Cumulus Linux 5.1 Release Notes

5.1.0 Release Notes
Open Issues in 5.1.0
Issue ID | Description | Affects | Fixed |
---|---|---|---|
3107615 | Cumulus Linux installation fails with the error Installation Problems, sub-task Installing Optional Packages. This occurs because the web server hosting the Cumulus Linux image remaps a 404 for a non-existent file image.optional_pkgs into a web page, which it then incorrectly attempts to use as a list of optional packages. To work around this issue, on the web server hosting the image, create an empty file with the same name as the image with .optional_pkgs appended to the name. | 4.2.1-4.4.3, 5.0.0-5.1.0 | 4.4.4 |
3096918 | The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-4.4.3, 5.0.0-5.1.0 | 4.4.4 |
3096915 | Under a high load, you might see ingress drop counters increase. The drops are classified as “HwIfInDiscards” in ethtool and shown as “ingress_general” in hardware. | 4.3.0-4.4.3, 5.0.0-5.1.0 | 4.4.4 |
3093863 | The snmpd process will slowly leak memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command. | 3.7.16-4.4.3, 5.0.0-5.1.0 | 4.4.4 |
3089148 | The clagd process uses 100 percent CPU and eventually crashes with an Unable to allocate memory error. | 4.4.3, 5.1.0 | 4.4.4 |
3084101 | CVE-2022-1664: dpkg has a vulnerability relating to directory traversal for in-place extracts with untrusted v2 and v3 source packages with debian.tar. Vulnerable: <= 1.19.7; Fixed: 1.19.8 | 5.0.0-5.1.0 | 4.4.4 |
3082662 | syslog writes phcsync phc_ctl set clock time messages continuously every minute even when supervisord is not running, which prevents critical information from being logged. | 5.1.0 | |
3082583 | On the NVIDIA SN3420 switch, the smonctl command output shows the maximum PSU temperature higher than the critical temperature. | 4.4.2-4.4.3, 5.0.0-5.1.0 | 4.4.4 |
3081232 | On the NVIDIA Spectrum 1 switch, when a port goes down, it might not come back up. To work around this issue, disable, then enable the port. | 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.4.4 |
3078202 | On the NVIDIA Spectrum 1 switch, when a port goes down, it might not come back up. To work around this issue, disable, then enable the port. | 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.4.4 |
3077736 | When you run the NVUE command to change the minimum interval between received BFD control packets or the minimum interval for sending BFD control packets, the configuration apply fails. | 5.0.1-5.1.0 | |
3077547 | When you configure multiple multicast RPs with groups matched by prefix lists, Cumulus Linux selects only one of the RPs and this selection is incorrect. | 5.0.1-5.1.0 | |
3074978 | On NVIDIA Spectrum A1 switches, the datapath might break when there is a QinQ bridge flap. | 5.1.0 | |
3074977 | On the NVIDIA Spectrum-A1 switch, when the QinQ bridge flaps, you see the warning: NetlinkListener RX: RXed unsupported message RTM_SETLINK (type 19). | 5.1.0 | |
3073649 | In an EVPN-MH configuration, the switch fails to redirect tagged frames with the CoS bits set. | 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.4.4 |
3071652 | On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. | 5.1.0 | |
3066280 | The python module pygments version 2.12.0 on the Cumulus Linux switch prevents NVUE from displaying colored output and produces an error or failure. The failure specifically identifies #ansidarkred as the problem color format. The error prevents any output from showing on the CLI. To work around this problem, downgrade the pygments module to version 2.3.1. | 5.0.1-5.1.0 | |
3061656 | When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0 | |
3061445 | When you run the NVUE command to change the minimum interval between received BFD control packets or the minimum interval for sending BFD control packets, the configuration apply fails: cumulus@switch:~$ nv set vrf default router bgp neighbor 10.10.10.2 bfd min-rx-interval 400 cumulus@switch:~$ nv config apply 2022-05-04T21:36:10.800975+00:00 switch frrinit.sh16431: Stopped watchfrr | 5.0.1-5.1.0 | |
