If you are using the current version of Cumulus Linux, the content on this page may not be up to date. The current version of the documentation is available here. If you are redirected to the main page of the user guide, then this page may have been renamed; please search for it there.

Cumulus Linux 5.0 Release Notes

Download 5.0 Release Notes xls    Download all 5.0 release notes as .xls

5.0.1 Release Notes

Open Issues in 5.0.1

Issue IDDescriptionAffectsFixed
3073649
In an EVPN-MH configuration, the switch fails to redirect tagged frames with the CoS bits set.4.4.0-4.4.3, 5.0.0-5.1.0
3067803
A change to the BFD timer does not apply to the existing session in PTM.3.7.15-3.7.16, 4.1.1-4.4.3, 5.0.0-5.1.0
3066280
The python module pygments version 2.12.0 on the Cumulus Linux switch prevents NVUE from displaying colored output and produces an error or failure. The failure specifically identifies #ansidarkred as the problem color format. The error prevents any output from showing on the CLI
To work around this problem, downgrade the pygments module to version 2.3.1.
5.0.1-5.1.0
3061445
When you run the NVUE command to change the minimum interval between received BFD control packets or the minimum interval for sending BFD control packets, the configuration apply fails
cumulus@switch:~$ nv set vrf default router bgp neighbor 10.10.10.2 bfd min-rx-interval 400cumulus@switch:~$ nv config apply2022-05-04T21:36:10.800975+00:00 switch frrinit.sh16431: Stopped watchfrr
5.0.1-5.1.0
3060400
In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command.
4.3.0-4.4.3, 5.0.0-5.1.0
3060399
When you add an interface to a layer 3 bond, traffic does not forward and you see errors similar to the following:
2022-05-02T13:14:40.118597+00:00 cumulus sx_sdk: ROUTER: Failed to delete router interface(27) ref count isn’t 0, err= Resource is in use
4.4.2-4.4.3, 5.0.1-5.1.0
3057106
Under certain conditions, the switchd process might have a slow memory leak
5.0.1-5.1.0
3054869
When you run NVUE commands as part of ZTP scripts, the commands fail with many errors
To work around this issue, before you use any NVUE commands in the ZTP script, add a section and define the HOME environment variable. Populate the variable with the default expected root user home directory value (/root). Also, you must export the HOME variable so it is available globally for NVUE to use
# Manually set HOME var for root userHOME=/rootexport HOME
5.0.0-5.1.0
3046023
The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install.4.2.1-4.4.3, 5.0.0-5.1.0
3045302
CVE-2022-1271: incorrect handling of filenames by xzgrep in xz-utils, the XZ-format compression utilities, can result in overwrite of arbitrary files or execution of arbitrary code if a file with a specially crafted filename is processed
Vulnerable: 5.2.4-1Fixed: 5.2.4-1+deb10u1
5.0.0-5.1.0
3045299
CVE-2022-1271: incorrect handling of filenames by zgrep in gzip, the GNU compression utilities, can result in overwrite of arbitrary files or execution of arbitrary code if a file with a specially crafted filename is processed.5.0.0-5.1.0
3044596
In the non-default VRF, BFD goes down after port flap.5.0.1-5.1.0
3041425
When you add or remove PortAutoEdge on a bond with the NVUE nv set interface bridge domain br_default stp auto-edge command, the command fails with the following error and then attempts to enable or disable PortAutoEdge on any interface also fail
cumulus@switch:~$ nv set interface swp1 bridge domain br_default stp auto-edge offcumulus@switch:~$ nv config applyUnable to reload-or-restart services (switchd,ifreload-nvue.service):[sudo] password for nvue: Job for ifreload-nvue.service failed because the control process exited with error code
Failure during apply. Ignore? [y/N]
5.0.1-5.1.0
3041307
If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent fdb entry for the old MAC address.3.7.15, 4.3.0-4.4.3, 5.0.0-5.1.03.7.16
3041306
If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent fdb entry for the old MAC address.3.7.15-3.7.16, 4.3.0-4.4.3, 5.0.0-5.1.0
3040080
On Spectrum-2 switches, when a packet has a CRC and the ports are in cut-though mode, the switch might stop forwarding traffic.4.4.2-4.4.3, 5.0.0-5.1.0
