Cumulus Linux 5.0 Release Notes

Download 5.0 Release Notes xls    Download all 5.0 release notes as .xls

5.0.1 Release Notes

Open Issues in 5.0.1

Issue IDDescriptionAffectsFixed
2943443
Cumulus Linux lets you add more than one VXLAN interface to same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN.3.7.15, 4.2.1-4.4.2, 5.0.0-5.0.1
2939231
If you use NVUE to configure selective route leaking to exclude certain prefixes, the route map fails to apply when you run the nv config apply command.5.0.0-5.0.1
2932085
CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document filesare processed
Vulnerable: <= 9.27~dfsg-2+deb10u4Fixed: 9.27~dfsg-2+deb10u5
5.0.0-5.0.1
2932083
CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document filesare processed
Vulnerable: <= 9.27~dfsg-2+deb10u4Fixed: 9.27~dfsg-2+deb10u5
5.0.0-5.0.1
2914835
NVUE flexible snippets create invalid YAML files.5.0.0-5.0.1
2913859
ECMP error messages, similar to the following, show in log files:
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hwDec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More ResourcesDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmpDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container
4.4.0-4.4.2, 5.0.0-5.0.1
2910017
SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces.3.7.15, 4.0.0-4.4.2, 5.0.0-5.0.1
2896733
Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send
To work around this issue, run the vtysh clear ip mroute command.
3.7.15, 4.3.0-4.4.2, 5.0.0-5.0.1
2895333
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry.4.4.0-4.4.1, 5.0.0-5.0.14.4.2
2891257
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2
4.0.0-4.4.1, 5.0.0-5.0.14.4.2
2890683
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1
4.0.0-4.4.1, 5.0.0-5.0.14.4.2
2886488
NVUE commands fail to configure port mirroring.5.0.0-5.0.1
2873053
In an EVPN Multihoming configuration, when any host side bond member port is brought admin down and up (ifdown and ifup), the VTEP might not program the local MAC addresses in hardware.5.0.0-5.0.1
2872277
The NVUE nv set router bgp wait-for-install on command fails to enable BGP suppress route advertisement
To work around this issue, restart switchd with sudo systemctl restart switchd.service after you run the NVUE command.
5.0.0-5.0.1
2868301
The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file.5.0.0-5.0.1
2867248
The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file.5.0.0-5.0.1
2860363
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry.4.4.0-4.4.1, 5.0.0-5.0.14.4.2
2859015
In a static VXLAN configuration with a traditional VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following:
warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other
5.0.0-5.0.1
2855908
Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send
To work around this issue, run the vtysh clear ip mroute command.
3.7.15, 4.3.0-4.4.2, 5.0.0-5.0.1
2847919
Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only
To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API.
5.0.0-5.0.1
2847755
When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit.5.0.0-5.0.1
2847618
When you enable PIM on VLAN interfaces, multicast throughput might not achieve line rate depending on packet sizes in the multicast flow.5.0.0-5.0.1
2823307
Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration.5.0.0-5.0.1
2812075
When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together.5.0.0-5.0.1

Fixed Issues in 5.0.1

Issue IDDescriptionAffects
2908541
Running apt dist-upgrade causes switchd to stop and never start again. Do not use apt dist-upgrade; use apt upgrade instead. Cumulus Linux does not support apt dist-upgrade
To work around this issue, if you run apt dist-upgrade and switchd no longer works, run the apt install sx-sdk-eth-dev command (and run the command for any other removed package) or reinstall the Cumulus Linux image.
5.0.0

