When a spine-to-leaf link is brought down or when a spine switch is powered down completely, traffic does not fail over to the remaining ECMP paths with minimal losses, and convergence takes longer than expected.

This issue is fixed in Cumulus Linux 3.5.3.

Cumulus Linux 3.5.0 and above uses the eth0 MAC address as the MAC address for bridges. If eth0 is part of the same broadcast domain, you experience outages when upgrading to 3.5.x.

To work around this issue, manually change the bridge MAC address in the /etc/network/interfaces file.

This issue is fixed in Cumulus Linux 3.5.3

If the local tunnel IP address is not defined for the VNI interface in the /etc/network/interfaces file, the clagd service crashes.

This issue is fixed in Cumulus Linux 3.5.3.

On a Mellanox switch, if you try to add two equal cost default routes that point to interfaces instead of IP addresses, switchd crashes.

This issue is fixed in Cumulus Linux 3.5.3.

Under heavy load, switchd crashes due to an object reference count leak.

This issue is fixed in Cumulus Linux 3.5.3.

When you configure DHCP relay with VRR, the ifreload command does not work as expected; for example the IP address might be removed from an SVI.

This issue is currently being investigated.

The pam_syslog() interface is now being used to send messages to the system logger, which changes the message format. For example, with an incorrect password, the old message format for TACACS Plus is:

Feb 27 21:06:02 switch3 PAM-tacplus[17368]: auth failed 2

The new message format for TACACS Plus is:

Feb 27 21:04:08 switch3 sshd[16676]: pam_tacplus(sshd:auth): auth failed 2

This issue should be fixed in the next release of Cumulus Linux.

The net show interface command output is missing LACP, CLAG, VLAN, LLDP, and physical link failure information.

This issue should be fixed in the next release of Cumulus Linux.

If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict. To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface.

This issue should be fixed in the next release of Cumulus Linux.

PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7.

This issue should be fixed in the next release of Cumulus Linux.

When you run the vtysh -c 'show ipv6 route ospf json' command to show IPv6 routes through OSPF, you see the error Unknown route type. To work around this issue, you must specify ospf6 in the command:

cumulus@switch:~$  vtysh -c 'show ipv6 route ospf6 json'

This issue should be fixed in the next release of Cumulus Linux.

This is expected behavior. Multicast frames are being dropped at the transmit port of the same interface on which they are received. This is known as a split-horizon correction, which is required for multicast to operate correctly.

This issue should be fixed in the next release of Cumulus Linux.

The algorithm that calculates hashing is the same on every switch instead of being unique.

This issue should be fixed in the next release of Cumulus Linux.

The iptables are not counting against the default INPUT chain rule for packets ingressing ethX interfaces.

This issue should be fixed in the next release of Cumulus Linux.

The following CVE was announced in Debian Security Advisory DSA-4110-1, and affects the exim4 package. While this package is no longer in the Cumulus Linux installation image, it is still in the repo3 repository. Cumulus Linux 3.5.3 is built on Debian Jessie.

This issue should be fixed in the next version of Cumulus Linux.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4110-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 10, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : exim4
CVE ID : CVE-2018-6789
Debian Bug : 890000
Meh Chang discovered a buffer overflow flaw in a utility function used in the SMTP listener of Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code via a specially crafted message.
For the oldstable distribution (jessie), this problem has been fixed in version 4.84.2-2+deb8u5.
For the stable distribution (stretch), this problem has been fixed in version 4.89-2+deb9u3.

The following CVE was announced in Debian Security Advisory DSA-4052-1, and affects the Bazaar version control system.

This issue should be fixed in the next version of Cumulus Linux.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4052-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 29, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : bzr
CVE ID : CVE-2017-14176
Debian Bug : 874429

Adam Collard discovered that Bazaar, an easy to use distributed version control system, did not correctly handle maliciously constructed bzr+ssh URLs, allowing a remote attackers to run an arbitrary shell command.

For the oldstable distribution (jessie), this problem has been fixed in version 2.6.0+bzr6595-6+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 2.7.0+bzr6619-7+deb9u1.

The following CVEs were announced in Debian Security Advisory DSA-4098-1, and affect the curl package.

This issue should be fixed in the next version of Cumulus Linux.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4098-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
January 26, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : curl
CVE ID : CVE-2018-1000005 CVE-2018-1000007
Two vulnerabilities were discovered in cURL, an URL transfer library.

CVE-2018-1000005
Zhouyihai Ding discovered an out-of-bounds read in the code handling HTTP/2 trailers. This issue doesn't affect the oldstable distribution (jessie).

CVE-2018-1000007
Craig de Stigter discovered that authentication data might be leaked to third parties when following HTTP redirects.

For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u9.

The following CVEs were announced in Debian Security Advisory DSA-4091-1, and affect all mysql packages, including mysql-* and libmysql-*.

This issue should be fixed in the next version of Cumulus Linux.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4091-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 18, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : mysql-5.5
CVE ID : CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.59, which includes additional changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-59.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

For the oldstable distribution (jessie), these problems have been fixed in version 5.5.59-0+deb8u1.

The following CVE was announced in Debian Security Advisory DSA-4089-1, and affects the bind9 package.

This issue should be fixed in the next version of Cumulus Linux.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4089-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 16, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : bind9

CVE ID : CVE-2017-3145
Jayachandran Palanisamy of Cygate AB reported that BIND, a DNS server implementation, was improperly sequencing cleanup operations, leading in some cases to a use-after-free error, triggering an assertion failure and crash in named.

For the oldstable distribution (jessie), this problem has been fixed in version 1:9.9.5.dfsg-9+deb8u15.

For the stable distribution (stretch), this problem has been fixed in version 1:9.10.3.dfsg.P4-12.3+deb9u4.

We recommend that you upgrade your bind9 packages.

The following CVE was announced in Debian Security Advisory DSA-4086-1, and affects the libxml2 package.

This issue should be fixed in the next version of Cumulus Linux.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4086-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 13, 2018 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : libxml2
CVE ID : CVE-2017-15412
Debian Bug : 883790

Nick Wellnhofer discovered that certain function calls inside XPath
predicates can lead to use-after-free and double-free errors when
executed by libxml2's XPath engine via an XSLT transformation.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.9.1+dfsg1-5+deb8u6.

The following CVEs were announced in Debian Security Advisory DSA-4086-1, and affect the Linux kernel.

These issues should be fixed in the next version of Cumulus Linux.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4082-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 09, 2018 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-8824 CVE-2017-15868 CVE-2017-16538
CVE-2017-16939 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450
CVE-2017-17558 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806
CVE-2017-17807 CVE-2017-1000407 CVE-2017-1000410

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-8824

Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it:

echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

CVE-2017-15868

Al Viro found that the Bluebooth Network Encapsulation Protocol (BNEP) implementation did not validate the type of the second socket passed to the BNEPCONNADD ioctl(), which could lead to memory corruption. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation.

CVE-2017-16538

Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash).

CVE-2017-16939

Mohamed Ghannam reported (through Beyond Security's SecuriTeam Secure Disclosure program) that the IPsec (xfrm) implementation did not correctly handle some failure cases when dumping policy information through netlink. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation.

CVE-2017-17448

Kevin Cernekee discovered that the netfilter subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace, not just the root namespace, to enable and disable connection tracking helpers. This could lead to denial of service, violation of network security policy, or have other impact.

CVE-2017-17449

Kevin Cernekee discovered that the netlink subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace to monitor netlink traffic in all net namespaces, not just those owned by that user namespace. This could lead to exposure of sensitive information.

CVE-2017-17450

Kevin Cernekee discovered that the xt_osf module allowed users with the CAP_NET_ADMIN capability in any user namespace to modify the global OS fingerprint list.

CVE-2017-17558

Andrey Konovalov reported that that USB core did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation.

CVE-2017-17741

Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash).

CVE-2017-17805

Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash).

CVE-2017-17806

It was discovered that the HMAC implementation could be used with an underlying hash algorithm that requires a key, which was not intended. A local user could use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation.

CVE-2017-17807

Eric Biggers discovered that the KEYS subsystem lacked a check for write permission when adding keys to a process's default keyring. A local user could use this to cause a denial of service or to obtain sensitive information.

CVE-2017-1000407

Andrew Honig reported that the KVM implementation for Intel processors allowed direct access to host I/O port 0x80, which is not generally safe. On some systems this allows a guest VM to cause a denial of service (crash) of the host.

CVE-2017-1000410

Ben Seri reported that the Bluetooth subsystem did not correctly handle short EFS information elements in L2CAP messages. An attacker able to communicate over Bluetooth could use this to obtain sensitive information from the kernel.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.51-3+deb8u1.

If a bridge is previously configured and you run the net del all and the net add bridge commands in the same net commit, all bridge and VLAN commands fail and there will not be any bridge or VLAN configuration added to the switch.

