Cumulus Linux 4.3 Release Notes
4.3.0 Release Notes
Open issues in 4.3.0
|CM-33240 ||On the Mellanox SN2410 switch, when you restart |
[ 1446.599850] switch 2-0048: HW semaphore is not released
This is a cosmetic issue and does not affect operation of the switch.
|CM-33167 ||On the Mellanox SN4700 switch, if you use the CREDO CABLE with a 4x100 configuration, the system experiences issues accessing the ASIC Thermal sensors.||4.3.0|
|CM-32516 ||When using NCLU to add new BGP neighbors to existing configurations, the existence of address-family statements is ignored and the neighbors are added at the end of these lines. This might cause a problem if you try to activate these new neighbors in any of the existing address-family configurations.|
To work around this issue, configure the new BGP neighbors with vtysh.
|CM-32055 ||During a graceful restart of a peer router, if the link between the local system (Helper) and the restarting router flaps, the stale routes announced by the restarting router are no longer used for forwarding by the Helper router even though they remain in the BGP RIB.||4.3.0|
|CM-28249 ||On the Mellanox switch, when you modify the buffer and queue configuration without restarting ||4.0.0-4.3.0|
|CM-28080 ||TACACS+ through ClearPass is not currently supported. Cumulus Linux sends authorization before authentication, but ClearPass does not accept an authorization before the user is authenticated.||3.7.11-126.96.36.199, 4.0.0-4.3.0|
|CM-21678 ||On a Dell switch with a Maverick ASIC, NetQ might receive false alerts like the following via PagerDuty:|
This message might occur as a result of a timeout at the hardware level, or the switch might be reporting a failure to get a response.
|CM-20508 ||The Cumulus-Resource-Query-MIB defines the ability to gather buffer utilization status but when these objects are polled, they return nothing.||3.5.3-188.8.131.52, 4.0.0-4.3.0|
|CM-20033 ||The VLAN interface stays up even though the physical link carrying the VLAN is admin or carrier down||3.5.2-184.108.40.206, 4.0.0-4.3.0|
|CM-15812 ||Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs.||3.2.1-220.127.116.11, 4.0.0-4.3.0|
|2690100 ||When you run the vtysh |
vtysh: error reading from bgpd: Success (0)
Warning: closing connection to bgpd because of an I/O error!
spine01# show bgp vrf all ipv6 unicast statistics
vtysh: error reading from bgpd: Success (0)
Warning: closing connection to bgpd because of an I/O error!
To work around this issue, run the command against each VRF independently.
|2687160 ||CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332: Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed|
Vulnerable: 0.6.1-2; Fixed: 0.6.1-2+deb10u1
|2685584 ||A host migrated to an 802.1x port within the same broadcast domain does not have the correct static FDB entry installed if a dynamic FDB entry for that MAC address exists from previous connectivity in the broadcast domain.||4.2.1-4.3.0|
|2684418 ||If you configure items in a VRF that has been created, deleted, then re-created, ||4.3.0|
|2682976 ||CVE-2021-28902, CVE-2021-28903, CVE-2021-28904, CVE-2021-28905, CVE-2021-28906: Several vulnerabilities have been announced in libyang that can cause a crash|
Vulnerable: <= 1.0.184-2+cl4.3.0u1
|2682973 ||CVE-2020-12762: integer overflow in the json-c JSON library, which could result in denial of service or potentially the execution of arbitrary code if large malformed JSON files are processed|
|2682780 ||Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly|
To work around this issue, add the MAC access list configuration to the end of the
|2679950 ||CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash|
Vulnerable: <= 4.3.1-6-cl3.7.14u1; Fixed: 4.3.1-6-cl3.7.16u1
|CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 CVE-2020-25687: Several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server, could result in denial of service, cache poisoning or the execution of arbitrary code.||4.0.0-4.3.0|
|2671668 ||CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code|
Vulnerable: <= 1.14.2-2+deb10u3; Fixed: 1.14.2-2+deb10u4
|2671381 ||Remote MAC addresses in zebra are out of sync with |
The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP.
|The following CVEs were announced for rsyslog:|
rsyslogd, when receiving remote log messages (not enabled by default on Cumulus Linux) with the pmaixforwardedfrom or pmcisconames optional log parsers (also not enabled by default on Cumulus Linux), is vulnerable to CVE-2019-17041 and CVE-2019-17042, where malicious messages that appear to be from AIX or Cisco respectively may be caused to skip sanity checks, resulting in incorrect negative lengths causing heap overflows.
Do not enable receiving syslog messages from other hosts by the network (with $UDPServerRun or $InputTCPServerRun). Also, do not enable (with $ModLoad) the vulnerable parsers pmaixforwardedfrom or pmcisconames. The default /etc/rsyslog.conf file on Cumulus Linux does not enable any of these.
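To verify that a configuration meets the conditions above, here is an added example (not Cumulus Linux's own tooling) that audits rsyslog configuration text for the directives named in this note; going beyond the note, it also recognises the equivalent RainerScript forms, and the sample configuration is constructed.

```python
"""Audit an rsyslog configuration for remote reception and the vulnerable parsers.

Added example, not Cumulus Linux tooling. It flags the legacy directives the
note names ($UDPServerRun, $InputTCPServerRun, $ModLoad of pmaixforwardedfrom
or pmcisconames) and, beyond the note, the equivalent RainerScript forms
(module(load="imudp"), input(type="imtcp" ...)). The sample config is constructed.
"""
import re
from typing import List

# rsyslog legacy directive names are case-insensitive.
_REMOTE_INPUT_DIRECTIVES = {"$udpserverrun", "$inputtcpserverrun"}
_REMOTE_INPUT_MODULES = {"imudp", "imtcp"}
_VULNERABLE_PARSERS = {"pmaixforwardedfrom", "pmcisconames"}  # CVE-2019-17041 / CVE-2019-17042

_MODLOAD = re.compile(r"^\$modload\s+(\S+)", re.IGNORECASE)
_RAINER_MODULE = re.compile(r'module\s*\(\s*load\s*=\s*"([^"]+)"', re.IGNORECASE)
_RAINER_INPUT = re.compile(r'input\s*\(\s*type\s*=\s*"([^"]+)"', re.IGNORECASE)


def _module_name(token: str) -> str:
    """Normalise 'imudp', 'imudp.so' or '/usr/lib/rsyslog/imudp.so' to 'imudp'."""
    return token.rsplit("/", 1)[-1].split(".", 1)[0].lower()


def audit_rsyslog(config_text: str) -> List[str]:
    """Return one finding per line that enables remote reception or loads a vulnerable parser."""
    findings: List[str] = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or comment line
            continue
        if line.split()[0].lower() in _REMOTE_INPUT_DIRECTIVES:
            findings.append(f"line {lineno}: remote syslog reception enabled: {line}")
        modules = []
        m = _MODLOAD.match(line)
        if m:
            modules.append(_module_name(m.group(1)))
        for pattern in (_RAINER_MODULE, _RAINER_INPUT):
            modules.extend(_module_name(name) for name in pattern.findall(line))
        for mod in modules:
            if mod in _VULNERABLE_PARSERS:
                findings.append(f"line {lineno}: vulnerable parser {mod} loaded: {line}")
            elif mod in _REMOTE_INPUT_MODULES:
                findings.append(f"line {lineno}: network input module {mod} enabled: {line}")
    return findings


# Constructed sample: risky directives plus one that is commented out.
SAMPLE_CONFIG = """\
$ModLoad imuxsock
$ModLoad imklog
#$ModLoad imudp
$UDPServerRun 514
$ModLoad pmaixforwardedfrom
module(load="imtcp")
input(type="imtcp" port="514")
*.* /var/log/syslog
"""

if __name__ == "__main__":
    for finding in audit_rsyslog(SAMPLE_CONFIG):
        print(finding)
```

A default Cumulus Linux /etc/rsyslog.conf, per the note above, should produce no findings.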
|OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf.|
This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper.
|The following CVEs were announced that affect the libssh package:|
CVE-2019-14889 has been announced in the libssh library, where unsanitized user-provided scp command lines could allow an attacker to execute arbitrary commands on the server.
The libssh library is not installed on Cumulus Linux by default, but is available in the Cumulus Linux 4 repository for optional installation. Note that libssh is distinct from libssh2 and openssh, which are present on the switches and in the repositories.
See the following for more information:
|2669073 ||On Spectrum, Spectrum-2, and Spectrum-3 switches, the |
To work around this issue, start the MST service with the
|2668483 ||If you update the MAC address of an SVI using ||3.7.14-3.7.15, 4.3.0|
|2666839 ||CVE-2021-31535: missing length validation in various functions provided by libx11, the X11 client-side library, allows injection of X11 protocol commands into X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code|
Vulnerable: <= 1.6.7-1+deb10u1; Fixed: 1.6.7-1+deb10u2
|2663480 ||CVE-2021-3520: integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption|
Vulnerable: 1.8.3-1; Fixed: 1.8.3-1+deb10u1
|2656530 ||CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file|
Vulnerable: 2.40.1-6; Fixed: 2.40.1-6+deb10u1
|2654715 ||The ||4.2.0-4.3.0|
|2653493 ||After running the |
To work around this issue, run the
|The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged.||3.7.8-18.104.22.168, 4.0.0-4.3.0||3.7.15|
|2644054 ||The following vulnerabilities have been announced in BIND:|
CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service
CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query
CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u4; Fixed: 9.11.5.P4+dfsg-5.1+deb10u5
|2639303 ||When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following:||4.3.0|
ERROR: 'NoneType' object has no attribute 'conf_key_value_multiple_values'
See /var/log/netd.log for more details.
|2638106 ||The NCLU ||4.3.0|
|2633062 ||The following vulnerability affects the libgstreamer-plugins-base1.0-0 package. There is no CVE yet; the Debian advisory number is DSA-4903-1|
Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened
Vulnerable: 1.14.4-2; Fixed: 1.14.4-2+deb10u1
|2632379 ||When you upgrade the switch with ||4.3.0|
|2628515 ||CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service|
Vulnerable: <= 2.8.0-cl3.7.15u2; Fixed: 2.8.0-cl3.7.15u3
|2618227 ||The NCLU ||4.3.0|
|2617001 ||CVE-2021-26933 CVE-2021-27379: Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or memory disclosure|
Vulnerable: < 4.11.4+99-g8bce4698f6-1; Fixed: 4.11.4+99-g8bce4698f6-1
Vulnerable: 1.9.1~dfsg-1; Fixed: 1.9.1~dfsg-1+deb10u1
|2616988 ||CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845: Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image|
Vulnerable: <= 2.3.0-2+deb10u1; Fixed: 2.3.0-2+deb10u2
|2616977 ||Multiple vulnerabilities were discovered in cURL, a URL transfer library:|
CVE-2020-8169: partial password leak to DNS servers
CVE-2020-8177: malicious server could cause curl -J -i to overwrite a local file
CVE-2020-8231: libcurl with CURLOPT_CONNECT_ONLY information leak due to wrong connection
CVE-2020-8284: PASV response could trick curl into connecting back to an arbitrary IP address and port
CVE-2020-8285: libcurl could run out of stack space using FTP wildcard matching (CURLOPT_CHUNK_BGN_FUNCTION)
CVE-2020-8286: failure to verify that OCSP response matches intended certificate
CVE-2021-22876: libcurl did not strip user credentials from URL when populating Referer HTTP request header
CVE-2021-22890: libcurl using HTTPS proxy with TLS1.3 could use the wrong session ticket and bypass server TLS certificate check
Vulnerable: <= 7.64.0-4+deb10u1; Fixed: 7.64.0-4+deb10u2
|2616968 ||CVE-2021-28957: lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack|
Vulnerable: <= 4.3.2-1+deb10u2; Fixed: 4.3.2-1+deb10u3
|2616965 ||CVE-2021-27291: Pygments, a syntax highlighting package written in Python 3, used regular expressions which could result in denial of service|
Vulnerable: <= 2.3.1+dfsg-1+deb10u1; Fixed: 2.3.1+dfsg-1+deb10u2
|2616955 ||CVE-2021-3449: A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service|
Vulnerable: <= 1.1.1d-0+deb10u5; Fixed: 1.1.1d-0+deb10u6
|2614016 ||The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module.||4.2.0-4.3.0|
|2578872 ||CVE-2021-20270: It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service|
Vulnerable: 2.3.1+dfsg-1; Fixed: 2.3.1+dfsg-1+deb10u1
|2578870 ||CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed|
Vulnerable: <= 4.1.0+git191117-2~deb10u1; Fixed: 4.1.0+git191117-2~deb10u2
|2578814 ||On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap.||4.3.0|
|2574368 ||When you run the NCLU |
To work around this issue, either use the
|2566880 ||CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.||3.7.14-22.214.171.124, 4.0.0-4.3.0||3.7.15|
|2564839 ||Several vulnerabilities have been discovered in the GRUB2 bootloader:|
CVE-2020-14372: It was discovered that the acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled
CVE-2020-25632: A use-after-free vulnerability was found in the rmmod command
CVE-2020-25647: An out-of-bound write vulnerability was found in the grub_usb_device_initialize() function, which is called to handle USB device initialization
CVE-2020-27749: A stack buffer overflow flaw was found in grub_parser_split_cmdline
CVE-2020-27779: It was discovered that the cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled
CVE-2021-20225: A heap out-of-bounds write vulnerability was found in the short form option parser
CVE-2021-20233: A heap out-of-bound write flaw was found caused by mis-calculation of space required for quoting in the menu rendering.
|2558184 ||The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with ||3.7.11-3.7.15, 4.1.1-4.3.0|
|When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP.|
To work around this issue, disable ARP suppression.
|CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.|
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1
|CVE-2021-26937: A flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation, can result in denial of service, or potentially the execution of arbitrary code, via a specially crafted UTF-8 character sequence.|
|CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets.|
Vulnerable: <= 2.4.47+dfsg-3+deb10u5
|DSA-4859-1 (no CVE): zstd, a compression utility, was vulnerable to a race condition: it temporarily exposed, during a very short timeframe, a world-readable version of its input even if the original file had restrictive permissions.|
Vulnerable: <= 1.3.8+dfsg-3+deb10u1
To work around this issue, run the
|In a configuration with both traditional and vlan-aware bridges, the VLAN membership check on a vlan-aware switch does not drop PVST BPDUs that come from a traditional bridge.||3.7.14-126.96.36.199, 4.0.0-4.3.0||3.7.15|
|CVE-2020-8625: A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code.|
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u2
|The following vulnerabilities have been announced in the openssl packages:|
CVE-2021-23840: Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.
CVE-2021-23841: The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.
CVE-2019-1551: There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.
Vulnerable: <= 1.1.1d-0+deb10u4
|CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.|
Vulnerable: <= 2.8.90-1-cl4u5
|DSA-4850-1 (no CVE): libzstd adds read permissions to files while being compressed or uncompressed.|
|Cumulus Linux does not support bond members at 200G or greater.||4.0.0-4.3.0|
|CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230: Several vulnerabilities were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash, infinite loops) via specially crafted packets.|
Vulnerable: <= 2.4.47+dfsg-3+deb10u4
|If you use NCLU to configure an ACL for eth0, you can’t designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the |
To work around this issue, manually create an ACL in the
|In vtysh you can enable and disable debugs from either exec mode or global configuration mode (config t). When disabling OSPF debugs from exec mode, the debug is disabled at runtime but left in the running-configuration.|
To work around this issue, disable OSPF debugs from global configuration mode (config t).
|On a Mellanox switch, the ||4.3.0|
|The NCLU ||4.2.1-4.3.0|
|You cannot set the time zone with NCLU commands.||4.1.1-4.3.0|
|On Edgecore AS4610 switches, the historic CPU usage displayed in ||3.7.12-3.7.15, 4.2.1-4.3.0|
|On Mellanox switches, you can’t ping the SVI of the MLAG peer over the peer link after the packet is VXLAN decapsulated.||4.2.1-4.3.0|
|On Mellanox switches, egress ACLs with VLAN keys do not filter layer 2 multicast or broadcast traffic.||4.3.0|
|The NCLU |
To work around this issue, use the FRR command to delete a neighbor.
The correct NCLU command to disable IPv6 forwarding is
|If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the |
This error has no functional impact.
|If the RMAC of a layer 3 SVI changes, the ||4.2.1-4.3.0|
|On the Mellanox SN3700C switch, PIM multicast packets are duplicated at the egress VTEP.||4.2.0-4.3.0|
|If you apply an outbound route map to a BGP peer that uses |
This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes.
|The IP address specified in the |
To work around this issue, configure
|On switches with the Maverick ASIC, control traffic is dropped due to receive buffering.||4.2.0-4.3.0|
|On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms).||4.0.0-4.3.0|
|Kernel routes added by |
To work around this issue, configure a static route in FRR.
|In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart.||4.2.0-4.3.0|
|The NCLU command to enable bridge learning fails.|
As a workaround, enable bridge learning in the
|MLAG packets received on the peer link are dropped instead of routed.||4.2.0-4.3.0|
|The output of the ||4.2.1-4.3.0|
|When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as |
To work around this issue, remove the DEFAULT user from the TACACS+ server.
|When you configure an SNMPv3 user with the |
To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:
Alternatively, directly edit the
|The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.|
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.
|When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a |
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool.
|If a neighbour contains a special character in PortID for LLDP, the ||3.7.10-3.7.15, 4.2.0-4.3.0|
|On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.|
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the
|On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the |
To work around this issue, use NCLU to configure RoCE with PFC or list individual ports in the
|The following messages are seen on an Edgecore Minipack-AS8000 running Cumulus Linux 4.2.0:|
These messages are for internal validation purposes only and can be safely ignored.
|NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.||3.7.12-3.7.15, 4.0.0-4.3.0|
|OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files.|
The two scenarios where an exploit may be useful to an attacker:
- The user is authorized to
- An attacker plants a maliciously named file in a directory tree that someone later uses
Be aware that restricting users to
If you want to use
To disable scp completely, use
|2552214 ||The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with ||3.7.11-3.7.14, 4.1.1-4.3.0||188.8.131.52-3.7.15|
|2552213 ||The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with ||3.7.11-184.108.40.206, 4.1.1-4.3.0||3.7.15|
|If you modify an interface name, then reuse the previous interface name for a different VLAN, the ||4.1.0-4.3.0|
|When you configure a bridge in the ||3.7.12-3.7.15, 4.0.0-4.3.0|
|If you toggle VRRP priority values between VRRP routers, then restart |
To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands.
|When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ||4.0.0-4.3.0|
|The ||3.7.12-3.7.15, 4.1.0-4.3.0|
|On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux.||4.1.0-4.3.0|
|On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured.||3.7.11-3.7.15, 4.1.1-4.3.0|
|The NCLU ||3.7.12-3.7.15, 4.0.0-4.3.0|
|Configuring the subinterface of a VXLAN uplink under another traditional bridge, which also has the VXLAN VNI enslaved, causes |
To work around this issue, do not enslave the subinterface of a VXLAN layer 3 uplink under a traditional bridge in a VXLAN configuration.
|2550704 ||On the Mellanox SN3420 switch, 25G SR optics only link up in force mode.||4.3.0|
|Multiple paths to identical EVPN prefixes are either not displayed or not accepted into the l2vpn evpn table if they are received from a different AS.||3.7.12-3.7.15, 4.1.1-4.3.0|
|Tab completion for the |
To work around this issue, run the
To work around this issue, look for your string in the output of the
|When you use |
To work around this issue, comment out the
|The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:||3.7.12-3.7.15, 4.1.1-4.3.0|
|When you run an Ansible script to replace the |
To work around this issue, run the
|If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, ||3.7.12-3.7.15, 4.1.1-4.3.0|
|The JSON format output of the ||3.7.12-3.7.15, 4.0.0-4.3.0|
|When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:||3.7.12-3.7.15, 4.1.1-4.3.0|
|When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the |
To work around this issue, manually edit the
|When Optimized Multicast Flooding (OMF) is enabled with the ||3.7.11-3.7.15, 4.0.0-4.3.0|
|On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic.||4.1.1-4.3.0|
|The following security advisory has been announced for bash:|
CVE-2019-18276 Qualys scan QID 372268 setuid vulnerability
When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use
To work around this issue, do not make bash or bash scripts
|On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules.||3.7.3-3.7.15, 4.0.0-4.3.0|
|On the Mellanox SN3800 switch, 4x25G DAC breakouts are not supported.||4.1.0-4.3.0|
|In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX.||3.7.12-3.7.15, 4.0.0-4.3.0|
|When ports are split to 4x25G, RS FEC needs to be explicitly configured on both ends (especially when interoperating with non-Mellanox switches).||4.1.0-4.3.0|
|On the Mellanox SN3800 switch, links do not come up when the ports are configured for 40G.||4.1.0-4.3.0|
|CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs|
Vulnerable: 2.9.4+dfsg1-7; Fixed: 2.9.4+dfsg1-7+deb10u1
|QinQ across VXLAN on a traditional bridge does not work.||4.1.0-4.3.0|
|When you configure ganged ports in the |
To work around this issue, reboot the switch.
|When you restart the ||4.0.0-4.3.0|
|The FRR service does not provide a way for automation to know if the configuration applied properly.|
To work around this issue, execute the
|If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the |
systemd: switchd.service watchdog timeout (limit 2min)!
To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the
To increase the
2. Restart the
|On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the ||4.0.0-4.3.0|
|If you use the NCLU commands to configure NTP and run the |
To work around this issue, run the
|The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages.||3.7.10, 4.0.0-4.3.0||3.7.11-3.7.15|
|On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported.||4.0.0-4.3.0|
|On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power.||4.0.0-4.3.0|
|If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address.||3.7.10-3.7.15, 4.0.0-4.3.0|
|If you delete an undefined bond, then add a bond slave, the ||3.7.9-3.7.15, 4.0.0-4.3.0|
|FRR configuration commands for an SVI interface might have the |
To work around this issue, configure the interface manually in the
|NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge.||4.0.0-4.3.0|
|When you update the hostname of a switch with the NCLU |
To work around this issue, run the
|When you run the NCLU ||4.0.0-4.3.0|
|Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link.||3.7.6-3.7.10, 4.0.0-4.3.0||3.7.11-3.7.15|
|Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with |
To work around this issue, do not use auto-negotiation and set the local port speed to 10G.
|The NCLU ||3.7.9-3.7.15, 4.0.0-4.3.0|
|Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host.||3.7.5-3.7.15, 4.0.0-4.3.0|
|NCLU requires you to specify an interface with multiple ||3.7.5-3.7.15, 4.0.0-4.3.0|
|MAC learning is not disabled by default on a double-tagged peer link interface, resulting in the MAC address changing between the MLAG bond and the peer link.|
To work around this issue, disable MAC learning on QinQ VLANs by adding
|An interface alias configured outside FRR using |
To work around this issue, remove the interface alias description from
|On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address.||3.7.8-3.7.15, 4.0.0-4.3.0|
|The ||3.7.8-3.7.15, 4.0.0-4.3.0|
|On the Dell S5248F-ON switch, ||3.7.6-3.7.11, 4.0.0-4.3.0||3.7.12-3.7.15|
|NCLU does not allow you to configure OSPF NSSAs. For example:|
To work around this issue, use FRR instead. For example:
|If a hostname contains utf-8 characters, the NCLU ||3.7.7-3.7.10, 4.0.0-4.3.0||3.7.11-3.7.15|
|In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case).||3.7.6-3.7.15, 4.0.0-4.3.0|
|In some cases, the ||3.7.0-3.7.15, 4.0.0-4.3.0|
|The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The |
To work around this issue, change the MTU on all SVIs and the bridge manually in the
|When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the ||3.7.6-3.7.15, 4.0.0-4.3.0|
|On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.|
To work around this issue, configure the bridge with
|On Mellanox switches, policer iptables rules do not work as expected. For example, when you use a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule.||3.7.6-3.7.8, 4.0.0-4.3.0||3.7.9-3.7.15|
|If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the ||3.7.6-3.7.15, 4.0.0-4.3.0|
|When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.||3.7.3-3.7.15, 4.0.0-4.3.0|
|The ||3.7.5-3.7.15, 4.0.0-4.3.0|
|On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped.|
This issue only affects QinQ configurations.
|If the interface alias contains a single or double quotation mark, or an apostrophe, the |
|SNMP incorrectly requires engine ID specification.||3.7.4-3.7.15, 4.0.0-4.3.0|
|When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.|
For example, this command is incorrect:
These commands are correct:
|NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the |
Tab completion for the
|On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route.||3.7.5-3.7.15, 4.0.0-4.3.0|
|When links come up after FRR is started, VRF connected routes do not get redistributed.||3.7.4-3.7.15, 4.0.0-4.3.0|
To work around this issue, use the
|On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.||3.7.3-3.7.15, 4.0.0-4.3.0|
|When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the |
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
|On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU.|
To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
|Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:|
|NCLU does not honor ||3.7.3-3.7.15, 4.0.0-4.3.0|
|When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:|
|When an LDAP user that does not have NCLU privileges (either in the ||3.7.0-3.7.15, 4.0.0-4.3.0|
|On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type.||3.7.2-3.7.15, 4.0.0-4.3.0|
|NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run |
To restore connectivity, remove the VLAN ID from the bridge.
|When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain.||3.7.2-3.7.15, 4.0.0-4.3.0|
|On an RMP/1G-T switch, when you remove |
After you remove the link-speed,
To work around this issue and bring the interface back up, either restart
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G.
|If you use NCLU to create an iBGP peering across the peer link, running the ||3.7.0-3.7.15, 4.0.0-4.3.0|
|There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the |
|If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.||4.0.0-4.3.0|
|The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.||3.7.0-3.7.15, 4.0.0-4.3.0|
|For an unresolved address, the IPROUTER default policer rule has been modified to not match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets.|
These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
|On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes.||4.0.0-4.3.0|
|On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working.||3.7.0-3.7.15, 4.0.0-4.3.0|
|At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in |
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a
|On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.|
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic.
|The source address of the ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF.||4.0.0-4.3.0|
|FRR does not add BGP |
To work around this issue, add
To work around this issue, use
|Span rules matching the out-interface as a bond do not mirror packets.||4.0.0-4.3.0|
|If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the |
To work around this issue, correct the bridge VIDs and restart
|PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default ||4.0.0-4.3.0|
|When you use NCLU to bring a bond admin down (|
To work around this issue, use the
|In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet.|
To work around this issue, change the value of
Fixed Issues in 4.3.0
|CM-30832 ||The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with ||3.7.11-3.7.14, 4.1.1-4.2.1|
|Interfaces configured to get an IP address with DHCP try only three times to secure a DHCP lease (instead of retrying indefinitely). If unsuccessful after the third try, the switch stops trying.||4.2.1|
|In a traditional bridge configuration with ||3.7.10-220.127.116.11, 4.0.0-4.2.1|
|Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address.||3.7.12-18.104.22.168, 4.0.0-4.2.1|
|If ||3.7.12-22.214.171.124, 4.0.0-4.2.1|
|On the Mellanox SN-4700 switch, when you use a 2x100G configuration, the links do not come up.|
|CVE-2021-3156: A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug.|
Vulnerable: <= 1.8.27-1+deb10u2
|The following vulnerability affects lldpd:|
CVE-2020-27827: A packet that contains multiple instances of certain TLVs will cause lldpd to continually allocate memory and leak the old memory. As an example, multiple instances of system name TLV will cause old values to be dropped by the decoding routine.
|When you run any of the vtysh ||4.2.1|
|On Broadcom switches, after repeated VLAN or VXLAN configuration changes, ||3.7.14, 4.0.0-4.2.1|
|The following vulnerabilities were announced in the p11-kit (libp11-kit0) packages:|
CVE-2020-29361: Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.
CVE-2020-29362: A heap-based buffer over-read has been discovered in the RPC protocol used by the p11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation.
CVE-2020-29363: A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value.
|The NET-SNMP-EXTEND-MIB, disabled in Cumulus Linux 4.2.1 and 3.7.14 to prevent security vulnerability CVE-2020-15862, is re-enabled read-only.||3.7.14-126.96.36.199, 4.2.1|
|You cannot delete a BGP community list created with NCLU.||4.2.1|
|QinQ (802.1Q) packets routed to a layer 3 subinterface are still double tagged with the VLAN of the subinterface and the original inner VLAN when they leave the subinterface.||4.2.0-4.2.1|
|In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer’s ARP policer.|
To work around this issue, increase the burst value of the ARP policers to 200 or higher.
|CVE-2020-29479 CVE-2020-29480 CVE-2020-29481 CVE-2020-29482 CVE-2020-29483 CVE-2020-29484 CVE-2020-29485 CVE-2020-29486 CVE-2020-29566 CVE-2020-29570 CVE-2020-29571|
Several security issues affecting Xenstore could result in cross domain access (denial of service, information leaks or privilege escalation) or denial of service against xenstored.
Additional vulnerabilities could result in guest-to-host denial of
Vulnerable: <= 4.11.4+57-g41a822c392-1
|On Broadcom switches, when WARN level ||3.7.14|
|When you change the SVI |
This operation is not supported in the kernel without recreating the SVI. To apply the change, run
|Broadcom switches running Cumulus Linux do not support EVPN Multihoming. When a BGP update with EVPN multihoming attributes is received, |
EVPN Multihoming is supported on Mellanox switches only.
|On the Edgecore AS7312 switch, eth0 and swp use the same MAC address.||3.7.14-188.8.131.52, 4.0.0-4.2.1|
|When you start ||4.2.1|
|CVE-2020-27350: Missing input validation in the ar/tar implementations of APT, the high level package manager, could cause out-of-bounds reads or infinite loops, resulting in denial of service when processing malformed deb files.|
CVE-2020-27351: Various memory and file descriptor leaks were discovered in the Python interface to the APT package management runtime library, which could result in denial of service.
Vulnerable: apt <= 184.108.40.206, python-apt <= 220.127.116.11
Fixed: apt 18.104.22.168, python-apt 22.214.171.124
|The following vulnerability has been announced in OpenSSL:|
CVE-2020-1971: A flaw in the GENERAL_NAME_cmp() function could cause a NULL dereference when both GENERAL_NAMEs contain an EDIPARTYNAME, resulting in denial of service. More information can be found at https://www.openssl.org/news/secadv/20201208.txt.
Vulnerable: <= 1.1.1d-0+deb10u3
|CVE-2020-27670 CVE-2020-27671 CVE-2020-27672 CVE-2020-27674 CVE-2020-28368: Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or information leaks.|
Vulnerable: < 4.11.4+57-g41a822c392-1
|An EVPN route map filter matching a VNI on egress on the originating router might not set a large-community correctly:|
To work around this issue, remove the VNI match to allow the tag to be applied on egress.
The VNI match works if applied at some other non-originating router either in the ingress or egress direction.
|CVE-2020-8927: A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. If one cannot update to a fixed version, we recommend using the "streaming" API as opposed to the "one-shot" API, and imposing chunk size limits.|
|When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes.|
To work around this issue, either shut down one side of the MLAG bond or prune out VLANS over the bond.
|CVE-2020-28196: MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.|
|On the Mellanox SN3420 switch, 1000BaseT and 1000Base-SX/LX modules do not link up.||4.2.1|
|CVE-2020-25709, CVE-2020-25710: Two vulnerabilities in the certificate list syntax verification and in the handling of CSN normalization were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash) via specially crafted packets.|
Vulnerable: <= 2.4.47+dfsg-3+deb10u3
|Some non-Mellanox Ethernet modules do not link up on the Mellanox SN3420 switch with Cumulus PSID in the Hardware revision. To see if a Mellanox SN3420 switch has the Cumulus PSID, check the output of |
To work around this issue, use Mellanox Ethernet modules with the Mellanox SN3420 switch,
|After you reboot a Broadcom switch, |
To work around this issue, configure Cumulus Linux to boot with the kernel command option intel_iommu=off:
a) Open the file /etc/default/grub with a text editor.
b) Edit the variable GRUB_CMDLINE_LINUX by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"
c) Run the command update-grub.
d) Reboot the switch.
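The GRUB edit in the workaround above is easy to get wrong by hand (a duplicated parameter, or a parameter placed outside the closing quote). The following script is an added example, not part of the release notes or of Cumulus Linux; the function names grub_cmdline_has and grub_add_param are hypothetical. It appends a kernel parameter to GRUB_CMDLINE_LINUX only if that exact parameter is not already present, so it is safe to re-run, and it assumes the file holds a single double-quoted GRUB_CMDLINE_LINUX assignment whose value contains no `|` or `&` characters. The demo at the bottom runs on a constructed copy of the file; on a real switch you would point it at /etc/default/grub, then run update-grub and reboot as the workaround describes.

```shell
#!/bin/sh
# Added example: idempotently add a kernel parameter to GRUB_CMDLINE_LINUX
# in a GRUB defaults file. Hypothetical helper names, not a Cumulus tool.

# grub_cmdline_has FILE PARAM
# Return 0 if PARAM is already one of the space-separated words in the
# GRUB_CMDLINE_LINUX value of FILE, 1 otherwise. Matches whole words, so
# intel_iommu=off does not match intel_iommu=offx.
grub_cmdline_has() {
    file=$1
    param=$2
    value=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$file" | tail -n 1)
    for word in $value; do
        [ "$word" = "$param" ] && return 0
    done
    return 1
}

# grub_add_param FILE PARAM
# Append PARAM inside the quotes of GRUB_CMDLINE_LINUX, creating the
# assignment if the file has none. Re-running with the same PARAM is a no-op.
grub_add_param() {
    file=$1
    param=$2
    if grub_cmdline_has "$file" "$param"; then
        return 0
    fi
    value=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$file" | tail -n 1)
    if grep -q '^GRUB_CMDLINE_LINUX="' "$file"; then
        # Keep the existing value, add a separating space only when non-empty.
        if [ -n "$value" ]; then
            new="$value $param"
        else
            new="$param"
        fi
        # Rewrite the assignment line in place via a temp file (portable,
        # no reliance on GNU sed -i). Assumes the value has no '|' or '&'.
        tmp=$(mktemp)
        sed "s|^GRUB_CMDLINE_LINUX=\".*\"\$|GRUB_CMDLINE_LINUX=\"$new\"|" "$file" > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$param" >> "$file"
    fi
}

# Demo on a constructed copy of /etc/default/grub (sample content, not a
# real switch file). Real usage: grub_add_param /etc/default/grub intel_iommu=off
demo_file=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8"\n' > "$demo_file"
grub_add_param "$demo_file" intel_iommu=off
grub_add_param "$demo_file" intel_iommu=off   # second call changes nothing
grep '^GRUB_CMDLINE_LINUX=' "$demo_file"
rm -f "$demo_file"
```

After the assignment is updated, update-grub still has to regenerate the boot configuration and the switch has to be rebooted; the script deliberately stops short of that so it can be verified on a scratch file first.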
|In an EVPN multihoming configuration, reloading FRR causes brief traffic loss.||4.2.1|
|On the Mellanox SN3700C switch, running ||4.2.1|
|On the Dell S5048F-ON switch, optical transceivers do not come up and the modules are in reset mode.||4.0.0-4.2.1|
|If you try to reconfigure a DHCP server after you delete the switch configuration with the |
To work around this issue, edit the
|CVE-2020-25692: A vulnerability in the handling of normalization with modrdn was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can use this flaw to cause a denial of service (slapd daemon crash) via a specially crafted packet.|
The slapd package is not present in the image or repository, although the OpenLDAP libraries are present.
Vulnerable: <= 2.4.47+dfsg-3+deb10u2
|If the peer link does not trunk all VLANs on an MLAG bond, all FDB entries learned through that MLAG bond are not redirected over the peer link when the MLAG bond goes down. As a result, traffic destined to the MAC addresses that arrives on the MLAG peer with the downed MLAG port is dropped.|
To work around this issue, ensure that the peer link trunks all VLANs that exist on all MLAG bonds.
|On the Mellanox SN4600C switch, the fan speed fluctuates when only one PSU is plugged in.|
To work around this issue, use both PSUs.
|Certain Dell S4048-ON switches show an incorrect vendor name and hang when you issue the ||3.7.12-4.2.1|
|The INPUT chain POLICE target acts as ACCEPT instead of continue.||4.2.1|
|The following vulnerability has been announced in freetype:|
CVE-2020-15999: Sergei Glazunov discovered a heap-based buffer overflow vulnerability in the handling of embedded PNG bitmaps in FreeType. Opening malformed fonts may result in denial of service or the execution of arbitrary code.
Vulnerable: <= 2.9.1-3+deb10u1
|With traditional bridges, a race condition occurs when Cumulus Linux tries to derive MAC addresses.|
To work around this issue, use a static MAC address; specify a MAC address in the
|A security issue was discovered in the MariaDB database server.|
|After upgrading the Mellanox SN2410 switch, the FAN is set to full speed.||4.2.1|
|When you back up and restore a configuration using the conf-backup utility, the switch might hang when rebooted.||4.1.1-4.2.1|
|CVE-2020-14355: Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1.|
Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution.
|On Mellanox Spectrum based switches running 4.1.0 or higher, if FORWARD chain ACLs are configured on the system, a switch port breakout action applied with a reload of the switchd service may cause switchd to crash.||4.2.0-4.2.1|
|Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, guest-to-host privilege escalation or information leaks. These include the following: CVE-2020-25595, CVE-2020-25596, CVE-2020-25597, CVE-2020-25599, CVE-2020-25600, CVE-2020-25601, CVE-2020-25602, CVE-2020-25603, CVE-2020-25604.|
Vulnerable: < 4.11.4+37-g3263f257ca-1
|On switches with the Spectrum ASIC, the IPv6 default route might be present in the kernel but missing in hardware when IPv6 RAs are received on SVIs configured with ||3.7.11-126.96.36.199, 4.2.1|
|The next hop for static routes configured in a non-default VRF might be incorrectly flagged as inactive. Remove and reconfigure the static VRF route to recover from this condition.||4.2.1|
|A ping via a dual-connected bond fails, and the audio stream is not routed or encapsulated through the layer 3 VNI.||3.7.12-3.7.13, 4.0.0-4.2.1|
|Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn’t exist.|
To work around this issue, disable IGMP snooping on the switch.
|After a MAC address moves from one remote VTEP to another, the MAC address continues to point to the old VTEP IP address in hardware.||4.1.1-4.2.1|
|In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.|
To work around this issue, restart FRR with the
|Digital Optical Monitoring (DOM) Data is displayed incorrectly on SFP fiber modules inserted in the Fiberstore N8500-48B6C, Celestica Questone, and Celestica RedstoneV switches.||4.2.0-4.2.1|
|On the Dell N3248-PXE switch, when you insert two PSUs at different times, the newly inserted PSU is detected as OK but the fan and temp sensors are ABSENT.|
To work around this issue, remove power to both PSUs at the same time, then reinsert power simultaneously.
|When you delete a layer 2 VNI and VLAN, the layer 3 VNI reports an incorrect layer 2 VNI number.|
To work around this issue, either restart FRR or delete the VNI interface first, then delete the VLAN/SVI.
|Leaked routes are sometimes missing from the destination VRF after a reboot.||4.2.0-4.2.1|
|On the Dell N3248PXE switch, RJ45 fixed copper ports that auto-negotiate with a 100M or 10M neighbor incorrectly negotiate a half-duplex link that generates errors. Half-duplex modes are not supported on this platform.||3.7.12-3.7.13, 4.2.1|
|You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters.||3.7.12-4.2.1|
|The Dell 100G-LR4 (Innolight) transceiver cannot link up due to a power budget exceeded error on the Mellanox SN4600C switch.||4.2.0-4.2.1|
|The RX_DRP counter on a bond interface increases without any data traffic, while the counter on the slave port does not increase.||3.7.12-4.2.1|
|IPv6 TCP or UDP connections (sourcing from an ephemeral port in the range 34048 to 35071) are not forwarded if the switch has more than one layer 2 VNI defined. The traffic might be locally switched on the bridge and dropped.|
To work around this issue, disable ARP/ND suppression to remove the internal ACL rule that affects the ports.
|On the Dell N3048EP switch, the module information from SFP ports is not displayed in the |
To work around this issue, use the
|Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.|
CVE-2020-14351 CVE-2020-29660 CVE-2020-29661 CVE-2020-25704 CVE-2020-28974 CVE-2020-25705 CVE-2020-28915 CVE-2020-25211 CVE-2019-19338 CVE-2020-0305 CVE-2019-18885 CVE-2019-19072 CVE-2020-12652 CVE-2020-24394 CVE-2020-25641 CVE-2019-3874 CVE-2019-5489. (CVE-2020-27825 CVE-2020-29369 CVE-2020-29372 CVE-2020-29534 are not applicable to Cumulus Linux.)
For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux
|On the Mellanox SN2410 switch, you see |
To work around this issue, restart
|The MLAG bonds on a secondary switch do not change to a unique MAC address on the peerlink. As a result, a backup double failure can occur where both peers go down.||4.2.0-4.2.1|
|When you boot Cumulus VX 4.2 for the first time, ZTP does not execute because it thinks that the |
To work around this issue, boot the switch, manually change the password, then run
|Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated.||3.7.7-3.7.13, 4.0.0-4.2.1|
|On the Mellanox SN4700 switch, you might see bad signal integrity issues on 200G and 400G ports.||4.2.1|
|If you have an existing community list of any type, redefining the same sequence number results in the entire community list being deleted.|
To work around this issue, delete the community list sequence before trying to adjust it.
|In OVSDB high availability mode, deleting more than 200 VLAN bindings might cause ||3.7.12-3.7.13, 4.0.0-4.2.1|
|When you run ||4.2.0-4.2.1|
|On Mellanox switches with the Spectrum-2 ASIC, the lpm-balanced forwarding profile does not work.||4.1.1-4.2.1|
|dot1qVlanIndex in the dot1qVlanStaticTable of the SNMP Q-BRIDGE-MIB does not use VLAN ID and does not comply with RFC 4363.||4.1.1-4.2.1|
|When the dynamic or static flag on a bridge fdb (MAC) entry is changed to the opposite state, the new flag is not set appropriately in hardware. This can allow a static fdb entry to be unexpectedly learned dynamically on a different interface, or can prevent a dynamic entry from being updated or learned elsewhere.|
This condition can occur during a manual replacement of a local MAC address or when EVPN updates a dynamic MAC address to add or remove the Sticky Mac flag. Either situation results in the MAC address keeping the original flag in hardware.
To work around this issue, delete or withdraw the fdb entry, then add the static MAC address directly. For example:
If you are unable to delete an EVPN-learned remote MAC address, you can replace the dynamic MAC address with a local static one, then delete the static MAC address. For example:
|After you enable ROCE with the ||4.1.1-4.2.1|
To work around this issue, you must update the file from https://www.ietf.org/timezones/data/leap-seconds.list or upgrade the
|After you delete a bond, the deleted bond members have the deleted bond MAC address instead of their original MAC address, which might result in traffic being discarded.|
To work around this issue, perform a full switch restart.
|On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero.|
To work around this issue, either do not set
|Using a VXLAN interface as the in-interface or out-interface in an ACL is not supported on Spectrum-based switches.||3.7.7-4.2.0|
|CPU utilization may increase when clag-managed bond interfaces are operationally/LACP down but the physical carrier remains up on the bond member switchports. This condition occurs when clag bond redirection is enabled and bond members remain up while the parent bond does not negotiate LACP.|
This issue is resolved in Cumulus Linux 3.7.14.
|Due to a known limitation, DHCPv6 snooping is not supported on Mellanox platforms.|
Please refer to the Mellanox support case
|In LLDP, the |
All the information from
|In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel.|
If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel.
To work around this issue, delete, then re-add the missing VNI. For example:
If you flap the link with the
|On Mellanox switches, when the networking service and ||4.1.0-4.2.1|
|You might see the following |
These messages are harmless and can be ignored.
|On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware.||3.7.11-4.2.1|
|When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.|
To work around this issue, remove the unnecessary eBGP IPv4 peering.
|If you configure the aggregate-address summary-only option before injecting a component of the same aggregate into the BGP table with the |
router bgp 1
If you add
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
Removing
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
To work around this issue, remove, then re-add the component prefix routes.
|Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly.|
To work around this issue, contact your hardware vendor to ask whether a new BIOS version with a microcode fix is available, or manually disable CPU C-states in the kernel as outlined below.
To permanently disable C-states using a kernel boot parameter:
1. Edit
3. Reboot the system with
To disable C-states at runtime on the current system (this does not persist through a reboot):
1. Confirm that the libpci3 package is installed. Run
2. Disable C-states by running the command
C-states are disabled by default in Cumulus Linux 4.3.0 and later.
|ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:||3.7.6-4.2.1|
|On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets.||4.0.0-4.2.1|