Cumulus Linux 5.1 Release Notes


5.1.0 Release Notes

Open Issues in 5.1.0

Issue ID | Description | Affects | Fixed
3107615
Cumulus Linux installation fails with the error Installation Problems, sub-task Installing Optional Packages. This occurs because the web server hosting the Cumulus Linux image remaps a 404 for a non-existent file image.optional_pkgs into a web page, which it then incorrectly attempts to use as a list of optional packages.
To work around this issue, on the web server hosting the image, create an empty file with the same name as the image with .optional_pkgs appended to the name.
4.2.1-4.4.3, 5.0.0-5.1.0 | 4.4.4
3096918
The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install.
4.2.1-4.4.3, 5.0.0-5.1.0 | 4.4.4
3096915
Under a high load, you might see ingress drop counters increase. The drops are classified as “HwIfInDiscards” in ethtool and shown as “ingress_general” in hardware.
4.3.0-4.4.3, 5.0.0-5.1.0 | 4.4.4
3093863
The snmpd process will slowly leak memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command.
3.7.16-4.4.3, 5.0.0-5.1.0 | 4.4.4
3089148
The clagd process uses 100 percent CPU and eventually crashes with an Unable to allocate memory error.
4.4.3, 5.1.0 | 4.4.4
3084101
CVE-2022-1664: dpkg has a vulnerability relating to directory traversal for in-place extracts with untrusted v2 and v3 source packages with debian.tar.
Vulnerable: <= 1.19.7
Fixed: 1.19.8
5.0.0-5.1.0 | 4.4.4
3082662
syslog writes phcsync phc_ctl set clock time messages continuously every minute even when supervisord is not running, which prevents critical information from being logged.
5.1.0
3082583
On the NVIDIA SN3420 switch, the smonctl command output shows the maximum PSU temperature higher than the critical temperature.
4.4.2-4.4.3, 5.0.0-5.1.0 | 4.4.4
3081232
On the NVIDIA Spectrum 1 switch, when a port goes down, it might not come back up.
To work around this issue, disable, then enable the port.
4.4.0-4.4.3, 5.0.0-5.1.0 | 4.4.4
3078202
On the NVIDIA Spectrum 1 switch, when a port goes down, it might not come back up.
To work around this issue, disable, then enable the port.
4.4.0-4.4.3, 5.0.0-5.1.0 | 4.4.4
3077736
When you run the NVUE command to change the minimum interval between received BFD control packets or the minimum interval for sending BFD control packets, the configuration apply fails.

cumulus@switch:~$ nv set vrf default router bgp neighbor 10.10.10.2 bfd min-rx-interval 400
cumulus@switch:~$ nv config apply
2022-05-04T21:36:10.800975+00:00 switch frrinit.sh16431: Stopped watchfrr.
5.0.1-5.1.0
3077547
When you configure multiple multicast RPs with groups matched by prefix lists, Cumulus Linux selects only one of the RPs and this selection is incorrect.
5.0.1-5.1.0
3074978
On NVIDIA Spectrum A1 switches, the datapath might break when there is a QinQ bridge flap.
5.1.0
3074977
On the NVIDIA Spectrum-A1 switch, when the QinQ bridge flaps, you see the warning warning: NetlinkListener RX: RXed unsupported message RTM_SETLINK (type 19).
5.1.0
3073649
In an EVPN-MH configuration, the switch fails to redirect tagged frames with the CoS bits set.
4.4.0-4.4.3, 5.0.0-5.1.0 | 4.4.4
3071652
On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously.
To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up.
5.1.0
3066280
The python module pygments version 2.12.0 on the Cumulus Linux switch prevents NVUE from displaying colored output and produces an error or failure. The failure specifically identifies #ansidarkred as the problem color format. The error prevents any output from showing on the CLI.
To work around this problem, downgrade the pygments module to version 2.3.1.
5.0.1-5.1.0
3061656
When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds.