3060399 | When you add an interface to a layer 3 bond, traffic does not forward and you see errors similar to the following: 2022-05-02T13:14:40.118597+00:00 cumulus sx_sdk: ROUTER: Failed to delete router interface(27) ref count isn’t 0, err= Resource is in use | 4.4.2-4.4.3, 5.0.1-5.1.0 | 4.4.4 |
3059380 | When you configure VRF leaking from the default VRF to a non-default VRF, SSH sessions originating from the switch CLI in the default VRF do not connect to devices in the non-default VRF. | 5.0.1-5.1.0 | |
3059135 | In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.4, 5.0.0-5.1.0 | |
3054869 | When you run NVUE commands as part of ZTP scripts, the commands fail with many errors. To work around this issue, before you use any NVUE commands in the ZTP script, add a section and define the HOME environment variable. Populate the variable with the default expected root user home directory value (/root). Also, you must export the HOME variable so it is available globally for NVUE to use: # Manually set HOME var for root user HOME=/root export HOME | 5.0.0-5.1.0 | |
3053094 | When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0 | |
3053015 | Spectrum-2 and Spectrum-3 switches do not support 1G speed with Cumulus Linux. | 5.1.0 | |
3047747 | When you change the split port speed from explicitly defined to auto-negotiation, the port speed remains stuck on the previously configured value. | 5.1.0 | |
3046023 | The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-4.4.4, 5.0.0-5.1.0 | |
3045310 | When GTP Hashing is set to true, after more than two warm boots switchd fails and a cl-support file is generated. | 5.1.0 | |
3044596 | In the non-default VRF, BFD goes down after port flap. | 5.0.1-5.1.0 | |
3043115 | NVUE configuration and show commands are not available for GTP hashing. To configure GTP hashing, modify the parameters in the /etc/cumulus/datapath/traffic.conf file. | 5.1.0 | |
3042944 | cl-ecmpcalc does not support GTP hashing. | 5.1.0 | |
3041425 | When you add or remove PortAutoEdge on a bond with the NVUE nv set interface command, the command fails with the following error and then attempts to enable or disable PortAutoEdge on any interface also fail: cumulus@switch:~$ nv set interface swp1 bridge domain br_default stp auto-edge off cumulus@switch:~$ nv config apply Unable to reload-or-restart services (switchd,ifreload-nvue.service): [sudo] password for nvue: Job for ifreload-nvue.service failed because the control process exited with error code | 5.0.1-5.1.0 | |
3041307 | If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent fdb entry for the old MAC address. | 3.7.15, 4.3.0-4.4.3, 5.0.0-5.1.0 | 3.7.16, 4.4.4 |
3040174 | When you configure EVPN multihoming with NVUE on a switch with the Spectrum-A1 ASIC, you must configure the following snippet to enable EVPN multihoming in hardware. This is not required for Spectrum-2 or Spectrum-3 switches. - set: Apply the snippet with the nv config patch <snippet.yaml> command, then run the nv config apply -y command. | 5.1.0 | |
3023345 | When you run NVUE commands to unset one or more options associated with a field, the command fails with an error. For example: cumulus@switch:~$ nv unset system forwarding ecmp-hash source-port usage: nv unset system forwarding ecmp-hash [options] nv unset system forwarding ecmp-hash: error: unrecognized arguments: source-port | 5.1.0 | |
3021877 | After you configure a new VLAN on a bond, traffic might stop forwarding on the bond interface. This issue occurs only when you specify bridge-vids on the bond. This issue does not occur when you configure VLANs only on the bridge interface and let the bond get the bridge-vids applied from the bridge. | 4.4.2-4.4.3, 5.0.0-5.1.0 | 4.4.4 |
3021693 | When ARP suppression is off, Cumulus Linux sends GARPs from neighmgrd for remote neighbors over VXLAN. | 3.7.15-3.7.16, 4.3.0-4.4.4, 5.0.0-5.1.0 | |
