Cumulus RMP 3.5 Release Notes

Follow

Overview

These release notes support Cumulus RMP 3.5.0 and 3.5.1 and describe currently available features and known issues.

Cumulus RMP 3.5.0 supports these features and is available on the Penguin Computing Arctica 4804IP-RMP out-of-band switch.

Stay up to Date 

  • Please sign in and click Follow above so you can receive a notification when we update these release notes.
  • Subscribe to our product bulletin mailing list to receive important announcements and updates about issues that arise in our products.
  • Subscribe to our security announcement mailing list to receive alerts whenever we update our software for security issues.

{{table_of_contents}}

What's New in Cumulus RMP 3.5

Cumulus RMP 3.5 contains the following new features and improvements:

Note: The EA version of netq is not supported under Cumulus RMP 3.5.0.

Installing Version 3.5

If you are upgrading from version 3.0.0 or later, use apt-get to update the software.

Cumulus Networks recommends you use the -E option with sudo whenever you run any apt-get command. This option preserves your environment variables — such as HTTP proxies — before you install new packages or upgrade your distribution.

  1. Run apt-get update.
  2. Run apt-get upgrade.
  3. Reboot the switch.

New Install or Upgrading from Versions Older than 3.0.0

If you are upgrading from a version older than 3.0.0, or installing Cumulus RMP for the first time, download the Cumulus RMP 3.5.0 installer for Broadcom switches from the Cumulus Networks website, then use ONIE to perform a complete install, following the instructions in the user guide.

Note: This method is destructive; any configuration files on the switch will not be saved, so please copy them to a different server before upgrading via ONIE.

Important! After you install, run apt-get update, then apt-get upgrade on your switch to make sure you update Cumulus RMP to include any important or other package updates.

Documentation

You can read the technical documentation here.

Issues Fixed in Cumulus RMP 3.5.1

The following is a list of issues fixed in Cumulus RMP 3.5.1 from earlier versions of Cumulus RMP.

Release Note ID Summary Description

RN-732 (CM-16550)
With management VRF, net show time ntp servers command shows empty output

With management VRF, the output of the NCLU command net show time ntp servers is empty.

This issue is fixed in Cumulus RMP 3.5.1.


RN-746 (CM-19031)
LEDs for ports 1-16 on a Cumulus RMP switch with BMC don't work  

On a Cumulus RMP Pebble-B with BMC switch, also known as the Celestica E1052, the port LEDs do not work on ports 1-16. The ports themselves work.

This issue is fixed in Cumulus RMP 3.5.1.


RN-748 (CM-19202)
The `link autoneg off` setting not applied to the last set of interfaces in a list if OFF already set on one of the interfaces

Using NCLU to assign the link autoneg off setting to a list of interfaces fails to complete the list if one of the interfaces in the list already has the link autoneg off setting.

This issue is fixed in Cumulus RMP 3.5.1.


RN-786 (CM-19300)
NCLU net show interface command output for bridge interfaces is incorrect or missing

The output for the NCLU net show interface command for bridge interfaces is missing or incorrect. The interface mode does not show Bridge/L2 and the member interfaces are shown.

This issue was a regression of an earlier issue and has been fixed again in Cumulus RMP 3.5.1.


RN-794 (CM-19153)
NCLU net show config command output is incorrectly formatted

The output of the NCLU net show config commands is not formatted correctly. Trying to copy and paste the output produces an error.

This issue is fixed in Cumulus RMP 3.5.1.


RN-796 (CM-19045)
netd sometimes crashes with SNMP trap configuration

The netd service crashes if you issue the snmp-server trap-link-up command with a non-default snmpd.conf file. The configuration file is expected to include the following default configuration option:

monitor -r 60 -o laNames -o laErrMessage "laTable" laErrorFlag != 0'

To workaround this issue, you can manually edit the /etc/snmp/snmpd.conf file and add the missing default configuration option.

This issue is fixed in Cumulus RMP 3.5.1.


RN-797 (CM-18980)
NCLU needs support for multiple access client IP addresses associated with a single community

Previously, with NCLU, you were unable to add multiple IP addresses without defining a unique community for each. You can now add multiple access IP addresses to use the same community password.

This issue is fixed in Cumulus RMP 3.5.1.

Issues Fixed in Cumulus RMP 3.5.0

The following is a list of issues fixed in Cumulus RMP 3.5.0 from earlier versions of Cumulus RMP.