5.1.0
3061445
When you run the NVUE command to change the minimum interval between received BFD control packets or the minimum interval for sending BFD control packets, the configuration apply fails.
cumulus@switch:~$ nv set vrf default router bgp neighbor 10.10.10.2 bfd min-rx-interval 400
cumulus@switch:~$ nv config apply
2022-05-04T21:36:10.800975+00:00 switch frrinit.sh16431: Stopped watchfrr
5.0.1-5.1.0
3060399
When you add an interface to a layer 3 bond, traffic does not forward and you see errors similar to the following:
2022-05-02T13:14:40.118597+00:00 cumulus sx_sdk: ROUTER: Failed to delete router interface(27) ref count isn’t 0, err= Resource is in use
4.4.2-4.4.3, 5.0.1-5.1.0 | 4.4.4
3059380
When you configure VRF leaking from the default VRF to a non-default VRF, SSH sessions originating from the switch CLI in the default VRF do not connect to devices in the non-default VRF.
5.0.1-5.1.0
3059135
In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route.
To resolve this issue, restart FRR with the sudo systemctl restart frr command.
4.3.0-4.4.4, 5.0.0-5.1.0
3054869
When you run NVUE commands as part of ZTP scripts, the commands fail with many errors.
To work around this issue, before you use any NVUE commands in the ZTP script, add a section and define the HOME environment variable. Populate the variable with the default expected root user home directory value (/root). Also, you must export the HOME variable so it is available globally for NVUE to use:
# Manually set HOME var for root user
HOME=/root
export HOME
5.0.0-5.1.0
3053094
When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds.
5.1.0
3053015
Spectrum-2 and Spectrum-3 switches do not support 1G speed with Cumulus Linux.
5.1.0
3047747
When you change the split port speed from explicitly defined to auto-negotiation, the port speed remains stuck on the previously configured value.
5.1.0
3046023
The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install.
4.2.1-4.4.4, 5.0.0-5.1.0
3045310
When GTP Hashing is set to true, after more than two warm boots switchd fails and a cl-support file is generated.
5.1.0
3044596
In the non-default VRF, BFD goes down after a port flap.
5.0.1-5.1.0
3043115
NVUE configuration and show commands are not available for GTP hashing. To configure GTP hashing, modify the parameters in the /etc/cumulus/datapath/traffic.conf file.
5.1.0
3042944
cl-ecmpcalc does not support GTP hashing.
5.1.0
3041425
When you add or remove PortAutoEdge on a bond with the NVUE nv set interface bridge domain br_default stp auto-edge command, the command fails with the following error, and subsequent attempts to enable or disable PortAutoEdge on any interface also fail:
cumulus@switch:~$ nv set interface swp1 bridge domain br_default stp auto-edge off
cumulus@switch:~$ nv config apply
Unable to reload-or-restart services (switchd,ifreload-nvue.service):
[sudo] password for nvue: Job for ifreload-nvue.service failed because the control process exited with error code
Failure during apply. Ignore? [y/N]
5.0.1-5.1.0
3041307
If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent fdb entry for the old MAC address.
3.7.15, 4.3.0-4.4.3, 5.0.0-5.1.0 | 3.7.16, 4.4.4
3040174
When you configure EVPN multihoming with NVUE on a switch with the Spectrum-A1 ASIC, you must configure the following snippet to enable EVPN multihoming in hardware. This is not required for Spectrum-2 or Spectrum-3 switches.
- set:
    system:
      config:
        snippet:
          switchd:
            file: "/etc/cumulus/switchd.conf"
            content: |
              evpn.multihoming.enable=TRUE
            permissions: "0644"
            services:
              schedule:
                service: switchd
                action: restart
Apply the snippet with the nv config patch <snippet.yaml> command, then run the nv config apply -y command.
5.1.0
3023345
When you run NVUE commands to unset one or more options associated with a field, the command fails with an error. For example:
cumulus@switch:~$ nv unset system forwarding ecmp-hash source-port
usage: nv unset system forwarding ecmp-hash [options]
nv unset system forwarding ecmp-hash: error: unrecognized arguments: source-port
5.1.0
3021877
After you configure a new VLAN on a bond, traffic might stop forwarding on the bond interface. This issue occurs only when you specify bridge-vids on the bond. This issue does not occur when you configure VLANs only on the bridge interface and let the bond get the bridge-vids applied from the bridge.