This issue should be fixed in the next version of Cumulus Linux.

When adding new SVIs and static VRF routes in FRR, the appropriate VRF is applied to the interface in the kernel after the static routes are configured in FRR. When the kernel interface changes to the appropriate VRF, FRR next-hop resolution is not updated with the valid connected next-hop interface.

To work around this issue, remove and re-add the static routes.

This issue is being investigated at this time.

In an MLAG environment, when both peer switches in an MLAG pair are enabled, intermittent connectivity resulted, with around 50% packet loss. This issue wasn't seen when shutting down the peerlink and traffic flowed only on one switch in the MLAG pair.

This issue is fixed in Cumulus Linux 3.5.2.

For type-5 routes, when an MLAG pair is used as border leaf nodes, the MLAG primary and secondary nodes use their respective loopback IP addresses as the originator IP address to start, but switch to using the MLAG anycast IP address after an FRR restart.

This issue is fixed in Cumulus Linux 3.5.2.

When you use the net add command for a configuration that already exists, NCLU displays an error instead of a warning.

This issue is fixed in Cumulus Linux 3.5.2.

EVPN routes were getting re-injected back into EVPN as type-5 routes when a type-5 advertisement was enabled. This issue occurred when advertising different subnets from different VTEPs into a type-5 EVPN symmetric mode environment.

This issue is fixed in Cumulus Linux 3.5.2.

When redistributing connected VRF routes into BGP, sometimes the routes are not redistributed into BGP after you restart the networking service or after certain interface flap conditions.

To work around this issue, restart FRR with the systemctl restart frr.service command.

This issue is fixed in Cumulus Linux 3.5.2.

After creating a new VNI on a Mellanox switch, VXLAN encapsulated packets are dropped as ingress general discards.

To work around this issue, flap the newly created VNI using the sudo ifdown <vni> and sudo ifup <vni> commands, or trunk the associated VLAN on an interface that is not currently forwarding that VLAN.

This issue is fixed in Cumulus Linux 3.5.2.

Whenever FRR is restarted, it deletes all routes in the kernel with a protocol type of BGP, ISIS, OSPF, and static. When you upgrade FRR and the service is stopped, the static routes defined in the interfaces file and installed using ifupdown2 are also removed.

To work around this issue, configure static routes in the /etc/network/interfaces file as follows:

post-up ip route add <prefix> via <next-hop address> proto kernel

For example:

auto swp2
iface swp2
    post-up ip route add 0.0.0.0/0 via 192.0.2.249 proto kernel

This issue should be fixed in the next release of Cumulus Linux.

The output of the NCLU net show interface <bond> command shows misleading and incorrect interface counters.

This issue is currently being investigated.

In EVPN environments, sticky MAC addresses move from one bridge port to another on soft nodes.

This issue is currently being investigated.

When running the netshow lldp command, the output displays the following error:

cumulus@switch:~# netshow lldp
ERROR: The lldpd service is running, but '/usr/sbin/lldpctl -f xml' failed.

However, the NCLU net show lldp command works correctly.

This issue should be fixed in the next release of Cumulus Linux.

The Wireshark security vulnerabilities were announced after the branch for Cumulus Linux 3.5.2 was frozen.

Wireshark is not installed in the base Cumulus Linux image; it is an optional package. And since these vulnerabilities are relatively minor, they will be fixed in the next Cumulus Linux release.

Following is the Debian security advisory DSA-4101-1:

--------------------------------------------------------------------------
Debian Security Advisory DSA-4101-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 28, 2018 https://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : wireshark
CVE ID : CVE-2018-5334 CVE-2018-5335 CVE-2018-5336
It was discovered that wireshark, a network protocol analyzer, contained
several vulnerabilities in the dissectors/file parsers for IxVeriWave,
WCP, JSON, XML, NTP, XMPP and GDB, which could result in denial of
dervice or the execution of arbitrary code.
For the oldstable distribution (jessie), these problems have been fixed
in version (1.12.1+g01b65bf-4+deb8u13.
For the stable distribution (stretch), these problems have been fixed in
version 2.2.6+g32dac6a-2+deb9u2.

The BGP unnumbered neighbor does not come back up after issuing the reload command or after an interface flap. This issue is specific to how RA suppression is disabled by FRRouting for BGP unnumbered interfaces. By default, RA suppression is enabled. However, when BGP unnumbered interfaces are configured, RA suppression is disabled.

The issue can arise depending on your FRR configuration. If you push an frr.conf configuration to the switch and it did not include the no ipv6 nd suppress-ra option, then FRR adds that to running configuration, but it is still not present in frr.conf. When you run FRR reload, RA suppression gets enabled again, as it's not in frr.conf. The next time an interface flaps, BGP unnumbered is unable to establish peering.

To work around this issue, frr.conf has been pushed and the frr.service gets restarted. The additional write in FRR syncs both saved and running configurations.

This issue should be fixed in the next release of Cumulus Linux.

When creating a VNI, the vxlan id parameter must be specified first to instantiate the VXLAN type interface object. When running net show configuration commands however, the commands are printed in a different order so a copy and paste will fail.

To work around this issue, manually reorder the commands so that vxlan id is executed before any other bridging or VXLAN parameters.

This issue should be fixed in the next release of Cumulus Linux.

Cumulus Linux 3.5.0 and above uses the eth0 MAC address as the MAC address for bridges. If eth0 is part of the same broadcast domain, you experience outages when upgrading to 3.5.x.

To work around this issue, manually change the bridge MAC address in the /etc/network/interfaces file.

This issue should be fixed in the next release of Cumulus Linux.

When configuring a DHCP relay on a VRR interface using the NCLU commands, errors are seen when running sudo ifreload -a and net commit.

cumulus@switch:~$ sudo ifreload -a
error: 'scope'

To work around this issue, edit the /etc/network/interfaces file and remove any vlanX-v0 stanzas, then run sudo ifreload -a again.

This issue is fixed in Cumulus Linux 3.5.1.

Adding an OSPF passive interface to an OSPF VRF that has not been defined previously causes ospfd to crash.

To work around this issue, create the VRF before you add the passive OSPF interface.

This issue is fixed in Cumulus Linux 3.5.1.

With management VRF, the output of the NCLU command net show time ntp servers is empty.

This issue is fixed in Cumulus Linux 3.5.1.

1G and 100M speeds on SFP ports are not working on the Dell S4148T-ON.

To enable a speed lower than 10G on a port on the S4148T platform, you must dedicate an entire port group (four interfaces) to a lower speed setting. Within a port group, you can mix 1G and 100M speeds, if needed. You cannot mix 10G and lower speeds.

To work around this issue:

1. In the /etc/cumulus/ports.conf file, add each of the four ports in the port group as 1G interfaces. You must set each of the ports in the port group to be 1G. Port groups are swp1-4, swp5-8, swp9-12, and so on, and starting with swp31-35 on the right half of the switch. For example, to enable ports swp5-swp8 to autonegotiate to 100M or 1G speeds, add the following to the ports.conf file:
   

   5=1G
   6=1G
   7=1G
   8=1G

2. Restart switchd:
   

   cumulus@switch:~$ sudo systemctl reset-failed switchd; sudo systemctl restart switchd

   After this is done ports swp5-8 will be enabled to autonegotiate with the neighbor devices to 1G or 100M speeds.

As of 3.5.1, 1G interfaces are supported when using the ports.conf file workaround as described above. As of 3.6.0, editing the ports.conf file is no longer required.

Using NCLU to assign the link autoneg off setting to a list of interfaces fails to complete the list if one of the interfaces in the list already has the link autoneg off setting.

This issue is fixed in Cumulus Linux 3.5.1.

On Mellanox switches, you can have a maximum of 2048 VLANs, less the number of physical interfaces. Typically, you have no more than 48 physical interfaces, which leaves 2000 VLANs available. If you create more than 48 interfaces, there are only 1991 VLANs available.

This issue is fixed in Cumulus Linux 3.5.1.

An issue with the DC power supply on the Edgecore AS5812 and AS5712 models causes the switch to be inoperable.

This issue is fixed in Cumulus Linux 3.5.1.

When VXLAN symmetric routing in enabled, sometimes packets get forwarded to the CPU after switchd is restarted.

To work around this issue, restart the networking service:

cumulus@switch:~$ sudo systemctl restart networking

This issue is fixed in Cumulus Linux 3.5.1.

The output for the NCLU net show interface command for bridge interfaces is missing or incorrect. The interface mode does not show Bridge/L2 and the member interfaces are shown.

This issue was a regression of an earlier issue and has been fixed again in Cumulus Linux 3.5.1.

For VXLAN routing, when ARP suppression is disabled, the CPU is not placed in the flood group so ARP requests do not reach the CPU.