3021692 | GARPs from neighmgrd for remote neighbors are sent over VXLAN when ARP suppression is off. | 3.7.15-4.4.3, 5.0.0-5.1.0 | 4.4.4 |
3020254 | GARPs from neighmgrd for remote neighbors are sent over VXLAN when ARP suppression is off. | 3.7.15-4.4.3, 5.0.0-5.1.0 | 4.4.4 |
3016882 | In certain cases, when you power cycle the switch, the NVUE configuration might become corrupted, which prevents NVUE from running. You see a critical error in the log file similar to: CRITICAL: cue_versions_v1.repo: The NVUE internal data store is corrupted or has been initialized incorrectly. The is an unrecoverable error. To work around this issue, remove the | 5.0.1-5.1.0 | |
2999342 | CVE-2020-36311, CVE-2021-3609, CVE-2021-33909, CVE-2021-34693: Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. Fixed: 4.19.194-3 | 4.2.1-4.4.1, 5.0.0-5.1.0 | 4.4.2-4.4.4 |
2993471 | When switchd restarts, the port watch daemon (portwd) attempts to send requests to switchd before switchd is ready. As a result, portwd goes into a failed state because there is no response from switchd. | 3.7.15, 4.3.0-4.4.4, 5.0.0-5.1.0 | 3.7.16 |
2972540 | With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 3.7.15-3.7.16, 4.2.1-4.4.4, 5.0.0-5.1.0 | |
2972538 | With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 3.7.15-3.7.16, 4.2.1-4.4.4, 5.0.0-5.1.0 | |
2968495 | If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As a result, systemd might assume that switchd is unresponsive and restarts it. | 4.2.1-4.4.2, 5.0.0-5.1.0 | 4.4.3-4.4.4 |
2964279 | The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under layer 3 VNIs. | 3.7.15, 4.4.2-4.4.4, 5.0.0-5.1.0 | 3.7.16 |
2959550 | If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-4.4.2, 5.0.0-5.1.0 | 4.4.3-4.4.4 |
2951110 | The net show time ntp servers command does not show any output with management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.4, 5.0.0-5.1.0 | |
2949123 | The NVUE command nv show service ntp mgmt server does not show any configured servers. | 5.0.0-5.1.0 | |
2939231 | If you use NVUE to configure selective route leaking to exclude certain prefixes, the route map fails to apply when you run the nv config apply command. | 5.0.0-5.1.0 | |
2923737 | When switchd restarts, the port watch daemon (portwd) attempts to send requests to switchd before switchd is ready. As a result, portwd goes into a failed state because there is no response from switchd. | 3.7.15, 4.3.0-4.4.4, 5.0.0-5.1.0 | 3.7.16 |
2895333 | If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-4.4.1, 5.0.0-5.1.0 | 4.4.2-4.4.4 |
2891257 | CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file. Vulnerable: <= 2.6.20-0+deb10u1; Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.1.0 | 4.4.2-4.4.4 |
2890683 | CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code. Vulnerable: 2.6.0+dfsg.1-1; Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.1.0 | 4.4.2-4.4.4 |
2875338 | In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.4.4, 5.0.0-5.1.0 | 3.7.16 |
2875279 | In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.4.4, 5.0.0-5.1.0 | 3.7.16 |
2873053 | In an EVPN Multihoming configuration, when ES bond members go down, all software forwarded traffic destined to the access port, except for unicast ARP requests and replies, and unicast IPv6 NS and NA, is dropped and not forwarded through the VXLAN overlay. To work around this issue, bring the host side bond admin down and up (ifdown/ifup) on the bond interface itself and not on its member port. | 5.0.0-5.1.0 | |
2867248 | The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file. | 5.0.0-5.1.0 | |
2859015 | In a static VXLAN configuration with a traditional VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following: warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other | 5.0.0-5.1.0 | |
2847755 | When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.1.0 | |