5.0.0 Release Notes

Open Issues in 5.0.0

Issue IDDescriptionAffectsFixed
2943443
Cumulus Linux lets you add more than one VXLAN interface to same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN.3.7.15, 4.2.1-4.4.2, 5.0.0-5.0.1
2939231
If you use NVUE to configure selective route leaking to exclude certain prefixes, the route map fails to apply when you run the nv config apply command.5.0.0-5.0.1
2932085
CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document filesare processed
Vulnerable: <= 9.27~dfsg-2+deb10u4Fixed: 9.27~dfsg-2+deb10u5
5.0.0-5.0.1
2932083
CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document filesare processed
Vulnerable: <= 9.27~dfsg-2+deb10u4Fixed: 9.27~dfsg-2+deb10u5
5.0.0-5.0.1
2914835
NVUE flexible snippets create invalid YAML files.5.0.0-5.0.1
2913859
ECMP error messages, similar to the following, show in log files:
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hwDec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More ResourcesDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmpDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container
4.4.0-4.4.2, 5.0.0-5.0.1
2910017
SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces.3.7.15, 4.0.0-4.4.2, 5.0.0-5.0.1
2908541
Running apt dist-upgrade causes switchd to stop and never start again. Do not use apt dist-upgrade; use apt upgrade instead. Cumulus Linux does not support apt dist-upgrade
To work around this issue, if you run apt dist-upgrade and switchd no longer works, run the apt install sx-sdk-eth-dev command (and run the command for any other removed package) or reinstall the Cumulus Linux image.
5.0.05.0.1
2896733
Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send
To work around this issue, run the vtysh clear ip mroute command.
3.7.15, 4.3.0-4.4.2, 5.0.0-5.0.1
2895333
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry.4.4.0-4.4.1, 5.0.0-5.0.14.4.2
2891257
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2
4.0.0-4.4.1, 5.0.0-5.0.14.4.2
2890683
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1
4.0.0-4.4.1, 5.0.0-5.0.14.4.2
2886488
NVUE commands fail to configure port mirroring.5.0.0-5.0.1
2873053
In an EVPN Multihoming configuration, when any host side bond member port is brought admin down and up (ifdown and ifup), the VTEP might not program the local MAC addresses in hardware.5.0.0-5.0.1
2872277
The NVUE nv set router bgp wait-for-install on command fails to enable BGP suppress route advertisement
To work around this issue, restart switchd with sudo systemctl restart switchd.service after you run the NVUE command.
5.0.0-5.0.1
2868301
The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file.5.0.0-5.0.1
2867248
The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file.5.0.0-5.0.1
2860363
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry.4.4.0-4.4.2, 5.0.0-5.0.1
2859015
In a static VXLAN configuration with a traditional VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following:
warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other
5.0.0-5.0.1
2855908
Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send
To work around this issue, run the vtysh clear ip mroute command.
3.7.15, 4.3.0-4.4.2, 5.0.0-5.0.1
2847919
Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only
To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API.
5.0.0-5.0.1
2847755
When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit.5.0.0-5.0.1
2847618
When you enable PIM on VLAN interfaces, multicast throughput might not achieve line rate depending on packet sizes in the multicast flow.5.0.0-5.0.1
2823307
Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration.5.0.0-5.0.1
2812075
When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together.5.0.0-5.0.1