This issue is fixed in Cumulus Linux 3.5.1.

When the switch boots, DNS issues sometimes causes ZTP to fail when searching for an install script.

This issue is fixed in Cumulus Linux 3.5.1.

The output of the NCLU net show config commands is not formatted correctly. Trying to copy and paste the output produces an error.

This issue is fixed in Cumulus Linux 3.5.1.

The netd service crashes if you issue the snmp-server trap-link-up command with a non-default snmpd.conf file. The configuration file is expected to include the following default configuration option:

monitor -r 60 -o laNames -o laErrMessage "laTable" laErrorFlag != 0'

To workaround this issue, you can manually edit the /etc/snmp/snmpd.conf file and add the missing default configuration option.

This issue is fixed in Cumulus Linux 3.5.1.

Previously, with NCLU, you were unable to add multiple IP addresses without defining a unique community for each. You can now add multiple access IP addresses to use the same community password.

This issue is fixed in Cumulus Linux 3.5.1.

Certain unicode characters in the /etc/network/interfaces.d/vlans.intf file, which is used by the interfaces file, cause a decode error when running the net show interface command.

This issue is fixed in Cumulus Linux 3.5.1.

The net show interface swp# command returns the same output as net show interface swp# detail.

To view the additional information typically presented, use alternative commands. For example, to view the module information and statistics use ethtool swp# and ethtool -S swp#.

This issue is currently being investigated.

Running net add hostname <hostname> updates both /etc/hostname and /etc/hosts. However, NCLU modifies the hostname value passed to /etc/hostname, removing certain characters and converting the hostname to lowercase, whereas the hostname passed to /etc/hosts is passed through as is, creating an inconsistency between the two files.

To work around this issue, manually set the hostname in both /etc/hostname and /etc/hosts using a text editor such as vi or nano.

This issue is currently being investigated.

The dhcrelay command does not bind to an interface if the interface's name is longer than 14 characters.

To work around this issue, change the interface name to be 14 or fewer characters if dhcrelay is required to bind to it.

This issue is currently being investigated.

n a Trident II+ switch, it's been reported that when there is an auto-negotiation mismatch between the switch and the NIC, a 40G 3 meter DAC may not link up, or could take more than a minute to do so. The issue has not been seen with 1 meter DACs or any active cable.

To work around this issue, configure auto-negotiation for the interface to allow it to operate properly.

This issue is currently being investigated.

FRR correctly detects the bandwidth for both 10G interfaces and 40G interfaces. However, it does not do so for 100G interfaces. Setting link speed manually does not fix this issue.

To work around this issue, restart the FRR service:

cumulus@switch:~$ sudo systemctl restart frr.service

This issue is currently being investigated.

The results from running the net add ospf auto-cost reference-bandwidth command are applied to an OSPFv3 (net add ospf6) configuration even though it is expected to be applied to an OSPFv2 (net add ospf) configuration.

This issue should be fixed in the next release of Cumulus Linux.

If you manually edit the snmpd.conf to specify the agentaddress, net show config commands outputs the command in a way that cannot be pasted back into the file.

For example, you can specify the agentaddress in any of the following ways:

agentaddress udp:1.1.1.1:161,2.2.2.2:171,3.3.3.3
agentaddress 4.4.4.4,5.5.5.5:171,6.6.6.6:161
agentaddress tcp:7.7.7.7

This issue is currently being investigated.

You cannot use NCLU or ifupdown2 to enable or disable of the IPv6 link-local eui-64 format.

To work around this limitation, you can use the following iproute2 command:

cumulus@switch:~$ sudo ip link set swp# addrgenmode {eui-64|none}

Note that this command does not persist across a reboot of the switch.

This issue is currently being investigated.

When the router ID is changed, the router should remove the previous network LSA (link-state advertisement) that it generated based on the IP address on the interface in the Network LSA.

Cumulus Linux did not remove the old LSA , so it would only change when it naturally aged out. 

This issue is fixed in Cumulus Linux 3.5.0. The fix now changes the router ID upon changing rather than having to wait for the max age timer.

In a VRR configuration, any interface-specific routing configuration (e.g., OSPF mode of operation) specified on the subinterface having a virtual IP address does not take effect. This is because when an operator has specified a virtual IP on a bridge, the system creates another internal interface bridge with the virtual IP and MAC. These two interfaces are treated distinctly by Quagga, so any interface-specific routing configuration on the bridge does not get carried over to the second bridge.

As a workaround, a VRR deployment needing any interface-specific routing configuration on the interface with a virtual IP address, the routing configuration must also be specified against the internally-created virtual interface.

This issue is fixed in Cumulus Linux 3.5.0.

This issue causes peer session flaps on Penguin Arctica 4806XP and Supermicro SSE-X3648S switches. It occurs with 16K IPv4 prefixes and only when you run show ip bgp json.

However, on switches with Tomahawk ASICs, with 61K IPv4 prefixes and default timers, the same show ip bgp json command causes all peer sessions to go down.

This issue is fixed in Cumulus Linux 3.5.0.

This is a known issue that's currently being investigated. The Quagga log shows these commands taking a very long to execute.

To work around this issue, Cumulus Networks recommends you use larger keepalive/hold timers — 60 and 180 seconds, respectively.

This issue is fixed in Cumulus Linux 3.5.0.

An error was found when an accidental change was made to the backup IP, and then corrected. ifreload -a would restart the clagd process to invoke the daemon with the new backup IP, rather than updating the backup IP with the change.

This issue is fixed in Cumulus Linux 3.5.0.

When auto-negotiation is enabled on a 10G LR or SR interface, switchd might crash and cannot be restarted unless you reboot the whole switch.

This issue was a regression of an earlier issue and has been fixed again in Cumulus Linux 3.5.0.

The clagd service fails to start up if the backup is in the non-default VRF. For example, a configuration like clagd-backup-ip 192.1.1.1 vrf green results in a clagd startup failure.

This issue was a regression of an earlier issue and has been fixed again in Cumulus Linux 3.5.0.

This issue was a regression of an earlier issue and has been fixed again in Cumulus Linux 3.5.0.

On Cumulus Linux versions 3.3.0 and later, enabling priority flow control (PFC), explicit congestion notification (ECN) or link pause on Mellanox Spectrum-based switches may cause the switchd process to crash.

To work around this issue, populate the appropriate unlimited_egress_buffer_port_set parameter in the /etc/cumulus/datapath/traffic.conf file. The default range should be "swp<a>-swp<z>", where "swp<a>" is the first front panel port in /var/lib/cumulus/porttab and "swp<z>" is the last front panel port in the porttab file. For example, to configure this parameter for PFC, use:

# priority flow control
pfc.port_group_list = [pfc_port_group]
pfc.pfc_port_group.cos_list = [0]
pfc.pfc_port_group.port_set = swp1-swp5
pfc.pfc_port_group.port_buffer_bytes = 25000
pfc.pfc_port_group.xoff_size = 10000
pfc.pfc_port_group.xon_delta = 2000
pfc.pfc_port_group.tx_enable = true
pfc.pfc_port_group.rx_enable = true
pfc.pfc_port_group.unlimited_egress_buffer_port_set = swp1-swp16

For ECN, the parameter would be ecn.ecn_port_group.unlimited_egress_buffer_port_set = swp1-swp16.

For link pause, the parameter would be link_pause.pause_port_group.unlimited_egress_buffer_port_set = swp1-swp16.

This issue was a regression of an earlier issue and has been fixed again in Cumulus Linux 3.5.0.

When RIOT is enabled on a Trident II+ switch, all multicast traffic gets software forwarded.

To work around this issue, disable RIOT on the switch. Edit the /usr/lib/python2.7/dist-packages/cumulus/__chip_config/bcm/datapath.conf file and change the vxlan_routing_overlay.profile setting to disable:

vxlan_routing_overlay.profile = disable

Then restart switchd for the change to take effect. This causes all network ports to reset in addition to resetting the switch hardware configuration.

cumulus@switch:~$ sudo systemctl restart switchd.service

This issue is fixed in Cumulus Linux 3.5.0.

Switches with the Trident II+ chipset running Cumulus Linux 3.3.0 or later may experience a failure to transmit frames from the control plane following a power-cycle of a device connected via 10GBASE-T. This can result in complete loss of connectivity from the switch control plane to connected devices.

To work around this issue, restart switchd with sudo systemctl restart switchd.

This issue was a regression of an earlier issue and has been fixed again in Cumulus Linux 3.5.0.

This situation occurs if the host was reachable via a given port (say swp1), and then also becomes reachable via a second port (say swp2). In this case, the routing table entry gets updated to point to swp2, but the neighbor entry on swp1 remains reachable.