Release Note ID Summary Description

RN-646 (CM-17704)
switchd crashes when auto-negotiation is enabled on 10G LR/SR interfaces  

When auto-negotiation is enabled on a 10G LR or SR interface, switchd might crash and cannot be restarted unless you reboot the whole switch.

This issue was a regression of an earlier issue and has been fixed again in Cumulus RMP 3.5.0.


RN-674 (CM-17577)
Cannot set the MTU for switch ports that is different than the MTU for eth0

You cannot set both a global MTU and an individual MTU in a policy file. For example, this configuration does not work:

root@leaf01:/home/cumulus# cat /etc/network/ifupdown2/policy.d/mtu.json
{
 "address": {"defaults": { "mtu": "9216" }},
 "ethtool": {"iface_defaults": {"eth0": {"mtu": "1500"}}}
}

This issue is fixed in Cumulus RMP 3.5.0.


RN-684 (CM-17698) 
Default RMP configuration is not compatible with NCLU due to presence of a glob 

If you use NCLU to update a switch port configuration in Cumulus RMP, you cannot commit the change, and errors like the following get returned:

ERROR: 'ifreload -a' failed due to:
warning: bridge: error parsing glob expression 'swp1' (supported glob syntax: swp1-10.300 or swp[1-10].300  or swp[1-10]sub[0-4].300
error: cmd 'ip link set dev swp1-48 master bridge' failed: returned 1 (Cannot find device "swp1-48"
)
error: bridge: bridge port swp1-48 does not exist

This is due to the default Cumulus RMP configuration, which uses a glob when assigning the switch ports to the bridge. NCLU did not support globs in Cumulus RMP 3.4.2 or earlier.

As of Cumulus RMP 3.4.3, globs are supported in NCLU.

This issue was a regression of an earlier issue and has been fixed again in Cumulus RMP 3.5.0.


RN-696 (CM-17040)
After rebooting a Cumulus Express 5812-54X switch, ports with 1000Base-T SFP are down when auto-negotiation is on

For 1000Base-T interfaces, auto-negotation should be set to no. To work around this issue, disable auto-negotation on these interfaces.

This issue is fixed in Cumulus RMP 3.5.0.


RN-699 (CM-18951)
ifupdown2 policy applied incorrectly for eth0 

On Cumulus RMP, the ifupdown2 policy files stored in /etc/network/ifupdown2/policy.d/ may not be correctly applied to the eth0 interface.

This issue is fixed in Cumulus RMP 3.5.0.


RN-704 (CM-18886)
ifreload causes MTU to drop on bridge SVIs

When you run the ifreload command on a bridge SVI with an MTU higher than 1500, the MTU gets reset to 1500 after the initial ifreload -a, then resets to its original value when running ifreload -a a second time.

This issue is fixed in Cumulus RMP 3.5.0.


RN-706 (CM-18771)
On Broadcom switches, IGMP snooping not working as expected 

Multicast traffic is flooded to all bridge ports even if there is a valid snooped (*,G) entry.

This issue is fixed in Cumulus RMP 3.5.0.


RN-711 (CM-17842)
NCLU net show lldp command reports wrong mode in LLDP output for Trunk/L2

The net show lldp command should display Access/L2 for the mode, but actually reports it as Trunk/L2.

This issue is fixed in Cumulus RMP 3.5.0.


RN-713 (CM-18473)
New functionality within NCLU is enabled automatically after an upgrade 

All NCLU components are now enabled by default after an upgrade, unless explicitly disabled. If you edit the netd.conf file, you can keep your version of the file when performing an upgrade. 


RN-714 (CM-18458)
1G SFP ports flap when reloading settings with ifreload -a 

If a 1G fibre SFP is installed in a 10G SFP+ port and the port speed is not specified (auto-negotiation is on), reloading settings with the ifreload -a command causes the link to flap because of redundant ethtool set commands in ifupdown2.

This issue is fixed in Cumulus RMP 3.5.0.


RN-716 (CM-18433)
netd crashes if the default user cumulus is removed 

If you remove the default user cumulus from the system, netd fails to produce output and generates a traceback message when you run NCLU commands. Some commands return no output to the terminal screen, other commands indicate that netd is not working correctly. 

This issue is fixed in Cumulus RMP 3.5.0.


