.16
2538790
CM-23665
NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan bridge access . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.
To restore connectivity, remove the VLAN ID from the bridge.
3.7.2-3.7.16, 4.0.0-4.4.5
2538590
CM-23584
When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain.
3.7.2-3.7.16, 4.0.0-4.4.5
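The misplacement above can be confirmed from the installed ruleset rather than from the NCLU configuration. As an added example (not from the release notes or NCLU), the following POSIX shell function scans iptables -S output for rules that match a switch-local destination address but were installed in FORWARD, where they never see switch-bound traffic (which traverses INPUT). The rule listing and the local address 10.0.0.11 are constructed for the demonstration; on a switch, feed it the output of sudo iptables -S and each of the switch's own addresses.

```shell
#!/bin/sh
# Constructed `iptables -S` output (not from the page). The first -A rule is
# placed correctly; the next two filter the switch's own address 10.0.0.11
# from FORWARD, which only carries transit traffic, so they never match.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -s 10.1.1.0/24 -d 10.0.0.11/32 -p tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.1.1.0/24 -d 10.0.0.11/32 -p tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.0.0.11/32 -p tcp --dport 22 -j DROP
-A FORWARD -s 10.2.0.0/16 -d 10.9.9.9/32 -j DROP'

# Print every "-A FORWARD" rule whose -d operand is the given local address.
# iptables -S prints host addresses with a /32 suffix, so compare against that.
misplaced_control_plane_rules() {
    # $1: file holding iptables -S output; $2: a switch-local IPv4 address
    awk -v local="$2/32" '
        $1 == "-A" && $2 == "FORWARD" {
            for (i = 3; i < NF; i++)
                if ($i == "-d" && $(i + 1) == local) { print; break }
        }' "$1"
}

# Number of such rules; anything above 0 means the control-plane ACL is
# not protecting the switch the way its author intended.
count_misplaced() {
    misplaced_control_plane_rules "$1" "$2" | wc -l | tr -d ' '
}

# Demo run against the constructed listing.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$demo"
echo "rules that never see control-plane traffic: $(count_misplaced "$demo" 10.0.0.11)"
misplaced_control_plane_rules "$demo" 10.0.0.11
rm -f "$demo"
```

A DROP that lands in FORWARD is the more dangerous case: the switch stays reachable on the port the ACL was meant to close, and nothing in the commit output says so.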
2538562
CM-23570
On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G.
3.7.2-3.7.16, 4.0.0-4.4.5
2538302
CM-23422
portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.
3.7.0-3.7.16
2538294
CM-23417
If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid.
3.7.0-3.7.16, 4.0.0-4.4.5