3035855
When you configure ACLs on the switch, you might see a switchd segmentation fault.5.0.15.1.0
3032234
In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply.5.0.15.1.0
3030238
When you change the time with NTP or manually, the clagd service stops.4.4.3-5.0.15.1.0
3025899
CVE-2018-25032: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches
Vulnerable: 1.2.11.dfsg-1Fixed: 1.2.11.dfsg-1+deb10u1
5.0.0-5.1.0
3021897
After you remove the port from the EVPN-MH bond, the port stays in the PRTDN state with the protodown flag ON.4.4.3-5.0.15.1.0
3021886
In an EVPN Multihoming configuration, when any host side bond member port is brought admin down (ifdown and up ifup), the VTEP might not program the local MAC addresses in hardware.4.4.0-4.4.3, 5.0.0-5.1.0
3021877
After you configure a new VLAN on a bond, traffic might stop forwarding on the bond interface.4.4.2-4.4.3, 5.0.0-5.1.0
3021838
PBR rules that you apply to interfaces in the default VRF install in the kernel with the action lookup local. As a result, packets that match this rule only perform a route lookup in the local table (which contains special routes for local IP addresses and broadcast addresses) but not in the main table (which contains unicast routes). As a result, policy routing might be applied to traffic incorrectly.4.4.2-5.0.15.1.0
3021696
When you run the /usr/share/snmp/resq_pp.py script used by SNMP, you see the following log message in syslog regardless of the forwarding table profile set in the /etc/cumulus/datapath/traffic.conf file.4.4.0-5.0.15.1.0
3021693
When ARP suppression is off, Cumulus Linux sends GARPs from neighmgrd for remote neighbors over VXLAN.3.7.15-3.7.16, 4.3.0-4.4.3, 5.0.0-5.1.0
3021692
GARPs from neighmgrd for remote neighbors are sent over VXLAN when ARP suppression is off.3.7.15-3.7.16, 4.3.0-4.4.3, 5.0.0-5.1.0
3020254
GARPs from neighmgrd for remote neighbors are sent over VXLAN when ARP suppression is off.3.7.15-3.7.16, 4.3.0-4.4.3, 5.0.0-5.1.0
3017127
After you convert a port from a layer 2 bond member to a layer 3 port, the switch drops transmitted untagged packets as egress VLAN membership discards.4.4.2-4.4.3, 5.0.0-5.1.0
3016882
When you power-cycle a newly installed switch and apply the default configuration, the underlying NVUE repository becomes corrupted. Even if you correct the corruption, NVUE cannot run
To recover, uninstall NVUE and delete the /var/lib/nvue directory:
cumulus@leaf01:~$ sudo apt remove python3-nvuecumulus@leaf01:~$ rm -r /var/lib/nvuecumulus@leaf01:~$ sudo apt updatecumulus@leaf01:~$ sudo apt install python3-nvuecumulus@leaf01:~$ sudo systemctl enable nvuedcumulus@leaf01:~$ sudo systemctl start nvued
5.0.1-5.1.0
3008388
When you set vlan-bridge-binding on for a VLAN interface, the VLAN interface status does not change to down even when all bridge member ports are down.4.4.3, 5.0.0-5.1.0
3007564
After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed.3.7.15-5.0.15.1.0
3007020
The sudo smonctl command output shows an error for the ASIC temperature sensor (temp6).5.0.0-5.0.15.1.0
3003167
Updating an existing tunnel configuration with NVUE or directly in the /etc/network/interfaces file causes traffic loss. The original tunnel is destroyed and then recreated (with a new ifindex)
The new behavior will make sure to apply the configuration delta without disrupting any traffic as much as possible. Note that a tunnel mode change can’t be applied without causing traffic loss.
5.0.0-5.0.15.1.0
2999342
CVE-2020-36311, CVE-2021-3609, CVE-2021-33909, CVE-2021-34693Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks
Fixed: 4.19.194-3
4.2.1-4.4.1, 5.0.0-5.1.04.4.2-4.4.3
2999253
If you remove NGINX from the switch, then run apt autoremove, switchd does not reload. This occurs because removing NGINX also removes the libyaml-0-2 and python-yaml packages, which are required for the switchd consistency check.4.3.0-5.0.15.1.0
2999243
sFlow fails to send flow samples.5.0.0-5.0.15.1.0
2994402
When you run ifquery as non-root, EVPN multihoming bond configuration fails
To work around this issue, always use sudo when running ifupdown2 commands (ifup, ifreload, ifdown, and ifquery).