RN-719 (CM-18052)
After stopping the hsflowd service, sFlow continues to sample, causing buffer drops

If you stop the hsflowd service, the sFlow sampling appears to continue, sending the samples to the kernel. The sampled ports end up pushing a lot of traffic, and the added sFlow data was causing buffer drops.

This issue is fixed in Cumulus RMP 3.5.0.


RN-720 (CM-18355)
Change in default multicast buffer size 

Sending multicast traffic to several interfaces while one interface is congested leads to dropped packets on all receivers. In Cumulus RMP 3.5.0, the default multicast buffer size has been changed so that the buffer size per port cannot be more than 128K (1024 cells).


RN-723 (CM-18161)
Running ifreload bounces the loopback interface if an IPv6 address defined before an IPv4 address

To work around this issue, edit the configuration in /etc/network/interfaces and move the IPv6 configuration after the IPv4 configuration.

This is incorrect:

auto lo 
iface lo inet loopback 
    address 2001:db8::1/128 
    address 192.0.2.1/32

This is correct:

auto lo 
iface lo inet loopback 
    address 192.0.2.1/32
    address 2001:db8::1/128 

This issue is fixed in Cumulus RMP 3.5.0.


RN-728 (CM-14790)
No license error message from ifreload and NCLU commands

If a license file is not installed for switchd, ifreload and NCLU commands display an error on a setting that it can't apply (such as link speed).

You now see a warning message indicating that a license file is not installed.


RN-731 (CM-16233)
netd crashes when configuring nameserver with no resolv.conf file

If you remove the /etc/resolv.conf file, then try to apply a name server configuration with NCLU, netd crashes.

This issue is fixed in Cumulus RMP 3.5.0.


RN-736 (CM-18619)
Multiple DHCP relay forwarding requests overlap on outgoing interface 

Multiple DHCP relay forwarding requests are replicated erroneously to a server that does not serve that subnet.

This issue is fixed in Cumulus RMP 3.5.0.


RN-739 (CM-18790)
Confusing message received on IP unnumbered interface even though packet is forwarded

When DHCP relay is configured and a DHCP packet is received on an IP unnumbered interface, a Discard message is logged even though the DHCP packet is forwarded.

This issue is fixed in Cumulus RMP 3.5.0.


RN-740 (CM-18847)
Unreachable IPv6 route cache entries for connected network not removed when carrier restored

When traffic originating from the kernel is generated and destined to a connected VRF IPv6 global address while the connected interface is carrier-down, an unreachable route cache entry is created against the loopback interface:

cumulus@leaf01:~$ ip -6 ro ls cache table NAME
unreachable 2001:DB8::5 dev lo  metric 0 
    cache  error -101 pref medium

When the carrier is restored, this entry remains and subsequent route lookups continue to return unreachable results erroneously:

cumulus@leaf01:~$ sudo vrf task exec NAME ping6 2001:DB8::5
connect: Network is unreachable

This issue is fixed in Cumulus RMP 3.5.0.


RN-767 (CM-17475)
Security: Linux kernel issues fixed in Cumulus RMP 3.5.0: DSA-3945-1 CVE-2017-7346 CVE-2017-7482 CVE-2017-7533 CVE-2017-7541 CVE-2017-7542 CVE-2017-9605 CVE-2017-10810 CVE-2017-10911 CVE-2017-11176 CVE-2017-1000365

The following CVEs that were announced in Debian Security Advisory DSA-3945-1 apply to packages maintained and built by Cumulus Networks. They have been fixed in Cumulus RMP 3.5.0 (package version 4.1.33-1+cl3u10):

--------------------------------------------------------------------------
Debian Security Advisory DSA-3945-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 17, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-7346 CVE-2017-7482 CVE-2017-7533 CVE-2017-7541
CVE-2017-7542 CVE-2017-9605 CVE-2017-10810 CVE-2017-10911
CVE-2017-11176 CVE-2017-1000365

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-7346
Li Qiang discovered that the DRM driver for VMware virtual GPUs does not properly check user-controlled values in the vmw_surface_define_ioctl() functions for upper limits. A local user can take advantage of this flaw to cause a denial of service.

CVE-2017-7482
Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does not properly verify metadata, leading to information disclosure, denial of service or potentially execution of arbitrary code.

CVE-2017-7533
Fan Wu and Shixiong Zhao discovered a race condition between inotify events and VFS rename operations allowing an unprivileged local attacker to cause a denial of service or escalate privileges.