2847618 | When you enable PIM on VLAN interfaces, multicast throughput might not achieve line rate depending on packet sizes in the multicast flow. | 5.0.0-5.1.0 | |
2837378 | The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-4.4.4, 5.0.0-5.1.0 | |
2823307 | Cumulus Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.1.0 | |
2812075 | When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together. | 5.0.0-5.1.0 | |
2743186 | When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-3.7.16, 4.4.0-4.4.4, 5.0.0-5.1.0 | |
Fixed Issues in 5.1.0
Issue ID | Description | Affects |
---|---|---|
3055255 | When you run the NVUE nv show interface command, a watchdog timeout might occur and the nvued service fails. | 5.0.1 |
3053013 | CVE-2022-29799, CVE-2022-29800: The networkd-dispatcher program has directory traversal, symlink race, and time-of-check-time-of-use race condition which can allow a local attacker to gain root access. This vulnerability is sometimes called “nimbuspwn”. Cumulus Linux does not include the networkd-dispatcher package or script in the default image or in the package repository. However, networkd-dispatcher_2.0-2 from Debian 10 upstream is vulnerable and should not be installed. | |
3045302 | CVE-2022-1271: incorrect handling of filenames by xzgrep in xz-utils, the XZ-format compression utilities, can result in overwrite of arbitrary files or execution of arbitrary code if a file with a specially crafted filename is processed. Vulnerable: 5.2.4-1; Fixed: 5.2.4-1+deb10u1 | 5.0.0-5.0.1 |
3045299 | CVE-2022-1271: incorrect handling of filenames by zgrep in gzip, the GNU compression utilities, can result in overwrite of arbitrary files or execution of arbitrary code if a file with a specially crafted filename is processed. | 5.0.0-5.0.1 |
3040080 | On Spectrum-2 switches, when a packet has a CRC and the ports are in cut-through mode, the switch might stop forwarding traffic. | 4.4.2-4.4.3, 5.0.0-5.0.1 |
3036114 | When you upgrade Cumulus Linux from 4.0 and later to Cumulus Linux 5.1.0 with package upgrade apt-get upgrade, the upgrade fails with the following error and the NVUE service does not start: Setting up python3-nvue (0.22.04.06.0-cl5.1.0u1) .. To work around this issue, reboot the system. | |
3035855 | When you configure ACLs on the switch, you might see a switchd segmentation fault. | 5.0.1 |
3032234 | In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 5.0.1 |
3030238 | When you change the time with NTP or manually, the clagd service stops. | 4.4.3-5.0.1 |
3025899 | CVE-2018-25032: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. Vulnerable: 1.2.11.dfsg-1; Fixed: 1.2.11.dfsg-1+deb10u1 | 5.0.0-5.0.1 |
3022955 | Docker creates a bridge called docker0 and this causes compatibility issues with WJH, which runs in a Docker container. | |
3021897 | After you remove the port from the EVPN-MH bond, the port stays in the PRTDN state with the protodown flag ON. | 4.4.3, 5.0.0-5.0.1 |
3021838 | PBR rules that you apply to interfaces in the default VRF install in the kernel with the action lookup local. As a result, packets that match this rule only perform a route lookup in the local table (which contains special routes for local IP addresses and broadcast addresses) but not in the main table (which contains unicast routes). As a result, policy routing might be applied to traffic incorrectly. | 4.4.2-5.0.1 |
3021696 | When you run the /usr/share/snmp/resq_pp.py script used by SNMP, you see the following log message in syslog regardless of the forwarding table profile set in the /etc/cumulus/datapath/traffic.conf file. | 4.4.0-4.4.3, 5.0.0-5.0.1 |
3017127 | After you convert a port from a layer 2 bond member to a layer 3 port, the switch drops transmitted untagged packets as egress VLAN membership discards. To work around this issue, restart switchd with the sudo systemctl restart switchd.service command. | 4.4.2-4.4.3, 5.0.0-5.0.1 |