4.4.2-5.0.15.1.0
2993471
When switchd restarts, the port watch daemon (portwd) attempts to send requests to switchd before switchd is ready. As a result, portwd goes into a failed state because there is no response from switchd.3.7.15-3.7.16, 4.3.0-4.4.3, 5.0.0-5.1.0
2991501
The snmpd process using the Zabbix template “Template Net Mellanox SNMP” causes a slow memory leak.4.2.1-4.4.3, 5.0.0-5.1.0
2984205
CVE-2021-43612: in lldpd, by sending short SONMP packets, an attacker can make the decoder crashby reading too much data on the heap
Vulnerable: <= 1.0.4-0-cl5.1.0u7, 1.0.4-0-cl4.4.0u0, 1.0.4-0-cl4.3.0u2, 1.0.4-0-cl3u15Fixed:
3.7.0-3.7.15, 4.0.0-4.4.3, 5.0.0-5.1.03.7.16
2982534
CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315: Several vulnerabilities have been discovered in Expat, an XML parsing Clibrary, which could result in denial of service or potentially theexecution of arbitrary code, if a malformed XML file is processed
Vulnerable: <= 2.2.6-2+deb10u2Fixed: 2.2.6-2+deb10u3
5.0.0-5.1.0
2978165
When you use NVUE to configure an ACL rule with a set cos action, the nv config apply command fails with the following error message:{nofromat}$ cumulus@switch:~$ nv config applyFailed to prepare to applyUnrecoverable internal error{nofromat}5.0.15.1.0
2972540
With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts.3.7.15-3.7.16, 4.2.1-4.4.3, 5.0.0-5.1.0
2972538
With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts.3.7.15-3.7.16, 4.2.1-4.4.3, 5.0.0-5.1.0
2971159
On rare occasions, the link up time on optical media can be more than five seconds.4.4.3-5.0.15.1.0
2968495
If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As result, systemd might assume that switchd is unresponsive and restarts it.4.2.1-4.4.2, 5.0.0-5.1.04.4.3
2964279
The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under layer 3 VNIs.3.7.15, 4.4.2-4.4.3, 5.0.0-5.1.03.7.16
2961216
When there is a peer link failure followed by a power failure or a crash on the primary switch, the MLAG secondary switch takes up to 24 seconds to change roles to the Primary.4.4.2-4.4.3, 5.0.0-5.1.0
2959550
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry.4.4.0-4.4.2, 5.0.0-5.1.04.4.3
2957968
After you install the RADIUS libnss-mapuser package, the nvued service fails to start.5.0.0-5.0.15.1.0
2951110
The net show time ntp servers command does not show any output with management VRF.3.7.15-3.7.16, 4.1.1-4.4.3, 5.0.0-5.1.0
2949123
The NVUE command nv show service ntp mgmt server does not show any configured servers.5.0.0-5.1.0
2947679
If the clagd service stops during initDelay, the peerlink flag does not clear from any VNIs that become dual connected during this time. switchd uses the peerlink flag to program MLAG loop prevention. As a result of the overlapping stale flags, traffic destined for the VXLAN might drop.3.7.15-3.7.16, 4.3.0-4.4.3, 5.0.0-5.1.0
2943443
Cumulus Linux lets you add more than one VXLAN interface to same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN.3.7.15, 4.2.1-5.0.13.7.16, 5.1.0
2943080
The overlay ASN is removed after a route flap.4.4.0-5.0.15.1.0
2940005
If you reboot the switch when using WJH, you need to start the what-just-happened service even if the service is enabled.5.0.15.1.0
2939231
If you use NVUE to configure selective route leaking to exclude certain prefixes, the route map fails to apply when you run the nv config apply command.5.0.0-5.1.0
2933466
You cannot run NVUE commands to configure route leaking. To work around this issue, create a snippet in yaml format and add the configuration to the /etc/frr/frr.conf file.4.4.0-5.0.15.1.0
2923737
When switchd restarts, the port watch daemon (portwd) attempts to send requests to switchd before switchd is ready. As a result, portwd goes into a failed state because there is no response from switchd.3.7.15, 4.3.0-4.4.3, 5.0.0-5.1.03.7.16
2914835
NVUE flexible snippets create invalid YAML files.5.0.0-5.0.15.1.0
2913859
ECMP error messages, similar to the following, show in log files:
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hwDec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More ResourcesDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmpDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container
4.4.0-5.0.15.1.0
2910017
SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces.3.7.15-4.4.2, 5.0.0-5.1.04.4.3
2904450
When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show.4.4.0-5.0.15.1.0
2903374
The nv show interfaces command returns a 500 error and syslog shows a python error, triggered by third party devices (non CL) missing LLDP fields
To work around this issue, disable LLDP on a single interface.
5.0.0-5.0.15.1.0
2898044
NVUE commands including the nv config apply command might fail with the following error because the /etc/resolv.conf file is missing
Failed to prepare to applyUnrecoverable internal error
5.0.0-5.0.15.1.0
2896733
Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send
To work around this issue, run the vtysh clear ip mroute command.
3.7.15-3.7.16, 4.3.0-4.4.3, 5.0.0-5.1.0
2896672
When you add a new VLAN, the VLAN interface type shows as unknown and cannot be reached.3.7.15-3.7.16, 4.3.0-4.4.3, 5.0.0-5.1.0
2895333
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry.4.4.0-4.4.1, 5.0.0-5.1.04.4.2-4.4.3
2891257
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2
4.0.0-4.4.1, 5.0.0-5.1.04.4.2-4.4.3
2890683
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1
4.0.0-4.4.1, 5.0.0-5.1.04.4.2-4.4.3
2886488
NVUE commands fail to configure port mirroring.5.0.0-5.0.15.1.0
2885287
When you change the port breakout configuration, you must restart switchd to clean up any previously-associated port states and reinitialize the ports. Reloading switchd does not work.5.0.0-5.0.15.1.0
2879645
When you add a new VLAN, the VLAN interface type shows as unknown and cannot be reached.3.7.15, 4.3.0-4.4.3, 5.0.0-5.1.03.7.16
2875338
In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally.4.2.1-4.4.3, 5.0.0-5.1.0
2875279
In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally.4.2.1-4.4.3, 5.0.0-5.1.03.7.16
2873053
In an EVPN Multihoming configuration, when any host side bond member port is brought admin admin down (ifdown and up ifup), the VTEP might not program the local MAC addresses in hardware.5.0.0-5.1.0
2867248
The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file.5.0.0-5.1.0
2861989
Incomplete or unnecessary configuration in FRR results in FRR restarting instead of rejecting the configuration with an error.5.0.0-5.0.15.1.0
2860323
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry.4.4.0-5.0.15.1.0
2859015
In a static VXLAN configuration with a traditional VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following:
warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other
5.0.0-5.1.0
2855908
Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send
To work around this issue, run the vtysh clear ip mroute command.