4.4.2-4.4.3, 5.0.0-5.1.0 | 4.4.4
3021693
When ARP suppression is off, Cumulus Linux sends GARPs from neighmgrd for remote neighbors over VXLAN.
3.7.15-3.7.16, 4.3.0-4.4.4, 5.0.0-5.1.0
3021692
GARPs from neighmgrd for remote neighbors are sent over VXLAN when ARP suppression is off.
3.7.15-4.4.3, 5.0.0-5.1.0 | 4.4.4
3020254
GARPs from neighmgrd for remote neighbors are sent over VXLAN when ARP suppression is off.
3.7.15-4.4.3, 5.0.0-5.1.0 | 4.4.4
3016882
In certain cases, when you power cycle the switch, the NVUE configuration might become corrupted, which prevents NVUE from running. You see a critical error in the log file similar to:
CRITICAL: cue_versions_v1.repo: The NVUE internal data store is corrupted or has been initialized incorrectly. The is an unrecoverable error
To work around this issue, remove the /var/lib/nvue/config and /var/lib/nvue/meta directories, then restart the nvued service with the sudo systemctl start nvued command. If possible, NVUE recovers user configuration and saves it in the /etc/nvue.d directory. You can reapply the recovered configuration with the nv config patch nvue-recovery-.yaml command.
5.0.1-5.1.0
2999342
CVE-2020-36311, CVE-2021-3609, CVE-2021-33909, CVE-2021-34693: Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
Fixed: 4.19.194-3
4.2.1-4.4.1, 5.0.0-5.1.0 | 4.4.2-4.4.4
2993471
When switchd restarts, the port watch daemon (portwd) attempts to send requests to switchd before switchd is ready. As a result, portwd goes into a failed state because there is no response from switchd.
3.7.15, 4.3.0-4.4.4, 5.0.0-5.1.0 | 3.7.16
2972540
With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts.
3.7.15-3.7.16, 4.2.1-4.4.4, 5.0.0-5.1.0
2972538
With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts.
3.7.15-3.7.16, 4.2.1-4.4.4, 5.0.0-5.1.0
2968495
If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As a result, systemd might assume that switchd is unresponsive and restarts it.
4.2.1-4.4.2, 5.0.0-5.1.0 | 4.4.3-4.4.4
2964279
The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under layer 3 VNIs.
3.7.15, 4.4.2-4.4.4, 5.0.0-5.1.0 | 3.7.16
2959550
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry.
4.4.0-4.4.2, 5.0.0-5.1.0 | 4.4.3-4.4.4
2951110
The net show time ntp servers command does not show any output with management VRF.
3.7.15-3.7.16, 4.1.1-4.4.4, 5.0.0-5.1.0
2949123
The NVUE command nv show service ntp mgmt server does not show any configured servers.
5.0.0-5.1.0
2939231
If you use NVUE to configure selective route leaking to exclude certain prefixes, the route map fails to apply when you run the nv config apply command.
5.0.0-5.1.0
2923737
When switchd restarts, the port watch daemon (portwd) attempts to send requests to switchd before switchd is ready. As a result, portwd goes into a failed state because there is no response from switchd.
3.7.15, 4.3.0-4.4.4, 5.0.0-5.1.0 | 3.7.16
2895333
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry.
4.4.0-4.4.1, 5.0.0-5.1.0 | 4.4.2-4.4.4
2891257
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file.
Vulnerable: <= 2.6.20-0+deb10u1
Fixed: 2.6.20-0+deb10u2
4.0.0-4.4.1, 5.0.0-5.1.0 | 4.4.2-4.4.4
2890683
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code.
Vulnerable: 2.6.0+dfsg.1-1
Fixed: 2.6.0+dfsg.1-1+deb10u1
4.0.0-4.4.1, 5.0.0-5.1.0 | 4.4.2-4.4.4
2875338
In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally.
4.2.1-4.4.4, 5.0.0-5.1.0 | 3.7.16
2875279
In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally.
4.2.1-4.4.4, 5.0.0-5.1.0 | 3.7.16
2873053
In an EVPN Multihoming configuration, when ES bond members go down, all software forwarded traffic destined to the access port, except for unicast ARP requests and replies, and unicast IPv6 NS and NA, is dropped and not forwarded through the VXLAN overlay. To work around this issue, bring the host side bond admin down and up (ifdown/ifup) on the bond interface itself and not on its member port.