Fixed Issues in 5.0.0

Issue IDDescriptionAffects
2877793
CVE-2021-43527: The NSS package is vulnerable to a heap overflow when verifying DSA/RSA-PSS DER-encoded signatures
Vulnerable: <= 3.42.1-1+deb10u3Fixed: 3.42.1-1+deb10u4
4.0.0-4.4.1
2873320
CVE-2020-21913: International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp.4.0.0-4.4.1
2873186
In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges.3.7.14.2-4.4.2
2862211
On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart
To work around this issue, load the port configuration in a staggered manner (groups of five downlink ports).
3.7.12-4.4.2
2845647
The mpls_enable = TRUE parameter in the /etc/cumulus/datapath/traffic.conf does not enable MPLS.
2845536
CVE-2020-19143: A flaw was discovered in tiff, a Tag Image File Format library, which may result in denial of service or the execution of arbitrary code if malformed image files are processed
Vulnerable: <= 4.1.0+git191117-2~deb10u2Fixed: 4.1.0+git191117-2~deb10u3
4.0.0-4.4.1
2845531
If you update the MAC address of an SVI when the SVI is in a protodown state (for example, when no bridge ports that carry this VNI are operationally up or if the MAC address of the SVI’s parent bridge changes), clagd does not notice the change. The MLAG peer incorrectly maintains a PERMANENT neighbor entry for the SVI IP that points to the old MAC address.4.2.1-4.4.2
2845290
The following vulnerabilities in gdb, as embedded in the crash handling program, have been announced:CVE-2019-1010180: Buffer overflow which can be triggered by debugging an ELF file
CVE-2017-9778: Vulnerability to a negative length field in DWARF section, resulting in excessive memory allocation
Vulnerable: crash 7.2.8-1+cl4u1 and 7.2.8-1+cl3u1 with embedded gdb 7.6Fixed: crash 7.2.8-1+cl5.0.0u6
3.7.15-4.4.2
2840817
CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts).4.0.0-4.4.1
2839140
After building VLAN or VXLAN interfaces, MLAG becomes unstable.4.3.0-4.4.1
2835817
Multicast packets are not seen on a SPAN port.
2826121
When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds.4.3.0-4.4.1
2821869
The cl-route-check –layer3 command fails with a memory error. For example:
cumulus@switch:~$ sudo cl-route-check –layer3Traceback (most recent call last):
File “/usr/cumulus/bin/cl-route-check”, line 1270, in
routing.collect_data()
File “/usr/cumulus/bin/cl-route-check”, line 528, in collect_data
self.collect_data_bgp_ipv4()
File “/usr/cumulus/bin/cl-route-check”, line 711, in collect_data_bgp_ipv4
bgp_ipv4 = json.loads(output)
File “/usr/lib/python2.7/json/init.py”, line 338, in loads
return _default_decoder.decode(s)
File “/usr/lib/python2.7/json/decoder.py”, line 366, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File “/usr/lib/python2.7/json/decoder.py”, line 382, in raw_decode
obj, end = self.scan_once(s, idx)MemoryError
3.7.15-4.4.2
2820565
SNMP does not start and you see errors similar to the following:
cumulus@switch:~$ sudo systemctl status snmpd.service snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2021-10-11 14:38:13 UTC; 1min 8s ago
Process: 1987 ExecStart=/usr/sbin/snmpd $SNMPDOPTS -f (code=exited, status=1/FAILURE)
Main PID: 1987 (code=exited, status=1/FAILURE)
To work around this issue, run the sudo systemctl restart snmpd.service command.
4.3.0-4.4.2
2799575
When next hop tracking fails for a global next hop, BGP invalidates the entire path instead of only invalidating the global next hop.4.4.0-4.4.2
2799568
When you add or remove a global unicast address from an interface, BGP does not update the global next hop advertised to the unnumbered BGP peer.4.4.0-4.4.2
2798406
If an MLAG failure of an EVPN Active-Active VTEP pair occurs after you disable EVPN Advertise Primary IP Address, remote VTEPs might not be able to install the anycast RMAC of the failed MLAG peers or the related bridge FDB entry
To work around this issue, do not disable EVPN Advertise Primary IP Address, which is enabled by default when you use address-virtual for layer 3 VNI SVI interfaces.
4.4.0-4.4.2
2792616
If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information.4.3.0-4.4.2
2782032
The following vulnerabilities have been announced in the openssl packages:CVE-2021-3711: buffer overflow vulnerability in SM2 decryption
CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function