3.7.15-5.0.15.1.0
2854787
An unexpected software system shutdown can occur due to a thermal zones issue in the hw-management package. The following message might appear in /var/log/syslog before the shutdown:
thermal thermal_zoneX: critical temperature reached (33 C), shutting down
4.3.0-5.0.15.1.0
2847919
Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only
To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API.
5.0.0-5.0.15.1.0
2847755
When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit.5.0.0-5.1.0
2847618
When you enable PIM on VLAN interfaces, multicast throughput might not achieve line rate depending on packet sizes in the multicast flow.5.0.0-5.1.0
2823307
Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration.5.0.0-5.1.0
2815646
In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence.3.7.12-3.7.15, 4.3.0-5.0.13.7.16, 5.1.0
2812075
When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together.5.0.0-5.1.0
2743186
When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish.4.4.0-4.4.3, 5.0.0-5.1.0
2713888
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode.
3.7.15-5.0.15.1.0
2685994
When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
4.0.0-5.0.15.1.0

Fixed Issues in 5.0.1

Issue IDDescriptionAffects
2908541
Running apt dist-upgrade causes switchd to stop and never start again. Do not use apt dist-upgrade; use apt upgrade instead. Cumulus Linux does not support apt dist-upgrade
To work around this issue, if you run apt dist-upgrade and switchd no longer works, run the apt install sx-sdk-eth-dev command (and run the command for any other removed package) or reinstall the Cumulus Linux image.
5.0.0

5.0.0 Release Notes

Open Issues in 5.0.0

Issue IDDescriptionAffectsFixed
3073649
In an EVPN-MH configuration, the switch fails to redirect tagged frames with the CoS bits set.4.4.0-4.4.3, 5.0.0-5.1.0
3067803
A change to the BFD timer does not apply to the existing session in PTM.3.7.15-3.7.16, 4.1.1-4.4.3, 5.0.0-5.1.0
3060400
In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command.
4.3.0-4.4.3, 5.0.0-5.1.0
3054869
When you run NVUE commands as part of ZTP scripts, the commands fail with many errors
To work around this issue, before you use any NVUE commands in the ZTP script, add a section and define the HOME environment variable. Populate the variable with the default expected root user home directory value (/root). Also, you must export the HOME variable so it is available globally for NVUE to use
# Manually set HOME var for root userHOME=/rootexport HOME
5.0.0-5.1.0
3046023
The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install.4.2.1-4.4.3, 5.0.0-5.1.0
3045302
CVE-2022-1271: incorrect handling of filenames by xzgrep in xz-utils, the XZ-format compression utilities, can result in overwrite of arbitrary files or execution of arbitrary code if a file with a specially crafted filename is processed
Vulnerable: 5.2.4-1Fixed: 5.2.4-1+deb10u1
5.0.0-5.1.0
3045299
CVE-2022-1271: incorrect handling of filenames by zgrep in gzip, the GNU compression utilities, can result in overwrite of arbitrary files or execution of arbitrary code if a file with a specially crafted filename is processed.5.0.0-5.1.0
3041307
If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent fdb entry for the old MAC address.3.7.15, 4.3.0-4.4.3, 5.0.0-5.1.03.7.16
3041306
If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent fdb entry for the old MAC address.3.7.15-3.7.16, 4.3.0-4.4.3, 5.0.0-5.1.0
3040080
On Spectrum-2 switches, when a packet has a CRC and the ports are in cut-though mode, the switch might stop forwarding traffic.4.4.2-4.4.3, 5.0.0-5.1.0
3030238
When you change the time with NTP or manually, the clagd service stops.4.4.3-5.0.15.1.0
3025899
CVE-2018-25032: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches
Vulnerable: 1.2.11.dfsg-1Fixed: 1.2.11.dfsg-1+deb10u1
5.0.0-5.1.0
3021897
After you remove the port from the EVPN-MH bond, the port stays in the PRTDN state with the protodown flag ON.4.4.3-5.0.15.1.0
3021886
In an EVPN Multihoming configuration, when any host side bond member port is brought admin down (ifdown and up ifup), the VTEP might not program the local MAC addresses in hardware.4.4.0-4.4.3, 5.0.0-5.1.0
3021877
After you configure a new VLAN on a bond, traffic might stop forwarding on the bond interface.4.4.2-4.4.3, 5.0.0-5.1.0
3021838
PBR rules that you apply to interfaces in the default VRF install in the kernel with the action lookup local. As a result, packets that match this rule only perform a route lookup in the local table (which contains special routes for local IP addresses and broadcast addresses) but not in the main table (which contains unicast routes). As a result, policy routing might be applied to traffic incorrectly.4.4.2-5.0.15.1.0
3021696