CVE-2017-7541
A buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN driver could allow a local user to cause kernel memory corruption, leading to a denial of service or potentially privilege escalation.

CVE-2017-7542
An integer overflow vulnerability in the ip6_find_1stfragopt() function was found allowing a local attacker with privileges to open raw sockets to cause a denial of service.

CVE-2017-9605
Murray McAllister discovered that the DRM driver for VMware virtual GPUs does not properly initialize memory, potentially allowing a local attacker to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call.

CVE-2017-10810
Li Qiang discovered a memory leak flaw within the VirtIO GPU driver resulting in denial of service (memory consumption).

CVE-2017-10911 / XSA-216
Anthony Perard of Citrix discovered an information leak flaw in Xen blkif response handling, allowing a malicious unprivileged guest to obtain sensitive information from the host or other guests.

CVE-2017-11176
It was discovered that the mq_notify() function does not set the sock pointer to NULL upon entry into the retry logic. An attacker can take advantage of this flaw during a user-space close of a Netlink socket to cause a denial of service or potentially cause other impact.

CVE-2017-1000365
It was discovered that argument and environment pointers are not taken properly into account to the imposed size restrictions on arguments and environmental strings passed through RLIMIT_STACK/RLIMIT_INFINITY. A local attacker can take advantage of this flaw in conjunction with other flaws to execute arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.43-2+deb8u3.


RN-768 (CM-18121)
Security: Linux kernel issues fixed in Cumulus RMP 3.5.0: DSA-3981-1, CVE-2017-7518, 7558, 10661, 11600, 12134, 12146, 12153, 12154, 14106, 14140, 14156, 14340, 14489, 14497, 1000111, 1000112, 1000251, 1000252, 1000370, 1000371, 100038

The following CVEs that were announced in Debian Security Advisory DSA-3981-1 apply to packages maintained and built by Cumulus Networks. They have been fixed in Cumulus RMP 3.5.0 (package version 4.1.33-1+cl3u10):

--------------------------------------------------------------------------
Debian Security Advisory DSA-3981-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 20, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-7518 CVE-2017-7558 CVE-2017-10661 CVE-2017-11600
CVE-2017-12134 CVE-2017-12146 CVE-2017-12153 CVE-2017-12154
CVE-2017-14106 CVE-2017-14140 CVE-2017-14156 CVE-2017-14340
CVE-2017-14489 CVE-2017-14497 CVE-2017-1000111 CVE-2017-1000112
CVE-2017-1000251 CVE-2017-1000252 CVE-2017-1000370 CVE-2017-1000371
CVE-2017-1000380

Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks.

CVE-2017-7518
Andy Lutomirski discovered that KVM is prone to an incorrect debug exception (#DB) error occurring while emulating a syscall instruction. A process inside a guest can take advantage of this flaw for privilege escalation inside a guest.

CVE-2017-10661 (jessie only)
Dmitry Vyukov of Google reported that the timerfd facility does not properly handle certain concurrent operations on a single file descriptor. This allows a local attacker to cause a denial of service or potentially execute arbitrary code.

CVE-2017-11600
Bo Zhang reported that the xfrm subsystem does not properly validate one of the parameters to a netlink message. Local users with the CAP_NET_ADMIN capability can use this to cause a denial of service or potentially to execute arbitrary code.

CVE-2017-12134 / #866511 / XSA-229
Jan H. Schoenherr of Amazon discovered that when Linux is running in a Xen PV domain on an x86 system, it may incorrectly merge block I/O requests. A buggy or malicious guest may trigger this bug in dom0 or a PV driver domain, causing a denial of service or potentially execution of arbitrary code.

This issue can be mitigated by disabling merges on the underlying back-end block devices, e.g.:
echo 2 > /sys/block/nvme0n1/queue/nomerges

CVE-2017-12153
Bo Zhang reported that the cfg80211 (wifi) subsystem does not properly validate the parameters to a netlink message. Local users with the CAP_NET_ADMIN capability (in any user namespace with a wifi device) can use this to cause a denial of service.

CVE-2017-12154
Jim Mattson of Google reported that the KVM implementation for Intel x86 processors did not correctly handle certain nested hypervisor configurations. A malicious guest (or nested guest in a suitable L1 hypervisor) could use this for denial of service.

CVE-2017-14106
Andrey Konovalov discovered that a user-triggerable division by zero in the tcp_disconnect() function could result in local denial of service.