More details at https://www.openssl.org/news/secadv/20210824.txt
Vulnerable: <= 1.1.1d-0+deb10u6Fixed: 1.1.1d-0+deb10u7
4.0.0-4.4.1
2780915
In NVUE, you can’t deactivate the IPv4 address family per neighbor.4.4.0-4.4.2
2780834
To enable an address family on a peer, you have to enable the address family globally.4.4.0-4.4.2
2780211
When you use the NVUE nv set vrf default router bgp peer local-as asn command to configure a local AS, Cumulus Linux does not update the etc/frr/frr.conf file.4.4.0-4.4.2
2755615
When route_preferred_over_neigh is set to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry.4.0.0-4.4.1
2754690
CVE-2021-3672: in c-ares, a library that performs DNS requests and name resolution asynchronously, missing input validation of hostnames returned by DNS servers can lead to output of wrong hostnames (leading to Domain Hijacking)
Vulnerable: 1.14.0-1Fixed: 1.14.0-1+deb10u1
4.0.0-4.4.1
2754684
CVE-2021-38165: lynx, a non-graphical (text-mode) web browser, does not properly handle the userinfo subcomponent of a URI, which can lead to leaking of credential in cleartext in SNI data
Vulnerable: 2.8.9rel.1-3Fixed: 2.8.9rel.1-3+deb10u1
4.0.0-4.4.1
2754678
CVE-2020-26558 / CVE-2021-0129: Bluez does not properly check permissions during pairing operation, which could allow an attacker to impersonate the initiating device
CVE-2020-27153: a double free flaw in the disconnect_cb() routine in the gattool. A remote attacker can take advantage of this flaw during service discovery for denial of service, or potentially, execution of arbitrary code
Vulnerable: <= 5.50-1.2~deb10u1Fixed: 5.50-1.2~deb10u2
4.0.0-4.4.1
2752330
With BGP and layer 2 forwarding, Smart System Manager warm boot mode can cause packet loss.4.4.0-4.4.2
2747750
Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted.4.4.2
2747604
CVE-2021-3246: a buffer overflow in libsndfile, a libraryfor reading/writing audio files, which could result in denial of serviceor potentially the execution of arbitrary code when processing amalformed audio file
Vulnerable: 1.0.28-6Fixed: 1.0.28-6+deb10u1
4.0.0-4.4.1
2739638
CVE-2021-36222: It was discovered that the Key Distribution Center (KDC) in krb5, the MIT implementation of Kerberos, is prone to a NULL pointer dereference flaw. An unauthenticated attacker can take advantage of this flaw to cause a denial of service (KDC crash) by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST
Vulnerable: <= 1.17-3+deb10u1Fixed: 1.17-3+deb10u2
4.0.0-4.4.1
2739402
The destination MAC address of ERSPAN GRE packets is set to all zeros.4.3.0-4.4.2
2736249
If you configure BGP graceful restart in the /etc/frr/frr.conf file, then apply the configuration with systemctl reload frr, the configuration fails to apply and you see the following error:
Job for frr.service failed
See “systemctl status frr.service” and “journalctl -xe” for details.
2736244
When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment.
4.4.0-4.4.2
2734275
On NVIDIA Spectrum-1, -2, and -3 switches, the decode-syseeprom command does not return the correct value
cumulus@switch:~$  decode-syseeprom -t psu1Device is not ready: absent 
2734119
The ESI line of show bgp l2vpn evpn route command always shows VNI: 0. This is a cosmetic software issue.4.3.0-4.4.2
2732587
The bridge MAC address is updated during a port change on bridge interfaces.4.3.0-4.4.2
2728119
When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command.4.3.0-4.4.2
2716838
CVE-2021-22918: An out-of-bounds read was discovered in the uv__idna_to_ascii() function of Libuv, an asynchronous event notification library, which could result in denial of service or information disclosure
Vulnerable: 1.24.1-1Fixed: 1.24.1-1+deb 10u1
4.0.0-4.4.1
2698649
When configuring a single VXLAN device in the /etc/network/interfaces file, if you edit the multicast group address in vxlan-mcastgrp-map, then revert the change, the change does not take effect.4.4.0-4.4.2
2687344
On the NVIDIA SN3700 switch, the decode-syseeprom shows device absent for a PSU that is present.4.4.0-4.4.2
2556811
CM-33416
Under certain high scale conditions, various modules might experience timetouts during cl-support collection, which results in missing data in the cl-support file.3.7.12-4.4.2
2554783
CM-32274
If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path.
This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes.
4.2.1-4.4.2