When you run the /usr/share/snmp/resq_pp.py script used by SNMP, you see the following log message in syslog regardless of the forwarding table profile set in the /etc/cumulus/datapath/traffic.conf file.4.4.0-5.0.15.1.0
3021693
When ARP suppression is off, Cumulus Linux sends GARPs from neighmgrd for remote neighbors over VXLAN.3.7.15-3.7.16, 4.3.0-4.4.3, 5.0.0-5.1.0
3021692
GARPs from neighmgrd for remote neighbors are sent over VXLAN when ARP suppression is off.3.7.15-3.7.16, 4.3.0-4.4.3, 5.0.0-5.1.0
3020254
GARPs from neighmgrd for remote neighbors are sent over VXLAN when ARP suppression is off.3.7.15-3.7.16, 4.3.0-4.4.3, 5.0.0-5.1.0
3017127
After you convert a port from a layer 2 bond member to a layer 3 port, the switch drops transmitted untagged packets as egress VLAN membership discards.4.4.2-4.4.3, 5.0.0-5.1.0
3008388
When you set vlan-bridge-binding on for a VLAN interface, the VLAN interface status does not change to down even when all bridge member ports are down.4.4.3, 5.0.0-5.1.0
3007564
After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed.3.7.15-5.0.15.1.0
3007020
The sudo smonctl command output shows an error for the ASIC temperature sensor (temp6).5.0.0-5.0.15.1.0
3003167
Updating an existing tunnel configuration with NVUE or directly in the /etc/network/interfaces file causes traffic loss. The original tunnel is destroyed and then recreated (with a new ifindex)
The new behavior will make sure to apply the configuration delta without disrupting any traffic as much as possible. Note that a tunnel mode change can’t be applied without causing traffic loss.
5.0.0-5.0.15.1.0
2999342
CVE-2020-36311, CVE-2021-3609, CVE-2021-33909, CVE-2021-34693Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks
Fixed: 4.19.194-3
4.2.1-4.4.1, 5.0.0-5.1.04.4.2-4.4.3
2999253
If you remove NGINX from the switch, then run apt autoremove, switchd does not reload. This occurs because removing NGINX also removes the libyaml-0-2 and python-yaml packages, which are required for the switchd consistency check.4.3.0-5.0.15.1.0
2999243
sFlow fails to send flow samples.5.0.0-5.0.15.1.0
2994402
When you run ifquery as non-root, EVPN multihoming bond configuration fails
To work around this issue, always use sudo when running ifupdown2 commands (ifup, ifreload, ifdown, and ifquery).
4.4.2-5.0.15.1.0
2993471
When switchd restarts, the port watch daemon (portwd) attempts to send requests to switchd before switchd is ready. As a result, portwd goes into a failed state because there is no response from switchd.3.7.15-3.7.16, 4.3.0-4.4.3, 5.0.0-5.1.0
2991501
The snmpd process using the Zabbix template “Template Net Mellanox SNMP” causes a slow memory leak.4.2.1-4.4.3, 5.0.0-5.1.0
2984205
CVE-2021-43612: in lldpd, by sending short SONMP packets, an attacker can make the decoder crashby reading too much data on the heap
Vulnerable: <= 1.0.4-0-cl5.1.0u7, 1.0.4-0-cl4.4.0u0, 1.0.4-0-cl4.3.0u2, 1.0.4-0-cl3u15Fixed:
3.7.0-3.7.15, 4.0.0-4.4.3, 5.0.0-5.1.03.7.16
2982534
CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315: Several vulnerabilities have been discovered in Expat, an XML parsing Clibrary, which could result in denial of service or potentially theexecution of arbitrary code, if a malformed XML file is processed
Vulnerable: <= 2.2.6-2+deb10u2Fixed: 2.2.6-2+deb10u3
5.0.0-5.1.0
2972540
With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts.3.7.15-3.7.16, 4.2.1-4.4.3, 5.0.0-5.1.0
2972538
With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts.3.7.15-3.7.16, 4.2.1-4.4.3, 5.0.0-5.1.0
2971159
On rare occasions, the link up time on optical media can be more than five seconds.4.4.3-5.0.15.1.0
2968495
If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As result, systemd might assume that switchd is unresponsive and restarts it.4.2.1-4.4.2, 5.0.0-5.1.04.4.3
2964279
The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under layer 3 VNIs.3.7.15, 4.4.2-4.4.3, 5.0.0-5.1.03.7.16
2961216
When there is a peer link failure followed by a power failure or a crash on the primary switch, the MLAG secondary switch takes up to 24 seconds to change roles to the Primary.4.4.2-4.4.3, 5.0.0-5.1.0
2959550
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry.4.4.0-4.4.2, 5.0.0-5.1.04.4.3
2957968
After you install the RADIUS libnss-mapuser package, the nvued service fails to start.5.0.0-5.0.15.1.0
2951110
The net show time ntp servers command does not show any output with management VRF.3.7.15-3.7.16, 4.1.1-4.4.3, 5.0.0-5.1.0
2949123
The NVUE command nv show service ntp mgmt server does not show any configured servers.5.0.0-5.1.0
2947679
If the clagd service stops during initDelay, the peerlink flag does not clear from any VNIs that become dual connected during this time. switchd uses the peerlink flag to program MLAG loop prevention. As a result of the overlapping stale flags, traffic destined for the VXLAN might drop.3.7.15-3.7.16, 4.3.0-4.4.3, 5.0.0-5.1.0