5.0.0-5.1.0
2867248
The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file.
5.0.0-5.1.0
2859015
In a static VXLAN configuration with a traditional VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following:
warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other
5.0.0-5.1.0
2847755
When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit.
5.0.0-5.1.0
2847618
When you enable PIM on VLAN interfaces, multicast throughput might not achieve line rate depending on packet sizes in the multicast flow.
5.0.0-5.1.0
2837378
The switch duplicates DHCP packets that pass through the VTEP.
4.3.0-4.4.4, 5.0.0-5.1.0
2823307
Cumulus Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration.
5.0.0-5.1.0
2812075
When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together.
5.0.0-5.1.0
2743186
When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish.
3.7.15-3.7.16, 4.4.0-4.4.4, 5.0.0-5.1.0

Fixed Issues in 5.1.0

Issue ID | Description | Affects
3055255
When you run the NVUE nv show interface command, a watchdog timeout might occur and the nvued service fails.
5.0.1
3053013
CVE-2022-29799, CVE-2022-29800: The networkd-dispatcher program has directory traversal, symlink race, and time-of-check-time-of-use race condition which can allow a local attacker to gain root access. This vulnerability is sometimes called “nimbuspwn”. Cumulus Linux does not include the networkd-dispatcher package or script in the default image or in the package repository. However, networkd-dispatcher_2.0-2 from Debian 10 upstream is vulnerable and should not be installed.
3045302
CVE-2022-1271: incorrect handling of filenames by xzgrep in xz-utils, the XZ-format compression utilities, can result in overwrite of arbitrary files or execution of arbitrary code if a file with a specially crafted filename is processed.
Vulnerable: 5.2.4-1
Fixed: 5.2.4-1+deb10u1
5.0.0-5.0.1
3045299
CVE-2022-1271: incorrect handling of filenames by zgrep in gzip, the GNU compression utilities, can result in overwrite of arbitrary files or execution of arbitrary code if a file with a specially crafted filename is processed.
5.0.0-5.0.1
3040080
On Spectrum-2 switches, when a packet has a CRC and the ports are in cut-through mode, the switch might stop forwarding traffic.
4.4.2-4.4.3, 5.0.0-5.0.1
3036114
When you upgrade Cumulus Linux from 4.0 and later to Cumulus Linux 5.1.0 with package upgrade (apt-get upgrade), the upgrade fails with the following error and the NVUE service does not start:
Setting up python3-nvue (0.22.04.06.0-cl5.1.0u1) ..
Adding user nvue to group netshow
/usr/sbin/policy-rc.d returned 101, not running 'restart nvued.service'
/usr/sbin/policy-rc.d returned 101, not running 'restart nvue-startup.service'
/usr/sbin/policy-rc.d returned 101, not running 'try-restart ifreload-nvue.service'
To enable the newly installed bash completion for CUE in this shell, execute..
source /etc/bash_completion
Created symlink /etc/systemd/system/multi-user.target.wants/nvued.service → /lib/systemd/system/nvued.service
Created symlink /etc/systemd/system/multi-user.target.wants/nvue-startup.service → /lib/systemd/system/nvue-startup.service
Job for nvue-startup.service failed because the control process exited with error code
See "systemctl status nvue-startup.service" and "journalctl -xe" for details
dpkg: error processing package python3-nvue (--configure):
installed python3-nvue package post-installation script subprocess returned error exit status 1
To work around this issue, reboot the system.
3035855
When you configure ACLs on the switch, you might see a switchd segmentation fault.
5.0.1
3032234
In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply.
5.0.1
3030238
When you change the time with NTP or manually, the clagd service stops.
4.4.3-5.0.1
3025899
CVE-2018-25032: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Vulnerable: 1.2.11.dfsg-1
Fixed: 1.2.11.dfsg-1+deb10u1
5.0.0-5.0.1
3022955
Docker creates a bridge called docker0 and this causes compatibility issues with WJH, which runs in a Docker container.