CVE-2017-14140
Otto Ebeling reported that the move_pages() system call performed insufficient validation of the UIDs of the calling and target processes, resulting in a partial ASLR bypass. This made it easier for local users to exploit vulnerabilities in programs installed with the set-UID permission bit set.

CVE-2017-14156
"sohu0106" reported an information leak in the atyfb video driver. A local user with access to a framebuffer device handled by this driver could use this to obtain sensitive information.

CVE-2017-14340
Richard Wareing discovered that the XFS implementation allows the creation of files with the "realtime" flag on a filesystem with no realtime device, which can result in a crash (oops). A local user with access to an XFS filesystem that does not have a realtime device can use this for denial of service.

CVE-2017-14489
ChunYu Wang of Red Hat discovered that the iSCSI subsystem does not properly validate the length of a netlink message, leading to memory corruption. A local user with permission to manage iSCSI devices can use this for denial of service or possibly to execute arbitrary code.

CVE-2017-14497 (stretch only)
Benjamin Poirier of SUSE reported that vnet headers are not properly handled within the tpacket_rcv() function in the raw packet (af_packet) feature. A local user with the CAP_NET_RAW capability can take advantage of this flaw to cause a denial of service (buffer overflow, and disk and memory corruption) or have other impact.

Cumulus RMP is not vulnerable. The vulnerable code is not present in the Cumulus RMP kernel.

CVE-2017-1000111
Andrey Konovalov of Google reported a race condition in the raw packet (af_packet) feature. Local users with the CAP_NET_RAW capability can use this for denial of service or possibly to execute arbitrary code.

CVE-2017-1000112
Andrey Konovalov of Google reported a race condition flaw in the UDP Fragmentation Offload (UFO) code. A local user can use this flaw for denial of service or possibly to execute arbitrary code.

CVE-2017-1000251 / #875881
Armis Labs discovered that the Bluetooth subsystem does not properly validate L2CAP configuration responses, leading to a stack buffer overflow. This is one of several vulnerabilities dubbed "Blueborne". A nearby attacker can use this to cause a denial of service or possibly to execute arbitrary code on a system with Bluetooth enabled.

CVE-2017-1000252 (stretch only)
Jan H. Schoenherr of Amazon reported that the KVM implementation for Intel x86 processors did not correctly validate interrupt injection requests. A local user with permission to use KVM could use this for denial of service.

Cumulus RMP does not enable KVM functionality, and therefore is not vulnerable.

CVE-2017-1000370
The Qualys Research Labs reported that a large argument or environment list can result in ASLR bypass for 32-bit PIE binaries.

CVE-2017-1000371
The Qualys Research Labs reported that a large argument or environment list can result in a stack/heap clash for 32-bit PIE binaries.

CVE-2017-1000380
Alexander Potapenko of Google reported a race condition in the ALSA (sound) timer driver, leading to an information leak. A local user with permission to access sound devices could use this to obtain sensitive information.

Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited by any local user.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.43-2+deb8u5.


RN-770 (CM-18462)
Security: mysql issues fixed in Cumulus RMP 3.5.0: DSA-4002-1 CVE-2017-10268 CVE-2017-10378 CVE-2017-10379 CVE-2017-10384

The following security issues announced in DSA-4002-1 apply to Debian packages distributed as part of Cumulus RMP. They have been fixed in the Cumulus RMP 3.5.0 release (version 5.5.58-0+deb8u1 of the mysql package):

-------------------------------------------------------------------------
Debian Security Advisory DSA-4002-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 19, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : mysql-5.5
CVE ID : CVE-2017-10379 CVE-2017-10378 CVE-2017-10268 CVE-2017-10384
Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.58, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-58.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

For the oldstable distribution (jessie), these problems have been fixed in version 5.5.58-0+deb8u1.


RN-771 (CM-18606)
Security: curl issue fixed in Cumulus RMP 3.5.0: DSA-4007-1 CVE-2017-1000257

The following security issues announced in DSA-4007-1 apply to Debian packages distributed as part of Cumulus RMP. They have been fixed in the Cumulus RMP 3.5.0 release (version 7.38.0-4+deb8u8 of the curl package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4007-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
October 27, 2017 https://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2017-1000257

Brian Carpenter, Geeknik Labs and 0xd34db347 discovered that cURL, an URL transfer library, incorrectly parsed an IMAP FETCH response with size 0, leading to an out-of-bounds read.