2943443
Cumulus Linux lets you add more than one VXLAN interface to same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN.3.7.15, 4.2.1-5.0.13.7.16, 5.1.0
2943080
The overlay ASN is removed after a route flap.4.4.0-5.0.15.1.0
2939231
If you use NVUE to configure selective route leaking to exclude certain prefixes, the route map fails to apply when you run the nv config apply command.5.0.0-5.1.0
2933466
You cannot run NVUE commands to configure route leaking. To work around this issue, create a snippet in yaml format and add the configuration to the /etc/frr/frr.conf file.4.4.0-5.0.15.1.0
2923737
When switchd restarts, the port watch daemon (portwd) attempts to send requests to switchd before switchd is ready. As a result, portwd goes into a failed state because there is no response from switchd.3.7.15, 4.3.0-4.4.3, 5.0.0-5.1.03.7.16
2914835
NVUE flexible snippets create invalid YAML files.5.0.0-5.0.15.1.0
2913859
ECMP error messages, similar to the following, show in log files:
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hwDec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More ResourcesDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmpDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container
4.4.0-5.0.15.1.0
2910017
SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces.3.7.15-4.4.2, 5.0.0-5.1.04.4.3
2908541
Running apt dist-upgrade causes switchd to stop and never start again. Do not use apt dist-upgrade; use apt upgrade instead. Cumulus Linux does not support apt dist-upgrade
To work around this issue, if you run apt dist-upgrade and switchd no longer works, run the apt install sx-sdk-eth-dev command (and run the command for any other removed package) or reinstall the Cumulus Linux image.
5.0.05.0.1-5.1.0
2904450
When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show.4.4.0-5.0.15.1.0
2903374
The nv show interfaces command returns a 500 error and syslog shows a python error, triggered by third party devices (non CL) missing LLDP fields
To work around this issue, disable LLDP on a single interface.
5.0.0-5.0.15.1.0
2898044
NVUE commands including the nv config apply command might fail with the following error because the /etc/resolv.conf file is missing
Failed to prepare to applyUnrecoverable internal error
5.0.0-5.0.15.1.0
2896733
Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send
To work around this issue, run the vtysh clear ip mroute command.
3.7.15-3.7.16, 4.3.0-4.4.3, 5.0.0-5.1.0
2896672
When you add a new VLAN, the VLAN interface type shows as unknown and cannot be reached.3.7.15-3.7.16, 4.3.0-4.4.3, 5.0.0-5.1.0
2895333
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry.4.4.0-4.4.1, 5.0.0-5.1.04.4.2-4.4.3
2891257
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2
4.0.0-4.4.1, 5.0.0-5.1.04.4.2-4.4.3
2890683
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1
4.0.0-4.4.1, 5.0.0-5.1.04.4.2-4.4.3
2886488
NVUE commands fail to configure port mirroring.5.0.0-5.0.15.1.0
2885287
When you change the port breakout configuration, you must restart switchd to clean up any previously-associated port states and reinitialize the ports. Reloading switchd does not work.5.0.0-5.0.15.1.0
2879645
When you add a new VLAN, the VLAN interface type shows as unknown and cannot be reached.3.7.15, 4.3.0-4.4.3, 5.0.0-5.1.03.7.16
2875338
In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally.4.2.1-4.4.3, 5.0.0-5.1.0
2875279
In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally.4.2.1-4.4.3, 5.0.0-5.1.03.7.16
2873053
In an EVPN Multihoming configuration, when any host side bond member port is brought admin admin down (ifdown and up ifup), the VTEP might not program the local MAC addresses in hardware.5.0.0-5.1.0
2867248
The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file.5.0.0-5.1.0
2861989
Incomplete or unnecessary configuration in FRR results in FRR restarting instead of rejecting the configuration with an error.5.0.0-5.0.15.1.0
2860323
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry.4.4.0-5.0.15.1.0
2859015
In a static VXLAN configuration with a traditional VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following:
warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other
5.0.0-5.1.0
2855908
Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send
To work around this issue, run the vtysh clear ip mroute command.
3.7.15-5.0.15.1.0
2854787
An unexpected software system shutdown can occur due to a thermal zones issue in the hw-management package. The following message might appear in /var/log/syslog before the shutdown:
thermal thermal_zoneX: critical temperature reached (33 C), shutting down
4.3.0-5.0.15.1.0
2847919
Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only
To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API.