If the host stops responding on swp2, the neighbor entry on swp1 remains reachable and keeps getting refreshed. As the entry on swp2 transitions to a FAILED status, the rdnbrd service removes the route from table 10, but table 10 does not get notified of a neighbor change and thus doesn't have an entry for this connected neighbor.

The only workaround is to restart the rdnbrd service, but this is not advised, especially in the case if the host moves around the network frequently, as would be the case if the host is a virtual machine.

This issue is fixed in Cumulus Linux 3.5.0.

This issue arose after upgrading to Cumulus Linux 3.4.2 and occurs under the following conditions:

• Mellanox switch running Cumulus Linux 3.4.2 only
• auto-negotiation is set to off
• The remote side negotiates a different speed than what the switch uses as default speed setting

To work around this issue, set auto-negotiation to on for every affected interface at both ends:

cumulus@switch:~$ net add interface swp1-52 link autoneg on
cumulus@switch:~$ net pending
cumulus@switch:~$ net commit

This issue was a regression of an earlier issue and has been fixed again in Cumulus Linux 3.5.0.

You cannot set both a global MTU and an individual MTU in a policy file. For example, this configuration does not work:

root@leaf01:/home/cumulus# cat /etc/network/ifupdown2/policy.d/mtu.json
{
 "address": {"defaults": { "mtu": "9216" }},
 "ethtool": {"iface_defaults": {"eth0": {"mtu": "1500"}}}
}

This issue is fixed in Cumulus Linux 3.5.0.

When ARP suppression is turned on, a VXLAN SVI is configured on the bridge. In Cumulus Linux 3.4.z, VXLAN routing is enabled by default, so the neighbors are being learned and programmed in the Broadcom Trident II+ ASIC. The Trident II+ default profile supports up to 8k next hop entries, after which the following error messages are logged:

switchd[20053]: hal_bcm_l3.c:1283 CRIT bcm_l3_egress_create unit 0 mod 0 \
        port -2147483640 vlan 0 intf 10240 failed: Table full

These messages do not affect forwarding.

To work around this issue, disable VXLAN routing.

1. Edit the /usr/lib/python2.7/dist-packages/cumulus/__chip_config/bcm/datapath.conf file and set vxlan_routing_overlay.profile to disable.
2. Restart switchd:
   cumulus@switch:~$ sudo systemctl restart switchd.service

Note: Restarting switchd causes all network ports to reset in addition to resetting the switch hardware configuration.

This issue is fixed in Cumulus Linux 3.5.0.

On a Trident II+ switch, VXLAN RIOT is enabled by default. However, a problem occurred with the VLAN-to-L3_IIF table setting that indicates the VRF. This caused switchd to fail to set the L3_IIF attribute in a new table entry, thus incorrect L3_IIF and profile attributes, including the VRF ID, were used for packet processing. This affected any routed interface, such as bonds, VLAN subinterfaces, and SVIs. As a result, you might be unable to ping the address of the WAN-facing interface on a border leaf switch.

The workaround involved disabling the VXLAN RIOT setting in the datapath.conf file.

This issue was a regression of an earlier issue and has been fixed again in Cumulus Linux 3.5.0.

For 1000Base-T interfaces, auto-negotation should be set to no. To work around this issue, disable auto-negotation on these interfaces.

This issue is fixed in Cumulus Linux 3.5.0.

This error occurs when VRR is configured.

This issue is fixed in Cumulus Linux 3.5.0.

On Cumulus Linux, the ifupdown2 policy files stored in /etc/network/ifupdown2/policy.d/ might not be applied correctly to the eth0 interface.

This issue is fixed in Cumulus Linux 3.5.0.

When configuring MLAG, if the clagd-peer-ip is the same as the switch's IP address, it causes the switch to peer with itself, resulting in a loop.

This issue is fixed in Cumulus Linux 3.5.0. The clagd-peer-ip cannot be the same as the peerlink subinterface IP address.

The switch stops the clagd.service when it detects a mismatched configuration, such as different sys-mac or clagd-vxlan-anycast-ip among the MLAG pair.

This issue is fixed in Cumulus Linux 3.5.0.

This issue is fixed in Cumulus Linux 3.5.0.

If lacp-bypass-allow is configured on an interface, the output of net show configuration commands is displayed in an order that NCLU rejects if you try to copy and paste the commands and run them again. Consider the following command output:

cumulus@leaf03:~$ net show config commands
...
net add bridge bridge vlan-aware
net add bond server03 bond lacp-bypass-allow
net add bond server03 bond slaves swp1
net add bond server03 bridge access 20
net add bond server03 clag id 3
net add bond server03 stp bpduguard
net add hostname leaf03

Since net add bond server03 bond lacp-bypass-allow appears before the bond is defined with bond slaves, NCLU will reject the command.

This issue is fixed in Cumulus Linux 3.5.0.

Multicast traffic is flooded to all bridge ports even if there is a valid snooped (*,G) entry.

This issue is fixed in Cumulus Linux 3.5.0.

In an MLAG configuration, when the primary switch goes down, Cumulus Linux now sends a goodbye message over the backup link as well as over the peerlink.

MLAG does not sync the bridge mdb state between peers. 

This issue is fixed in Cumulus Linux 3.5.0.

A Mellanox switch returns the following errors in syslog for a bond configuration:

2017-08-28T10:06:17.596911-07:00 mlx-2700-01 sx_sdk: VLAN: Failure - port is LAG member (Parameter Error)
2017-08-28T10:06:17.616588-07:00 mlx-2700-01 sx_sdk: VLAN: Failure - port is LAG member (Parameter Error)
2017-08-28T10:06:17.619505-07:00 mlx-2700-01 sx_sdk: VLAN: Failure - port is LAG member (Parameter Error)

This issue is fixed in Cumulus Linux 3.5.0.

Valid IPv6 addresses cannot be bound by snmpd because the square brackets are missing in the configuration. These square brackets are required to distinguish between an IPv6 address and a port configuration (both contain a colon).

This issue is fixed in Cumulus Linux 3.5.0.

The net show lldp command should display Access/L2 for the mode, but actually reports it as Trunk/L2.

This issue is fixed in Cumulus Linux 3.5.0.

BGP unnumbered does not support IPv6 GUA addresses on the interface which is peering IPv6. 

This issue is fixed in Cumulus Linux 3.5.0.

All NCLU components are now enabled by default after an upgrade, unless explicitly disabled. If you edit the netd.conf file, you can keep your version of the file when performing an upgrade. 

If a 1G fibre SFP is installed in a 10G SFP+ port and the port speed is not specified (auto-negotiation is on), reloading settings with the ifreload -a command causes the link to flap because of redundant ethtool set commands in ifupdown2.

This issue is fixed in Cumulus Linux 3.5.0.

In an MLAG configuration, clagctl incorrectly reports offline servers as single connected when both of its MLAG switches are down. The proto-down reason should not indicate any active members.

This issue is fixed in Cumulus Linux 3.5.0.

If you remove the default user cumulus from the system, netd fails to produce output and generates a traceback message when you run NCLU commands. Some commands return no output to the terminal screen, other commands indicate that netd is not working correctly. 

This issue is fixed in Cumulus Linux 3.5.0.

NCLU does not add ip igmp under an interface configuration before it applies the ip igmp join-group command, so a command like net add vlan 2 igmp join 192.0.2.0 0.0.0.0 silently fails.

This issue is fixed in Cumulus Linux 3.5.0.

The following NCLU command:

cumulus@switch:~$ net add vlan 501 ospf message-digest-key 7 md5 ospf

Gets incorrectly translated to the following in the FRRouting configuration, /etc/frr/frr.conf:

 ip ospf message-digest-key 7 md5 ip ospf

The correct syntax should be:

 ip ospf message-digest-key 7 md5 ospf

This issue is fixed in Cumulus Linux 3.5.0.

If you stop the hsflowd service, the sFlow sampling appears to continue, sending the samples to the kernel. The sampled ports end up pushing a lot of traffic, and the added sFlow data was causing buffer drops.

This issue is fixed in Cumulus Linux 3.5.0.

Sending multicast traffic to several interfaces while one interface is congested leads to dropped packets on all receivers. In Cumulus Linux 3.5.0, the default multicast buffer size has been changed so that the buffer size per port cannot be more than 128K (1024 cells).

This issue is fixed in Cumulus Linux 3.5.0.

The Mellanox Spectrum switch does not create or export flow samples when the sampled traffic flow is ingress AND egress on a bond interface. 

This issue is fixed in Cumulus Linux 3.5.0.

To work around this issue, edit the configuration in /etc/network/interfaces and move the IPv6 configuration after the IPv4 configuration.

This is incorrect:

auto lo 
iface lo inet loopback 
    address 2001:db8::1/128 
    address 192.0.2.1/32

This is correct:

auto lo 
iface lo inet loopback 
    address 192.0.2.1/32
    address 2001:db8::1/128 

This issue is fixed in Cumulus Linux 3.5.0.