For the oldstable distribution (jessie), this problem has been fixed in version 7.38.0-4+deb8u7.


RN-772 (CM-19011)
Security: libcurl issue fixed in Cumulus RMP 3.5.0: DSA-4051 CVE-2017-8816 CVE-2017-8817

The following security issues announced in DSA-4051-1 apply to Debian packages distributed as part of Cumulus RMP. They have been fixed in the Cumulus RMP 3.5.0 release (version 7.38.0-4+deb8u8 of the curl and libcurl3 packages).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4051-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
November 29, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2017-8816 CVE-2017-8817

Two vulnerabilities were discovered in cURL, an URL transfer library.

CVE-2017-8816
Alex Nichols discovered a buffer overrun flaw in the NTLM authentication code which can be triggered on 32bit systems where an integer overflow might occur when calculating the size of a memory allocation.

CVE-2017-8817
Fuzzing by the OSS-Fuzz project led to the discovery of a read out of bounds flaw in the FTP wildcard function in libcurl. A malicious server could redirect a libcurl-based client to an URL using a wildcard pattern, triggering the out-of-bound read.

For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u8.


RN-773 (CM-18609)
Security: wget issue fixed in Cumulus RMP 3.5.0: DSA-4008-1 CVE-2017-13089 CVE-2017-13090

The following security issues announced in DSA-4008-1 apply to Debian packages distributed as part of Cumulus RMP. They have been fixed in the Cumulus RMP 3.5.0 release (version 1.16-1+deb8u4 of the wget package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4008-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 28, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : wget
CVE ID : CVE-2017-13089 CVE-2017-13090

Antti Levomaeki, Christian Jalio, Joonas Pihlaja and Juhani Eronen discovered two buffer overflows in the HTTP protocol handler of the Wget download tool, which could result in the execution of arbitrary code
when connecting to a malicious HTTP server.

For the oldstable distribution (jessie), these problems have been fixed in version 1.16-1+deb8u4.


RN-774 (CM-18676)
Security: openssl issue fixed in Cumulus RMP 3.5.0: DSA-4017-1 CVE-2017-3735 CVE-2017-3736

The following security issues announced in DSA-4017-1 apply to Debian packages distributed as part of Cumulus RMP. They have been fixed in the Cumulus RMP 3.5.0 release (version 1.0.1t-1+deb8u7 of the openssl package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4017-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 03, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : openssl1.0
CVE ID : CVE-2017-3735 CVE-2017-3736

Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2017-3735
It was discovered that OpenSSL is prone to a one-byte buffer overread while parsing a malformed IPAddressFamily extension in an X.509 certificate.

Details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20170828.txt

CVE-2017-3736
It was discovered that OpenSSL contains a carry propagation bug in the x86_64 Montgomery squaring procedure.

Details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20171102.txt


RN-775 (CM-18752)
Security: postgresql-common issue fixed in Cumulus RMP 3.5.0: DSA-4029-1 CVE-2017-8806

The following security issues announced in DSA-4029-1 apply to Debian packages distributed as part of Cumulus RMP. They have been fixed in the Cumulus RMP 3.5.0 release (version 165+deb8u3 of the postgresql-common package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4029-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 09, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : postgresql-common
CVE ID : CVE-2017-8806

It was discovered that the pg_ctlcluster, pg_createcluster and pg_upgradecluster commands handled symbolic links insecurely which could result in local denial of service by overwriting arbitrary files.

For the oldstable distribution (jessie), this problem has been fixed in version 165+deb8u3.


RN-776 (CM-18763)
Security: postgresql issue fixed in Cumulus RMP 3.5.0: DSA-4027-1 CVE-2017-15098

The following security issues announced in DSA-4027-1 apply to Debian packages distributed as part of Cumulus RMP. They have been fixed in the Cumulus RMP 3.5.0 release (version 9.4.15-0+deb8u1 of the postgresql-9.4 package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4027-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 09, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : postgresql-9.4
CVE ID : CVE-2017-15098

A vulnerabilitiy has been found in the PostgreSQL database system: Denial of service and potential memory disclosure in the json_populate_recordset() and jsonb_populate_recordset() functions.

For the oldstable distribution (jessie), this problem has been fixed in version 9.4.15-0+deb8u1.