3021897
After you remove the port from the EVPN-MH bond, the port stays in the PRTDN state with the protodown flag ON.
4.4.3, 5.0.0-5.0.1
3021838
PBR rules that you apply to interfaces in the default VRF install in the kernel with the action lookup local. As a result, packets that match this rule only perform a route lookup in the local table (which contains special routes for local IP addresses and broadcast addresses) but not in the main table (which contains unicast routes). As a result, policy routing might be applied to traffic incorrectly.
4.4.2-5.0.1
3021696
When you run the /usr/share/snmp/resq_pp.py script used by SNMP, you see the following log message in syslog regardless of the forwarding table profile set in the /etc/cumulus/datapath/traffic.conf file.
4.4.0-4.4.3, 5.0.0-5.0.1
3017127
After you convert a port from a layer 2 bond member to a layer 3 port, the switch drops transmitted untagged packets as egress VLAN membership discards.
To work around this issue, restart switchd with the sudo systemctl restart switchd.service command.
4.4.2-4.4.3, 5.0.0-5.0.1
3017042
CVE-2022-0561 CVE-2022-0562 CVE-2022-0865 CVE-2022-0891 CVE-2022-0907 CVE-2022-0908 CVE-2022-0909 CVE-2022-0924 CVE-2022-22844: Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service if malformed image files are processed.
Vulnerable: <= 4.1.0+git191117-2~deb10u3
Fixed: 4.1.0+git191117-2~deb10u4
4.4.0-4.4.3
3010290
CVE-2021-25220: When using forwarders, bogus NS records supplied by, or via, those forwarders may be cached and used by named if it needs to recurse for any reason, causing it to obtain and pass on potentially incorrect answers.
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u6
Fixed: 9.11.5.P4+dfsg-5.1+deb10u7
4.0.0-4.4.3
3008388
When you set vlan-bridge-binding on for a VLAN interface, the VLAN interface status does not change to down even when all bridge member ports are down.
4.4.3-5.0.1
3007603
CVE-2022-0778: the BN_mod_sqrt() function of OpenSSL could be tricked into an infinite loop. This could result in denial of service via malformed certificates.
Vulnerable: <= 1.1.1d-0+deb10u7
Fixed: 1.1.1d-0+deb10u8
4.4.0-4.4.3
3007564
After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed.
3.7.15-5.0.1
3007020
The sudo smonctl command output shows an error for the ASIC temperature sensor (temp6).
5.0.0-5.0.1
3003167
Updating an existing tunnel configuration with NVUE or directly in the /etc/network/interfaces file causes traffic loss. The original tunnel is destroyed and then recreated (with a new ifindex).
The new behavior applies the configuration delta while disrupting traffic as little as possible. Note that a tunnel mode change can’t be applied without causing traffic loss.
5.0.0-5.0.1
3001439
CVE-2022-0847: This vulnerability, known as “dirty pipe”, does not affect Cumulus Linux through 5.1.0, which uses earlier kernels that do not have the vulnerable code.
2999253
If you remove NGINX from the switch, then run apt autoremove, switchd does not reload. This occurs because removing NGINX also removes the libyaml-0-2 and python-yaml packages, which are required for the switchd consistency check.
4.3.0-5.0.1
2999243
sFlow fails to send flow samples.
5.0.0-5.0.1
2994402
When you run ifquery as non-root, EVPN multihoming bond configuration fails.
To work around this issue, always use sudo when running ifupdown2 commands (ifup, ifreload, ifdown, and ifquery).
4.4.2-5.0.1
2993786
When you configure QoS remarking on a bond, the port stops forwarding traffic.
2989098
CVE-2022-24407: The SQL plugin in cyrus-sasl2, a library implementing the Simple Authentication and Security Layer, is prone to a SQL injection attack. An authenticated remote attacker can take advantage of this flaw to execute arbitrary SQL commands and for privilege escalation.
4.4.0-4.4.3
2984205
CVE-2021-43612: in lldpd, by sending short SONMP packets, an attacker can make the decoder crash by reading too much data on the heap.
Vulnerable: <= 1.0.4-0-cl5.1.0u7, 1.0.4-0-cl4.4.0u0, 1.0.4-0-cl4.3.0u2, 1.0.4-0-cl3u15
Fixed:
3.7.0-3.7.15, 4.0.0-5.0.1
2982534
CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315: Several vulnerabilities have been discovered in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.