 A new status line is added to the output to indicate the LACP protocol status per member interface.

fupdown2 does not merge all the attributes defined in the policy files by default.

This issue is fixed in Cumulus Linux 3.5.0.

If a license file is not installed for switchd, ifreload and NCLU commands display an error on a setting that it can't apply (such as link speed).

You now see a warning message indicating that a license file is not installed.

It is not clear in MLAG logging what the switch's role is at any given time.

More logging is now added to specify what the role of the switch is. 

If you remove the /etc/resolv.conf file, then try to apply a name server configuration with NCLU, netd crashes.

This issue is fixed in Cumulus Linux 3.5.0.

After issuing the ifreload -a command when adding VXLAN-interfaces, the new XVLAN interfaces remain in the NO CARRIER state. This issue occurs

only if there is no MLAG peer connectivity.

This issue is fixed in Cumulus Linux 3.5.0.

Installing SPAN rules on a VXLAN VNI interface results in an installation error.

This issue is fixed in Cumulus Linux 3.5.0.

If a VRF name contains a dash (-), any service you try to start fails with the message "Invalid VRF name." 

This issue is fixed in Cumulus Linux 3.5.0.

Multiple DHCP relay forwarding requests are replicated erroneously to a server that does not serve that subnet.

This issue is fixed in Cumulus Linux 3.5.0.

When DHCP relay is configured and a DHCP packet is received on an IP unnumbered interface, a Discard message is logged even though the DHCP packet is forwarded.

This issue is fixed in Cumulus Linux 3.5.0.

When traffic originating from the kernel is generated and destined to a connected VRF IPv6 global address while the connected interface is carrier-down, an unreachable route cache entry is created against the loopback interface:

cumulus@leaf01:~$ ip -6 ro ls cache table NAME
unreachable 2001:DB8::5 dev lo  metric 0 
    cache  error -101 pref medium

When the carrier is restored, this entry remains and subsequent route lookups continue to return unreachable results erroneously:

cumulus@leaf01:~$ sudo vrf task exec NAME ping6 2001:DB8::5
connect: Network is unreachable

This issue is fixed in Cumulus Linux 3.5.0.

When you reboot the switch, VXLAN MAC addresses change. The bridge MAC address also changes and is set to the MAC address of eth0.

This issue is fixed in Cumulus Linux 3.5.0.

The following CVEs that were announced in Debian Security Advisory DSA-3945-1 apply to packages maintained and built by Cumulus Networks. They have been fixed in Cumulus Linux 3.5.0 (package version 4.1.33-1+cl3u10):

--------------------------------------------------------------------------
Debian Security Advisory DSA-3945-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 17, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-7346 CVE-2017-7482 CVE-2017-7533 CVE-2017-7541
CVE-2017-7542 CVE-2017-9605 CVE-2017-10810 CVE-2017-10911
CVE-2017-11176 CVE-2017-1000365

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-7346
Li Qiang discovered that the DRM driver for VMware virtual GPUs does not properly check user-controlled values in the vmw_surface_define_ioctl() functions for upper limits. A local user can take advantage of this flaw to cause a denial of service.

CVE-2017-7482
Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does not properly verify metadata, leading to information disclosure, denial of service or potentially execution of arbitrary code.

CVE-2017-7533
Fan Wu and Shixiong Zhao discovered a race condition between inotify events and VFS rename operations allowing an unprivileged local attacker to cause a denial of service or escalate privileges.

CVE-2017-7541
A buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN driver could allow a local user to cause kernel memory corruption, leading to a denial of service or potentially privilege escalation.

CVE-2017-7542
An integer overflow vulnerability in the ip6_find_1stfragopt() function was found allowing a local attacker with privileges to open raw sockets to cause a denial of service.

CVE-2017-9605
Murray McAllister discovered that the DRM driver for VMware virtual GPUs does not properly initialize memory, potentially allowing a local attacker to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call.

CVE-2017-10810
Li Qiang discovered a memory leak flaw within the VirtIO GPU driver resulting in denial of service (memory consumption).

CVE-2017-10911 / XSA-216
Anthony Perard of Citrix discovered an information leak flaw in Xen blkif response handling, allowing a malicious unprivileged guest to obtain sensitive information from the host or other guests.

CVE-2017-11176
It was discovered that the mq_notify() function does not set the sock pointer to NULL upon entry into the retry logic. An attacker can take advantage of this flaw during a user-space close of a Netlink socket to cause a denial of service or potentially cause other impact.

CVE-2017-1000365
It was discovered that argument and environment pointers are not taken properly into account to the imposed size restrictions on arguments and environmental strings passed through RLIMIT_STACK/RLIMIT_INFINITY. A local attacker can take advantage of this flaw in conjunction with other flaws to execute arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.43-2+deb8u3.

The following CVEs that were announced in Debian Security Advisory DSA-3981-1 apply to packages maintained and built by Cumulus Networks. They have been fixed in Cumulus Linux 3.5.0 (package version 4.1.33-1+cl3u10):

--------------------------------------------------------------------------
Debian Security Advisory DSA-3981-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 20, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-7518 CVE-2017-7558 CVE-2017-10661 CVE-2017-11600
CVE-2017-12134 CVE-2017-12146 CVE-2017-12153 CVE-2017-12154
CVE-2017-14106 CVE-2017-14140 CVE-2017-14156 CVE-2017-14340
CVE-2017-14489 CVE-2017-14497 CVE-2017-1000111 CVE-2017-1000112
CVE-2017-1000251 CVE-2017-1000252 CVE-2017-1000370 CVE-2017-1000371
CVE-2017-1000380

Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks.

CVE-2017-7518
Andy Lutomirski discovered that KVM is prone to an incorrect debug exception (#DB) error occurring while emulating a syscall instruction. A process inside a guest can take advantage of this flaw for privilege escalation inside a guest.

CVE-2017-10661 (jessie only)
Dmitry Vyukov of Google reported that the timerfd facility does not properly handle certain concurrent operations on a single file descriptor. This allows a local attacker to cause a denial of service or potentially execute arbitrary code.

CVE-2017-11600
Bo Zhang reported that the xfrm subsystem does not properly validate one of the parameters to a netlink message. Local users with the CAP_NET_ADMIN capability can use this to cause a denial of service or potentially to execute arbitrary code.

CVE-2017-12134 / #866511 / XSA-229
Jan H. Schoenherr of Amazon discovered that when Linux is running in a Xen PV domain on an x86 system, it may incorrectly merge block I/O requests. A buggy or malicious guest may trigger this bug in dom0 or a PV driver domain, causing a denial of service or potentially execution of arbitrary code.

This issue can be mitigated by disabling merges on the underlying back-end block devices, e.g.:
echo 2 > /sys/block/nvme0n1/queue/nomerges

CVE-2017-12153
Bo Zhang reported that the cfg80211 (wifi) subsystem does not properly validate the parameters to a netlink message. Local users with the CAP_NET_ADMIN capability (in any user namespace with a wifi device) can use this to cause a denial of service.

CVE-2017-12154
Jim Mattson of Google reported that the KVM implementation for Intel x86 processors did not correctly handle certain nested hypervisor configurations. A malicious guest (or nested guest in a suitable L1 hypervisor) could use this for denial of service.

CVE-2017-14106
Andrey Konovalov discovered that a user-triggerable division by zero in the tcp_disconnect() function could result in local denial of service.

CVE-2017-14140
Otto Ebeling reported that the move_pages() system call performed insufficient validation of the UIDs of the calling and target processes, resulting in a partial ASLR bypass. This made it easier for local users to exploit vulnerabilities in programs installed with the set-UID permission bit set.

CVE-2017-14156
"sohu0106" reported an information leak in the atyfb video driver. A local user with access to a framebuffer device handled by this driver could use this to obtain sensitive information.

CVE-2017-14340
Richard Wareing discovered that the XFS implementation allows the creation of files with the "realtime" flag on a filesystem with no realtime device, which can result in a crash (oops). A local user with access to an XFS filesystem that does not have a realtime device can use this for denial of service.

CVE-2017-14489
ChunYu Wang of Red Hat discovered that the iSCSI subsystem does not properly validate the length of a netlink message, leading to memory corruption. A local user with permission to manage iSCSI devices can use this for denial of service or possibly to execute arbitrary code.

CVE-2017-14497 (stretch only)
Benjamin Poirier of SUSE reported that vnet headers are not properly handled within the tpacket_rcv() function in the raw packet (af_packet) feature. A local user with the CAP_NET_RAW capability can take advantage of this flaw to cause a denial of service (buffer overflow, and disk and memory corruption) or have other impact.

Cumulus Linux is not vulnerable. The vulnerable code is not present in the Cumulus Linux kernel.