3017042 | CVE-2022-0561 CVE-2022-0562 CVE-2022-0865 CVE-2022-0891 CVE-2022-0907 CVE-2022-0908 CVE-2022-0909 CVE-2022-0924 CVE-2022-22844: Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service if malformed image files are processed. Vulnerable: <= 4.1.0+git191117-2~deb10u3; Fixed: 4.1.0+git191117-2~deb10u4 | 4.4.0-4.4.3 |
3010290 | CVE-2021-25220: When using forwarders, bogus NS records supplied by, or via, those forwarders may be cached and used by named if it needs to recurse for any reason, causing it to obtain and pass on potentially incorrect answers. Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u6; Fixed: 9.11.5.P4+dfsg-5.1+deb10u7 | 4.0.0-4.4.3 |
3008388 | When you set vlan-bridge-binding on for a VLAN interface, the VLAN interface status does not change to down even when all bridge member ports are down. | 4.4.3-5.0.1 |
3007603 | CVE-2022-0778: the BN_mod_sqrt() function of OpenSSL could be tricked into an infinite loop. This could result in denial of service via malformed certificates. Vulnerable: <= 1.1.1d-0+deb10u7; Fixed: 1.1.1d-0+deb10u8 | 4.4.0-4.4.3 |
3007564 | After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. | 3.7.15-5.0.1 |
3007020 | The sudo smonctl command output shows an error for the ASIC temperature sensor (temp6). | 5.0.0-5.0.1 |
3003167 | Updating an existing tunnel configuration with NVUE or directly in the /etc/network/interfaces file causes traffic loss. The original tunnel is destroyed and then recreated (with a new ifindex). The new behavior will make sure to apply the configuration delta without disrupting any traffic as much as possible. Note that a tunnel mode change can’t be applied without causing traffic loss. | 5.0.0-5.0.1 |
3001439 | CVE-2022-0847: This vulnerability, known as “dirty pipe”, does not affect Cumulus Linux through 5.1.0, which use earlier kernels which do not have the vulnerable code. | |
2999253 | If you remove NGINX from the switch, then run apt autoremove, switchd does not reload. This occurs because removing NGINX also removes the libyaml-0-2 and python-yaml packages, which are required for the switchd consistency check. | 4.3.0-5.0.1 |
2999243 | sFlow fails to send flow samples. | 5.0.0-5.0.1 |
2994402 | When you run ifquery as non-root, EVPN multihoming bond configuration fails. To work around this issue, always use sudo when running ifupdown2 commands (ifup, ifreload, ifdown, and ifquery). | 4.4.2-5.0.1 |
2993786 | When you configure QoS remarking on a bond, the port stops forwarding traffic. | |
2989098 | CVE-2022-24407: The SQL plugin in cyrus-sasl2, a library implementing the Simple Authentication and Security Layer, is prone to a SQL injection attack. An authenticated remote attacker can take advantage of this flaw to execute arbitrary SQL commands and for privilege escalation. | 4.4.0-4.4.3 |
2984205 | CVE-2021-43612: in lldpd, by sending short SONMP packets, an attacker can make the decoder crash by reading too much data on the heap. Vulnerable: <= 1.0.4-0-cl5.1.0u7, 1.0.4-0-cl4.4.0u0, 1.0.4-0-cl4.3.0u2, 1.0.4-0-cl3u15; Fixed: | 3.7.0-3.7.15, 4.0.0-5.0.1 |
2982534 | CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315: Several vulnerabilities have been discovered in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed. Vulnerable: <= 2.2.6-2+deb10u2; Fixed: 2.2.6-2+deb10u3 | 5.0.0-5.0.1 |
2980891 | The snmpd process will slowly leak memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command. | 4.2.1-5.0.1 |
2978165 | When you use NVUE to configure an ACL rule with a set cos action, the nv config apply command fails with the following error message: cumulus@switch:~$ nv config apply Failed to prepare to apply Unrecoverable internal error | 5.0.1 |
2971342 | CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990: Several vulnerabilities have been discovered in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed. Vulnerable: <= 2.2.6-2+deb10u1; Fixed: 2.2.6-2+deb10u2 | 4.0.0-4.4.2 |