Vulnerable: <= 2.2.6-2+deb10u2
Fixed: 2.2.6-2+deb10u3
5.0.0-5.0.1
2980891
The snmpd process will slowly leak memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command.
4.2.1-5.0.1
2978165
When you use NVUE to configure an ACL rule with a set cos action, the nv config apply command fails with the following error message:
cumulus@switch:~$ nv config apply
Failed to prepare to apply
Unrecoverable internal error
5.0.1
2971342
CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Several vulnerabilities have been discovered in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.
Vulnerable: <= 2.2.6-2+deb10u1
Fixed: 2.2.6-2+deb10u2
4.0.0-4.4.2
2961078
CVE-2021-28965 CVE-2021-31799 CVE-2021-31810 CVE-2021-41817 CVE-2021-41819 CVE-2021-32066: Several vulnerabilities have been discovered in the interpreter for the Ruby language and the Rubygems included, which may result in XML roundtrip attacks, the execution of arbitrary code, information disclosure, StartTLS stripping in IMAP or denial of service.
Vulnerable: <= 2.5.5-3+deb10u3
Fixed: 2.5.5-3+deb10u4
4.0.0-4.4.2
2957968
After you install the RADIUS libnss-mapuser package, the nvued service fails to start.
5.0.0-5.0.1
2949511
CVE-2022-22747: Incorrect parsing of pkcs7 sequences in nss, the Mozilla Network Security Service library, may result in denial of service.
Vulnerable: <= 2:3.42.1-1+deb10u4
Fixed: 2:3.42.1-1+deb10u5
4.0.0-4.4.2
2943443
Cumulus Linux lets you add more than one VXLAN interface to the same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN.
3.7.15, 4.2.1-5.0.1
2943080
The overlay ASN is removed after a route flap.
4.4.0-5.0.1
2940005
If you reboot the switch when using WJH, you need to start the what-just-happened service even if the service is enabled.
5.0.1
2933466
You cannot run NVUE commands to configure route leaking. To work around this issue, create a snippet in yaml format and add the configuration to the /etc/frr/frr.conf file.
4.4.0-5.0.1
2914835
NVUE flexible snippets create invalid YAML files.
5.0.0-5.0.1
2913859
ECMP error messages, similar to the following, show in log files:
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hw
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More Resources
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmp
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container
4.4.0-5.0.1
2910017
SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces.
3.7.15-4.4.2, 5.0.0-5.0.1
2903374
The nv show interfaces command returns a 500 error and syslog shows a python error, triggered by third-party devices (non-CL) missing LLDP fields.
To work around this issue, disable LLDP on a single interface.
5.0.0-5.0.1
2898044
NVUE commands including the nv config apply command might fail with the following error because the /etc/resolv.conf file is missing:
Failed to prepare to apply
Unrecoverable internal error
5.0.0-5.0.1
2893895
CM-33315
CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.
Vulnerable: <= 2.8.90-1-cl4u5
Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u8
4.0.0-4.3.0
2886488
NVUE commands fail to configure port mirroring.
5.0.0-5.0.1
2885287
When you change the port breakout configuration, you must restart switchd to clean up any previously-associated port states and reinitialize the ports. Reloading switchd does not work.
5.0.0-5.0.1
2861989
Incomplete or unnecessary configuration in FRR results in FRR restarting instead of rejecting the configuration with an error.
5.0.0-5.0.1
2860323
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry.
4.4.0-5.0.1
2855908
Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send.
To work around this issue, run the vtysh clear ip mroute command.
3.7.15-5.0.1
2854787
An unexpected software system shutdown can occur due to a thermal zones issue in the hw-management package. The following message might appear in /var/log/syslog before the shutdown:
thermal thermal_zoneX: critical temperature reached (33 C), shutting down
4.3.0-5.0.1
2815646
In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence.
3.7.12-3.7.15, 4.3.0-5.0.1
2713888
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly:
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode.
3.7.15-5.0.1
2685994
When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply.
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
4.0.0-5.0.1