CVE-2017-1000111
Andrey Konovalov of Google reported a race condition in the raw packet (af_packet) feature. Local users with the CAP_NET_RAW capability can use this for denial of service or possibly to execute arbitrary code.

CVE-2017-1000112
Andrey Konovalov of Google reported a race condition flaw in the UDP Fragmentation Offload (UFO) code. A local user can use this flaw for denial of service or possibly to execute arbitrary code.

CVE-2017-1000251 / #875881
Armis Labs discovered that the Bluetooth subsystem does not properly validate L2CAP configuration responses, leading to a stack buffer overflow. This is one of several vulnerabilities dubbed "Blueborne". A nearby attacker can use this to cause a denial of service or possibly to execute arbitrary code on a system with Bluetooth enabled.

CVE-2017-1000252 (stretch only)
Jan H. Schoenherr of Amazon reported that the KVM implementation for Intel x86 processors did not correctly validate interrupt injection requests. A local user with permission to use KVM could use this for denial of service.

Cumulus Linux does not enable KVM functionality, and therefore is not vulnerable.

CVE-2017-1000370
The Qualys Research Labs reported that a large argument or environment list can result in ASLR bypass for 32-bit PIE binaries.

CVE-2017-1000371
The Qualys Research Labs reported that a large argument or environment list can result in a stack/heap clash for 32-bit PIE binaries.

CVE-2017-1000380
Alexander Potapenko of Google reported a race condition in the ALSA (sound) timer driver, leading to an information leak. A local user with permission to access sound devices could use this to obtain sensitive information.

Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited by any local user.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.43-2+deb8u5.

The following CVEs that were announced in Debian Security Advisory DSA-4011-1 apply to the FRRouting package and upstream Quagga package. They have been fixed in Cumulus Linux 3.5.0 (package version 3.1+cl3u1 and 3.1+cl3u3):

--------------------------------------------------------------------------
Debian Security Advisory DSA-4011-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 30, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : quagga
CVE ID : CVE-2017-16227

It was discovered that the bgpd daemon in the Quagga routing suite does not properly calculate the length of multi-segment AS_PATH UPDATE messages, causing bgpd to drop a session and potentially resulting in loss of network connectivity.

For the oldstable distribution (jessie), this problem has been fixed in version 0.99.23.1-1+deb8u4 or the stable distribution (stretch), this problem has been fixed in version 1.1.1-3+deb9u1.

The following security issues announced in DSA-4002-1 apply to Debian packages distributed as part of Cumulus Linux. They have been fixed in the Cumulus Linux 3.5.0 release (version 5.5.58-0+deb8u1 of the mysql package):

-------------------------------------------------------------------------
Debian Security Advisory DSA-4002-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 19, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : mysql-5.5
CVE ID : CVE-2017-10379 CVE-2017-10378 CVE-2017-10268 CVE-2017-10384
Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.58, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-58.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

For the oldstable distribution (jessie), these problems have been fixed in version 5.5.58-0+deb8u1.

The following security issues announced in DSA-4007-1 apply to Debian packages distributed as part of Cumulus Linux. They have been fixed in the Cumulus Linux 3.5.0 release (version 7.38.0-4+deb8u8 of the curl package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4007-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
October 27, 2017 https://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2017-1000257

Brian Carpenter, Geeknik Labs and 0xd34db347 discovered that cURL, an URL transfer library, incorrectly parsed an IMAP FETCH response with size 0, leading to an out-of-bounds read.

For the oldstable distribution (jessie), this problem has been fixed in version 7.38.0-4+deb8u7.

The following security issues announced in DSA-4051-1 apply to Debian packages distributed as part of Cumulus Linux. They have been fixed in the Cumulus Linux 3.5.0 release (version 7.38.0-4+deb8u8 of the curl and libcurl3 packages).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4051-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
November 29, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2017-8816 CVE-2017-8817

Two vulnerabilities were discovered in cURL, an URL transfer library.

CVE-2017-8816
Alex Nichols discovered a buffer overrun flaw in the NTLM authentication code which can be triggered on 32bit systems where an integer overflow might occur when calculating the size of a memory allocation.

CVE-2017-8817
Fuzzing by the OSS-Fuzz project led to the discovery of a read out of bounds flaw in the FTP wildcard function in libcurl. A malicious server could redirect a libcurl-based client to an URL using a wildcard pattern, triggering the out-of-bound read.

For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u8.

The following security issues announced in DSA-4008-1 apply to Debian packages distributed as part of Cumulus Linux. They have been fixed in the Cumulus Linux 3.5.0 release (version 1.16-1+deb8u4 of the wget package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4008-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 28, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : wget
CVE ID : CVE-2017-13089 CVE-2017-13090

Antti Levomaeki, Christian Jalio, Joonas Pihlaja and Juhani Eronen discovered two buffer overflows in the HTTP protocol handler of the Wget download tool, which could result in the execution of arbitrary code
when connecting to a malicious HTTP server.

For the oldstable distribution (jessie), these problems have been fixed in version 1.16-1+deb8u4.

The following security issues announced in DSA-4017-1 apply to Debian packages distributed as part of Cumulus Linux. They have been fixed in the Cumulus Linux 3.5.0 release (version 1.0.1t-1+deb8u7 of the openssl package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4017-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 03, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : openssl1.0
CVE ID : CVE-2017-3735 CVE-2017-3736

Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2017-3735
It was discovered that OpenSSL is prone to a one-byte buffer overread while parsing a malformed IPAddressFamily extension in an X.509 certificate.

Details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20170828.txt

CVE-2017-3736
It was discovered that OpenSSL contains a carry propagation bug in the x86_64 Montgomery squaring procedure.

Details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20171102.txt

The following security issues announced in DSA-4029-1 apply to Debian packages distributed as part of Cumulus Linux. They have been fixed in the Cumulus Linux 3.5.0 release (version 165+deb8u3 of the postgresql-common package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4029-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 09, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : postgresql-common
CVE ID : CVE-2017-8806

It was discovered that the pg_ctlcluster, pg_createcluster and pg_upgradecluster commands handled symbolic links insecurely which could result in local denial of service by overwriting arbitrary files.

For the oldstable distribution (jessie), this problem has been fixed in version 165+deb8u3.

The following security issues announced in DSA-4027-1 apply to Debian packages distributed as part of Cumulus Linux. They have been fixed in the Cumulus Linux 3.5.0 release (version 9.4.15-0+deb8u1 of the postgresql-9.4 package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4027-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 09, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : postgresql-9.4
CVE ID : CVE-2017-15098

A vulnerabilitiy has been found in the PostgreSQL database system: Denial of service and potential memory disclosure in the json_populate_recordset() and jsonb_populate_recordset() functions.

For the oldstable distribution (jessie), this problem has been fixed in version 9.4.15-0+deb8u1.

The following security issues announced in DSA-4042-1 apply to Debian packages distributed as part of Cumulus Linux. They have been fixed in the Cumulus Linux 3.5.0 release (version 2.0116+dfsg-1+deb8u2 of the libxml-libxml-perl package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4042-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 19, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : libxml-libxml-perl
CVE ID : CVE-2017-10672

A use-after-free vulnerability was discovered in XML::LibXML, a Perl interface to the libxml2 library, allowing an attacker to execute arbitrary code by controlling the arguments to a replaceChild() call.

For the oldstable distribution (jessie), this problem has been fixed in version 2.0116+dfsg-1+deb8u2.

On Dell S4148F-ON and S4128F-ON switches, the following cables do not work on SFP ports:

• 10G optical modules (10G SR, LR, AOC)
• 1G optical modules (1G SX, LX, AOC)
• 1G copper RJ45 modules might fail, depending on how the tx_enable signal is used

This issue is fixed in Cumulus Linux 3.5.0.

There is an additional issue that prevents 1G interfaces from working on Dell 4148F and 4128F switches. For further details and the workaround for 1G SFP ports on Dell 4148F and 4128F switches, see RN-778.

A Mellanox switch cannot create and export flow samples when the sampled traffic flow is both ingress and egress on a bond interface. This affects topologies where bonded hosts are transiting the switch to a bonded uplink.

This issue is fixed in Cumulus Linux 3.5.0.

When configuring a DHCP relay on a VRR interface using the NCLU commands, errors are seen when running sudo ifreload -a and net commit.

cumulus@switch:~$ sudo ifreload -a
error: 'scope'

To work around this issue, edit the /etc/network/interfaces file and remove any vlanX-v0 stanzas, then run sudo ifreload -a again.

This issue is fixed in Cumulus Linux 3.5.1.

Adding an OSPF passive interface to an OSPF VRF that has not been defined previously causes ospfd to crash.

To work around this issue, create the VRF before you add the passive OSPF interface.

This issue is fixed in Cumulus Linux 3.5.1.