2961078 | CVE-2021-28965 CVE-2021-31799 CVE-2021-31810 CVE-2021-41817 CVE-2021-41819 CVE-2021-32066: Several vulnerabilities have been discovered in the interpreter for the Ruby language and the Rubygems included, which may result in XML roundtrip attacks, the execution of arbitrary code, information disclosure, StartTLS stripping in IMAP or denial of service. Vulnerable: <= 2.5.5-3+deb10u3; Fixed: 2.5.5-3+deb10u4 | 4.0.0-4.4.2 |
2957968 | After you install the RADIUS libnss-mapuser package, the nvued service fails to start. | 5.0.0-5.0.1 |
2949511 | CVE-2022-22747: Incorrect parsing of pkcs7 sequences in nss, the Mozilla Network Security Service library, may result in denial of service. Vulnerable: <= 2:3.42.1-1+deb10u4; Fixed: 2:3.42.1-1+deb10u5 | 4.0.0-4.4.2 |
2943443 | Cumulus Linux lets you add more than one VXLAN interface to the same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN. | 3.7.15, 4.2.1-5.0.1 |
2943080 | The overlay ASN is removed after a route flap. | 4.4.0-5.0.1 |
2940005 | If you reboot the switch when using WJH, you need to start the what-just-happened service even if the service is enabled. | 5.0.1 |
2933466 | You cannot run NVUE commands to configure route leaking. To work around this issue, create a snippet in yaml format and add the configuration to the /etc/frr/frr.conf file. | 4.4.0-5.0.1 |
2914835 | NVUE flexible snippets create invalid YAML files. | 5.0.0-5.0.1 |
2913859 | ECMP error messages, similar to the following, show in log files: Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1 Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hw Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1 Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More Resources Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmp Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container | 4.4.0-5.0.1 |
2910017 | SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. | 3.7.15-4.4.2, 5.0.0-5.0.1 |
2903374 | The nv show interfaces command returns a 500 error and syslog shows a python error, triggered by third party devices (non CL) missing LLDP fields. To work around this issue, disable LLDP on a single interface. | 5.0.0-5.0.1 |
2898044 | NVUE commands including the nv config apply command might fail with the following error because the /etc/resolv.conf file is missing: Failed to prepare to apply Unrecoverable internal error | 5.0.0-5.0.1 |
2893895 CM-33315 | CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability. Vulnerable: <= 2.8.90-1-cl4u5; Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u8 | 4.0.0-4.3.0 |
2886488 | NVUE commands fail to configure port mirroring. | 5.0.0-5.0.1 |
2885287 | When you change the port breakout configuration, you must restart switchd to clean up any previously-associated port states and reinitialize the ports. Reloading switchd does not work. | 5.0.0-5.0.1 |
2861989 | Incomplete or unnecessary configuration in FRR results in FRR restarting instead of rejecting the configuration with an error. | 5.0.0-5.0.1 |
2860323 | If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 |
2855908 | Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send. To work around this issue, run the vtysh clear ip mroute command. | 3.7.15-5.0.1 |
2854787 | An unexpected software system shutdown can occur due to a thermal zones issue in the hw-management package. The following message might appear in /var/log/syslog before the shutdown: thermal thermal_zoneX: critical temperature reached (33 C), shutting down | 4.3.0-5.0.1 |
2815646 | In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0-5.0.1 |
2713888 | With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly: hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources. To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 |
2685994 | When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply. To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example: cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32 | 4.0.0-5.0.1 |