5.0.0-5.0.15.1.0
2847755
When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit.5.0.0-5.1.0
2847618
When you enable PIM on VLAN interfaces, multicast throughput might not achieve line rate depending on packet sizes in the multicast flow.5.0.0-5.1.0
2823307
Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration.5.0.0-5.1.0
2815646
In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence.3.7.12-3.7.15, 4.3.0-5.0.13.7.16, 5.1.0
2812075
When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together.5.0.0-5.1.0
2743186
When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish.4.4.0-4.4.3, 5.0.0-5.1.0
2713888
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode.
3.7.15-5.0.15.1.0
2685994
When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
4.0.0-5.0.15.1.0

Fixed Issues in 5.0.0

Issue IDDescriptionAffects
2877793
CVE-2021-43527: The NSS package is vulnerable to a heap overflow when verifying DSA/RSA-PSS DER-encoded signatures
Vulnerable: <= 3.42.1-1+deb10u3Fixed: 3.42.1-1+deb10u4
4.0.0-4.4.1
2873320
CVE-2020-21913: International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp.4.0.0-4.4.1
2873186
In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges.3.7.14.2-3.7.15, 4.3.0-4.4.3
2862211
On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart
To work around this issue, load the port configuration in a staggered manner (groups of five downlink ports).
3.7.12-3.7.15, 4.3.0-4.4.3
2845647
The mpls_enable = TRUE parameter in the /etc/cumulus/datapath/traffic.conf does not enable MPLS.
2845536
CVE-2020-19143: A flaw was discovered in tiff, a Tag Image File Format library, which may result in denial of service or the execution of arbitrary code if malformed image files are processed
Vulnerable: <= 4.1.0+git191117-2~deb10u2Fixed: 4.1.0+git191117-2~deb10u3
4.0.0-4.4.1
2845531
If you update the MAC address of an SVI when the SVI is in a protodown state (for example, when no bridge ports that carry this VNI are operationally up or if the MAC address of the SVI’s parent bridge changes), clagd does not notice the change. The MLAG peer incorrectly maintains a PERMANENT neighbor entry for the SVI IP that points to the old MAC address.4.2.1-4.4.3
2845290
The following vulnerabilities in gdb, as embedded in the crash handling program, have been announced:CVE-2019-1010180: Buffer overflow which can be triggered by debugging an ELF file
CVE-2017-9778: Vulnerability to a negative length field in DWARF section, resulting in excessive memory allocation
Vulnerable: crash 7.2.8-1+cl4u1 and 7.2.8-1+cl3u1 with embedded gdb 7.6Fixed: crash 7.2.8-1+cl5.0.0u6
3.7.15-4.4.3
2841584
After you upgrade Cumulus Linux on one of the MLAG peers, the bonds do not come up and the reason shows anycast-ip-mismatch even though there is no VXLAN configuration on the switch. To work around this issue, configure an anycast IP address under the loopback interface on both switches in the MLAG pair.4.4.2-4.4.3
2840817
CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts).4.0.0-4.4.1
2839140
After building VLAN or VXLAN interfaces, MLAG becomes unstable.4.3.0-4.4.1
2835817
Multicast packets are not seen on a SPAN port.
2826121
When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds.3.7.15, 4.3.0-4.4.1
2821869
The cl-route-check –layer3 command fails with a memory error. For example:
cumulus@switch:~$ sudo cl-route-check –layer3Traceback (most recent call last):
File “/usr/cumulus/bin/cl-route-check”, line 1270, in
routing.collect_data()
File “/usr/cumulus/bin/cl-route-check”, line 528, in collect_data
self.collect_data_bgp_ipv4()
File “/usr/cumulus/bin/cl-route-check”, line 711, in collect_data_bgp_ipv4
bgp_ipv4 = json.loads(output)
File “/usr/lib/python2.7/json/init.py”, line 338, in loads
return _default_decoder.decode(s)
File “/usr/lib/python2.7/json/decoder.py”, line 366, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File “/usr/lib/python2.7/json/decoder.py”, line 382, in raw_decode
obj, end = self.scan_once(s, idx)MemoryError
3.7.15-4.4.3
2820565
SNMP does not start and you see errors similar to the following:
cumulus@switch:~$ sudo systemctl status snmpd.service snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2021-10-11 14:38:13 UTC; 1min 8s ago
Process: 1987 ExecStart=/usr/sbin/snmpd $SNMPDOPTS -f (code=exited, status=1/FAILURE)
Main PID: 1987 (code=exited, status=1/FAILURE)
To work around this issue, run the sudo systemctl restart snmpd.service command.
4.3.0-4.4.3
2799575
When next hop tracking fails for a global next hop, BGP invalidates the entire path instead of only invalidating the global next hop.4.4.0-4.4.3
2799568
When you add or remove a global unicast address from an interface, BGP does not update the global next hop advertised to the unnumbered BGP peer.4.4.0-4.4.3
2798406
If an MLAG failure of an EVPN Active-Active VTEP pair occurs after you disable EVPN Advertise Primary IP Address, remote VTEPs might not be able to install the anycast RMAC of the failed MLAG peers or the related bridge FDB entry
To work around this issue, do not disable EVPN Advertise Primary IP Address, which is enabled by default when you use address-virtual for layer 3 VNI SVI interfaces.