When you run the ifreload command on a bridge SVI with an MTU higher than 1500, the MTU gets reset to 1500 after the initial ifreload -a, then resets to its original value when running ifreload -a a second time.

This is a known issue and should be fixed in the next release of Cumulus Linux.

With management VRF, the output of the NCLU command net show time ntp servers is empty.

This issue is fixed in Cumulus Linux 3.5.1.

1G and 100M speeds on SFP ports are not working on the Dell S4148T-ON.

To enable a speed lower than 10G on a port on the S4148T platform, you must dedicate an entire port group (four interfaces) to a lower speed setting. Within a port group, you can mix 1G and 100M speeds, if needed. You cannot mix 10G and lower speeds.

To work around this issue:

1. In the /etc/cumulus/ports.conf file, add each of the four ports in the port group as 1G interfaces. You must set each of the ports in the port group to be 1G. Port groups are swp1-4, swp5-8, swp9-12, and so on, and starting with swp31-35 on the right half of the switch. For example, to enable ports swp5-swp8 to autonegotiate to 100M or 1G speeds, add the following to the ports.conf file:
   

   5=1G
   6=1G
   7=1G
   8=1G

2. Restart switchd:
   

   cumulus@switch:~$ sudo systemctl reset-failed switchd; sudo systemctl restart switchd

   After this is done ports swp5-8 will be enabled to autonegotiate with the neighbor devices to 1G or 100M speeds.

As of 3.5.1, 1G interfaces are supported when using the ports.conf file workaround as described above. As of 3.6.0, editing the ports.conf file is no longer required.

When running VXLAN routing, the VRR interface MAC address is missing in the fdb table (permanent entry), which causes duplicate packets.

If you encounter this issue, update the interface configuration on all gateway VTEPs using the ifreload -a -X eth0 command.

After editing the frr.conf file to modify the the BGP ASN for a VRF associated with a layer 3 VNI, the change is not applied.

To work around this issue, first delete the layer 3 VNI, then try to modify the BGP VRF instance.

On a Dell Z9100, the 4x10G breakout ports not working and the speed is still set to the default of 25G.

To work around this issue, change the interface speed for each port in the /etc/cumulus/ports.conf file to 10G, then restart switchd.

Using NCLU to assign the link autoneg off setting to a list of interfaces fails to complete the list if one of the interfaces in the list already has the link autoneg off setting.

This issue is fixed in Cumulus Linux 3.5.1.

When you run the net show bgp ipv4 unicast json command on a large configuration (for example, 64K routes from each of a dozen or more peers), an out of memory issue occurs.

Cumulus Networks is currently working to fix this issue. Avoid running this command on large configurations. Instead, you can run the command vtysh -c 'show bgp ipv4 unicast json.

On Mellanox switches, you can have a maximum of 2048 VLANs, less the number of physical interfaces. Typically, you have no more than 48 physical interfaces, which leaves 2000 VLANs available. If you create more than 48 interfaces, there are only 1991 VLANs available.

This issue is fixed in Cumulus Linux 3.5.1.

On the Broadcom Trident II+ and Maverick based switch, in an external VXLAN routing environment, when a lookup is done on the external-facing switch (exit/border leaf) after VXLAN decapsulation, the switch doesn't rewrite the MAC addresses and TTL. So for through traffic, packets are dropped by the next hop instead of correctly routing from a VXLAN overlay network into a non-VXLAN external network (for example, to the Internet).

This issue affects all traffic from VXLAN overlay hosts that need to be routed after VXLAN decapsulation on an exit/border leaf, including:

• Traffic destined to external networks (through traffic)
• Traffic destined to the exit leaf SVI address

This issue should be fixed in the Trident III ASIC.

To work around this issue, modify the external-facing interface for each VLAN sub-interface by creating a temporary VNI and associating it with the existing VLAN ID.

For example, if the expected interface configuration is:

auto swp3.2001
iface swp3.2001
    vrf vrf1
    address 45.0.0.2/24
# where swp3 is the external facing port and swp3.2001 is the VLAN sub-interface

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge ports vx-4001
    bridge-vids 4001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    <... usual vxlan config ...>
    bridge-access 4001
# where vnid 4001 represents the L3 VNI

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1

You would modify the configuration as follows:

auto swp3
iface swp3
    bridge-access 2001
# associate the port (swp3) with bridge 2001

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge ports swp3 vx-4001 vx-16000000
    bridge-vids 4001 2001
# where vx-4001 is the existing VNI and vx-16000000 is a new temporary VNI
# this is now bridging the port (swp3), the VNI (vx-4001),
# and the new temporary VNI (vx-16000000)
# the bridge VLAN IDs are now 4001 and 2001

auto vlan2001
iface vlan2001
    vlan-id 2001
    vrf vrf1
    address 45.0.0.2/24
    vlan-raw-device bridge
# create a VLAN 2001 with the associated VRF and IP address

auto vx-16000000
iface vx-16000000
    vxlan-id 16000000
    bridge-access 2001
    <... usual vxlan config ...>
# associate the temporary VNI (vx-16000000) with bridge 2001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    <... usual vxlan config ...>
    bridge-access 4001
# where vnid 4001 represents the L3 VNI

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1

An issue with the DC power supply on the Edgecore AS5812 and AS5712 models causes the switch to be inoperable.

This issue is fixed in Cumulus Linux 3.5.1.

When VXLAN symmetric routing in enabled, sometimes packets get forwarded to the CPU after switchd is restarted.

To work around this issue, restart the networking service:

cumulus@switch:~$ sudo systemctl restart networking

This issue is fixed in Cumulus Linux 3.5.1.

If either of the following is configured:

net.ipv4.ip_forward == 0

or:

net.ipv6.conf.all.forwarding == 0

The hardware still forwards packets if there is a neighbor table entry pointing to the destination.

routes: 16384 <<<< if all routes are ipv4 
 long mask routes 256 <<<< i.e., routes with a mask longer 
       than the route mask limit 
 route mask limit 64
 host_routes: 8192 
 ecmp_nhs: 4044 
 ecmp_nhs_per_route: 52

cumulus@switch:~$ sudo cl-resource-query
 hosts : 3 
 all routes : 29 
 IP4 routes : 17 
 IP6 routes : 12 
 nexthops : 3 
 ecmp_groups : 0
 ecmp_nexthops : 0
 mac entries : 0 / 131072 
 bpdu entries : 500 / 512

It's been observed that port LEDs behave differently depending upon the make and model of the switch. For example:

• Agema AG-7448CU: the LED is off when the link is up. It blinks on briefly when there is traffic.
• Edge-Core AS4600-54T: the LED is off when the link is up. It blinks on briefly when there is traffic.
• QuantaMesh T3048-LY2R: the LED is on when the link is up. It blinks off briefly when there is traffic.

Cumulus Networks is currently working to fix this issue.

Cumulus Linux triggers a route-map update before the user finishes editing the route map, resulting in an incorrect route map being used. The route-map update trigger should only occur when user finishes editing the map.

Cumulus Networks is working to fix this issue.

To work around this issue, remove any old redistribute command configurations before adding a new one with or without route-map as a parameter.

For example, if OSPF has a redistribute configuration such as redistribute bgp route-map redist-map-name, you would enable redistribution without a route-map by following these steps in OSPF configuration mode:

1. no redistribute bgp
2. redistribute bgp

You would perform a similar sequence of commands for redistribution changes in BGP as well.

switchd currently allows only the standard port 4789 as the UDP port for VXLAN packets. There are cases where a hypervisor could be using non-standard UDP port, which would cause VXLAN exchanges with the hardware VTEP to not work. In such a case, packets would not be terminated and encapsulated packets would be sent out on UDP port 4789.

When BGP is configured with aggregate addresses with as-set configuration and there are many routes to be aggregated, the BGP process gets into high CPU usage.

To work around this issue, do not specify the as-set parameter for the aggregate-address configuration.

On the Mellanox SN2700 and SN2700B switches, if any of the following occur:

• A shutdown or poweroff command is executed
• A temperature sensor hits a critical value and shuts down the box

Once a PDU power cycle is issued, the box appears to be dead for at least 3 minutes.

This issue is currently being investigated.

Existing BGP issues caused peering between a VRF device and a loopback BGP session to stay up if the loopback session doesn’t advertise its local address.

This issue will be fixed in a future release.

While upgrading from Cumulus Linux 3.0.1 to 3.1.z, the clag package does not update if the logrotate file contains an invalid date. This can occur due to bad batteries in the switch or RTC clock chip issues. The error may look like the following:

error: bad year 1929 for file /var/log/boot.log in state file /var/lib/logrotate/status
dpkg: error processing package clag (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 clag
E: Sub-process /usr/bin/dpkg returned an error code (1)

You can work around this issue by removing the /var/lib/logrotate/status file, and forcing a logrotate. After you do this, the upgrade should be successful.

An issue exists when link pause or priority flow control (PFC) is enabled on a Broadcom Tomahawk-based switch, and there is over-subscription on a link, where the ASIC sends pause frames aggressively, causing the upstream switch not to throttle enough.

If you need link pause or PFC functionality, then to work around this issue, you must use a switch that does not use the Tomahawk ASIC.

Trying to rename a table map — essentially deleting the current table map and adding a new one — causes Quagga to try to install all the routes again, which fills the FIB. The table map begins functioning again on its own after some time and without any intervention, and the FIB usage returns to a normal level.

This issue is currently being investigated.

Counter samples exported from the switch show an incorrect interface speed.

 This issue is being investigated at this time.

On a switch with a Broadcom Tomahawk ASIC, you cannot mix 10G and 25G speeds within the same warp core (a warp core is a cluster of 4 sequential switch ports, such as swp1 through swp4 or swp29 through swp32).

On a 100G switch, each of the 4 physical ports in the core can be broken out into 4x10G or each of the 4 ports can be broken out into 4x25G speeds; you cannot have a mix of speeds.

On a 25G switch, each port in the warp core must be configured for the same speed. You can configure all ports in the warp core for 10G speed, but you cannot have a mix of 25G and 10G speeds.

These restrictions apply to SFP modules; for QSPF modules, the restriction applies if you want to break out one of the ports to 4x10G or 4x25G.

If you want to modify the speed of the ports in a warp core, you must hand edit the /etc/cumulus/ports.conf file. You cannot use NCLU to configure the port speeds on a Tomahawk switch.

This issue is being investigated at this time.

In some instances, ARP requests do not get suppressed (when they ought to be) in a VXLAN active-active scenario, but instead get flooded over VXLAN tunnels. This issue is caused because there is no control plane syncing the snooped local neighbor entries between the MLAG pair; MLAG does not perform this sync, and neither does EVPN.

This issue is being investigated at this time.

It was determined that the MD5 password configured against a BGP listen-range peer-group (used to accept and create dynamic BGP neighbors) is not enforced. This means that connections are accepted from peers that don't specify a password; and only if they don't.

This issue is being investigated.

The default port group discards_pg does not accept packet_extended or packet_all collection types.

This issue is being investigated at this time.

It has been verified that, after booting a Cumulus VX virtual machine running the VMware OVA image, sometimes messages from sensors appear, saying the "Avg state" is critical, with all values displayed as 100.0; then it generates a cl-support.

This issue is being investigated at this time.

When a Tomahawk switch has 512 VXLAN interfaces configured, the switchd heartbeat fails. This can cause switchd to dump core.

To work around this issue, disable VXLAN statistics in switchd. Edit /etc/cumulus/switchd.conf and comment out the following line:

cumulus@switch:~$ sudo nano /etc/cumulus/switchd.conf

...

#stats.vxlan.member = BRIEF

...

Then restart switchd for the change to take effect. This causes all network ports to reset in addition to resetting the switch hardware configuration.

cumulus@switch:~$ sudo systemctl restart switchd.service

On a Facebook Wedge-100 switch, you cannot change the advertisement settings on eth0 and still have a link. eth0 only operates at 1000BASE-T. This is a hardware limitation and there is no workaround.

In certain scenarios, the routes learned through BGP unnumbered become unusable. The BGP neighbor relationships remain but the routes cannot be forwarded due to a failure in layer 2 and layer 3 next hop/MAC address resolution.

To work around this issue, restart FRR.

The Maverick switch limits multicast traffic by the lowest speed port that has joined a particular group.

This issue is being investigated at this time.

The upstream OVSDB VTEP schema has been updated multiple times and now contains a patch to support source-node replication. This patch is not included with the latest version of Cumulus Linux.

Cumulus Networks is currently working to fix this issue.

The MLAG neighbor entries are deleted when the switch goes down; however, the ARP table is out of sync when the bond comes back up and the system MAC address is changed.

To work around this issue, ping the SVI address of the MLAG switch or issue an arping command to the host from the broken switch.

Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs.

This issue is being investigated at this time.

If a two nodes on both sides of a link change from auto-negotiation off to auto-negotiation on for both sides during a short interval (around one second), the link might start flapping or stay down.

To work around this issue and stop the flapping, turn the link down on the switch with the command ifdown swpX, wait a few seconds, then bring the link back up with the command ifup swpX. Repeat this on the other side if necessary.

On the Mellanox switch, packet drops due to congestion are not counted.

To work around this issue, run the command sudo ethtool -S swp1 to collect interface traffic statistics.

When sFlow is enabled, some sampled packets, such as IPMC, are forwarded twice (in the ASIC and then again through the kernel networking stack).

This issue is being investigated at this time.

The output for the NCLU net show config command is incorrect.

This issue is being investigated at this time.

There is a parsing error with the smonctl utility. In some cases when JSON output is chosen, the smonctl utility crashes. The JSON output is necessary to make the information available through SNMP.

This issue should be fixed in the next release of Cumulus Linux.

For static tunnels, the vxlan-ageing command defaults to 300 seconds, which does not align with the bridge-ageing timer of 1800 seconds. As a result, silent hosts learned over VXLAN static tunnels time out after five minutes, which causes the VTEPs to flood all traffic.

To work around this issue, configure the vxlan-ageing timer to align with the brige-aging timer. 

SBUS error warnings display on Tomahawk switches.

This issue is being investigated at this time.

IPv6 ECMP not working in OSPFv3 as expected.

This issue is being investigated at this time.

On Broadcom switches, IPv4 and IPv6 multicast traffic always maps into queue 0.

This issue is being investigated at this time.

1G and 100M speeds on SFP ports do not work automatically on Dell S4148F-ON and S4128F-ON switches.

To enable a speed lower than 10G on a port on the S4148F and S4128F platforms, you must dedicate an entire port group (four interfaces) to a lower speed setting. Within a port group, you can mix 1G and 100M speeds, if needed. You cannot mix 10G and lower speeds.

To work around this issue:

1. In the /etc/cumulus/ports.conf file, set each of the four ports in the port group to 1G. Port groups are swp1-4, swp5-8, swp9-12, and so on, and start with swp31-35 on the right half of the switch. For example, to enable ports swp5-swp8 to link up at to 100M or 1G speeds, add the following to the ports.conf file:
   

   5=1G
   6=1G
   7=1G
   8=1G

2. Restart switchd:

   cumulus@switch:~$ sudo systemctl reset-failed switchd; sudo systemctl restart switchd

3. Configure the interfaces.

   On RJ45 SFPs (1G-BaseT), set the link speed to 1000 for 1G or 100 for 100M and turn off auto-negotiation for each of the four ports in the port group, as shown in the example commands below. Note that auto-negotiation still functions internally on the RJ45 side from within the 1G-BaseT SFP PHY to the neighboring NIC.

   cumulus@switch:~$ net add interface swpXX
   cumulus@switch:~$ net add interface swpXX link speed 1000
   cumulus@switch:~$ net add interface swpXX link autoneg off
   cumulus@switch:~$ net commit

   These commands create the following configuration in the /etc/network/interfaces file:

   auto swpXX
   iface swpXX
    link-speed 1000
    link-duplex full
    link-autoneg off

   On Fiber SFPs (1G-BaseSX, 1G-BaseLX), enable auto-negotiation for each of the four ports in the port group, as shown in the example commands below. Auto-negotiation is not required but allows unidirectional fiber link detection.

   cumulus@switch:~$ net add interface swpXX
   cumulus@switch:~$ net add interface swpXX link autoneg on
   cumulus@switch:~$ net commit

   These commands create the following configuration in the /etc/network/interfaces file:

   auto swpXX
   iface swpXX
     link-autoneg on

When a spine-to-leaf link is brought down or when a spine switch is powered down completely, traffic does not fail over to the remaining ECMP paths with minimal losses, and convergence takes longer than expected.

Certain Dell Z9100 switches running Cumulus Linux 3.5.2 have a different string coded in the Manufacturer field of the SMBIOS/DMI information. This discrepancy sometimes causes a problem with timing during the boot sequence that leaves switchd in a failed state.

To work around this issue, perform a cold reboot or power cycle the switch.

This issue should be fixed in an upcoming version of Cumulus Linux.

After creating a new VNI on a Mellanox switch, VXLAN encapsulated packets are dropped as ingress general discards.

To work around this issue, flap the newly created VNI using the sudo ifdown <vni> and sudo ifup <vni> commands, or trunk the associated VLAN on an interface that is not currently forwarding that VLAN.

This issue is fixed in Cumulus Linux 3.5.2.

Certain unicode characters in the /etc/network/interfaces.d/vlans.intf file, which is used by the interfaces file, cause a decode error when running the net show interface command.

This issue is fixed in Cumulus Linux 3.5.1.