4.4.0-4.4.3
2792616
If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information.4.3.0-4.4.3
2782032
The following vulnerabilities have been announced in the openssl packages:CVE-2021-3711: buffer overflow vulnerability in SM2 decryption
CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function
More details at https://www.openssl.org/news/secadv/20210824.txt
Vulnerable: <= 1.1.1d-0+deb10u6Fixed: 1.1.1d-0+deb10u7
4.0.0-4.4.1
2780915
In NVUE, you can’t deactivate the IPv4 address family per neighbor.4.4.0-4.4.3
2780834
To enable an address family on a peer, you have to enable the address family globally.4.4.0-4.4.3
2780211
When you use the NVUE nv set vrf default router bgp peer local-as asn command to configure a local AS, Cumulus Linux does not update the etc/frr/frr.conf file.4.4.0-4.4.3
2755615
When route_preferred_over_neigh is set to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry.4.0.0-4.4.1
2754690
CVE-2021-3672: in c-ares, a library that performs DNS requests and name resolution asynchronously, missing input validation of hostnames returned by DNS servers can lead to output of wrong hostnames (leading to Domain Hijacking)
Vulnerable: 1.14.0-1Fixed: 1.14.0-1+deb10u1
4.0.0-4.4.1
2754684
CVE-2021-38165: lynx, a non-graphical (text-mode) web browser, does not properly handle the userinfo subcomponent of a URI, which can lead to leaking of credential in cleartext in SNI data
Vulnerable: 2.8.9rel.1-3Fixed: 2.8.9rel.1-3+deb10u1
4.0.0-4.4.1
2754678
CVE-2020-26558 / CVE-2021-0129: Bluez does not properly check permissions during pairing operation, which could allow an attacker to impersonate the initiating device
CVE-2020-27153: a double free flaw in the disconnect_cb() routine in the gattool. A remote attacker can take advantage of this flaw during service discovery for denial of service, or potentially, execution of arbitrary code
Vulnerable: <= 5.50-1.2~deb10u1Fixed: 5.50-1.2~deb10u2
4.0.0-4.4.1
2752330
With BGP and layer 2 forwarding, Smart System Manager warm boot mode can cause packet loss.4.4.0-4.4.3
2747750
Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted.4.4.2-4.4.3
2747604
CVE-2021-3246: a buffer overflow in libsndfile, a libraryfor reading/writing audio files, which could result in denial of serviceor potentially the execution of arbitrary code when processing amalformed audio file
Vulnerable: 1.0.28-6Fixed: 1.0.28-6+deb10u1
4.0.0-4.4.1
2739638
CVE-2021-36222: It was discovered that the Key Distribution Center (KDC) in krb5, the MIT implementation of Kerberos, is prone to a NULL pointer dereference flaw. An unauthenticated attacker can take advantage of this flaw to cause a denial of service (KDC crash) by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST
Vulnerable: <= 1.17-3+deb10u1Fixed: 1.17-3+deb10u2
4.0.0-4.4.1
2739402
The destination MAC address of ERSPAN GRE packets is set to all zeros.4.3.0-4.4.3
2736249
If you configure BGP graceful restart in the /etc/frr/frr.conf file, then apply the configuration with systemctl reload frr, the configuration fails to apply and you see the following error:
Job for frr.service failed
See “systemctl status frr.service” and “journalctl -xe” for details.
2736244
When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment.
4.4.0-4.4.3
2734275
On NVIDIA Spectrum-1, -2, and -3 switches, the decode-syseeprom command does not return the correct value
cumulus@switch:~$  decode-syseeprom -t psu1Device is not ready: absent 
2734119
The ESI line in the show bgp l2vpn evpn route command output always shows VNI: 0. This is a cosmetic software issue.4.3.0-4.4.3
2732587
The bridge MAC address is updated during a port change on bridge interfaces.4.3.0-4.4.3
2728119
When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command.4.3.0-4.4.3
2716838
CVE-2021-22918: An out-of-bounds read was discovered in the uv__idna_to_ascii() function of Libuv, an asynchronous event notification library, which could result in denial of service or information disclosure
Vulnerable: 1.24.1-1Fixed: 1.24.1-1+deb 10u1
4.0.0-4.4.1
2698649
When configuring a single VXLAN device in the /etc/network/interfaces file, if you edit the multicast group address in vxlan-mcastgrp-map, then revert the change, the change does not take effect.4.4.0-4.4.3
2687344
On the NVIDIA SN3700 switch, the decode-syseeprom shows device absent for a PSU that is present.4.4.0-4.4.3
2599274
On Mellanox Spectrum platforms, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress.4.3.0-4.4.3
2556811
CM-33416
Under certain high scale conditions, various modules might experience timetouts during cl-support collection, which results in missing data in the cl-support file.3.7.12-3.7.15, 4.1.1-4.4.3
2554783
CM-32274
If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path.
This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes.
4.2.1-4.4.3