RN-777 (CM-18907)
Security: libxml-libxml-perl issue fixed in Cumulus RMP 3.5.0: DSA-4042 CVE-2017-10672 

The following security issues announced in DSA-4042-1 apply to Debian packages distributed as part of Cumulus RMP. They have been fixed in the Cumulus RMP 3.5.0 release (version 2.0116+dfsg-1+deb8u2 of the libxml-libxml-perl package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4042-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 19, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : libxml-libxml-perl
CVE ID : CVE-2017-10672

A use-after-free vulnerability was discovered in XML::LibXML, a Perl interface to the libxml2 library, allowing an attacker to execute arbitrary code by controlling the arguments to a replaceChild() call.

For the oldstable distribution (jessie), this problem has been fixed in version 2.0116+dfsg-1+deb8u2.


RN-779 (CM-19181)
Active cables (10G fiber, 1G fiber, sometimes 1G RJ45) not working on Dell S4148F-ON S4128F-ON

On Dell S4148F-ON S4128F-ON switches, the following cables do not work on SFP ports:

  • 10G optical modules (10G SR, LR, AOC)
  • 1G optical modules (1G SX, LX, AOC)

1G copper RJ45 modules might fail, depending on how the tx_enable signal is used.

To work around this issue:

  1. In the /etc/cumulus/ports.conf file, set each of the four ports in the port group to 1G. You must set each of the ports in the port group to be 1G or slower, otherwise the auto-negotiation off setting is not accepted.
  2. On RJ45 (1G-BaseT) SFPs, set the link speed to 1000 for 1G or 100 for 100M for each of the four ports in the port group, as shown in the example commands below:
    cumulus@switch:~$ net add interface swpXX
    cumulus@switch:~$ net add interface swpXX link speed 1000
    cumulus@switch:~$ net add interface swpXX link autoneg off
    cumulus@switch:~$ net commit
    These commands create the following configuration in the /etc/network/interfaces file:
    auto swpXX
    iface swpXX
     link-speed 1000
     link-duplex full
     link-autoneg off
  3. To detect unidirectional links for 1G on fiber SFPs (1G-BaseSX, 1G-BaseLX), turn on auto-negotiation for each of the four ports in the port group, as shown in the example commands below. Auto-negotiation is not required but allows unidirectional fiber link detection. 
    cumulus@switch:~$ net add interface swpXX
    cumulus@switch:~$ net add interface swpXX link autoneg on
    cumulus@switch:~$ net commit

    These commands create the following configuration in the /etc/network/interfaces file:

    auto swpXX
    iface swpXX
      link-autoneg on

New Known Issues in Cumulus RMP 3.5.1

The following issues are new to Cumulus RMP and affect the current release.

Release Note ID Summary Description

RN-785 (CM-19422)
NCLU `net show interface detail` command does not display detailed output

The net show interface swp# command returns the same output as net show interface swp# detail.

To view the additional information typically presented, use alternative commands. For example, to view the module information and statistics use ethtool swp# and ethtool -S swp#.

This issue is currently being investigated.


RN-787 (CM-19418)
NCLU: `net add hostname` creates an inconsistency between /etc/hostname and /etc/hosts files

Running net add hostname <hostname> updates both /etc/hostname and /etc/hosts. However, NCLU modifies the hostname value passed to /etc/hostname, removing certain characters and converting the hostname to lowercase, whereas the hostname passed to /etc/hosts is passed through as is, creating an inconsistency between the two files.

To work around this issue, manually set the hostname in both /etc/hostname and /etc/hosts using a text editor such as vi or nano.

This issue is currently being investigated.


RN-788 (CM-19381)
dhcrelay does not bind to interfaces that have names longer than 14 characters

The dhcrelay command does not bind to an interface if the interface's name is longer than 14 characters.

To work around this issue, change the interface name to be 14 or fewer characters if dhcrelay is required to bind to it.

This issue is currently being investigated.


RN-798 (CM-19257)
NCLU `net show config commands` doesn't parse the multiple forms for agentaddress in snmpd.conf

If you manually edit the snmpd.conf to specify the agentaddress, net show config commands outputs the command in a way that cannot be pasted back into the file.

For example, you can specify the agentaddress in any of the following ways:

agentaddress udp:1.1.1.1:161,2.2.2.2:171,3.3.3.3
agentaddress 4.4.4.4,5.5.5.5:171,6.6.6.6:161
agentaddress tcp:7.7.7.7

This issue is currently being investigated.


RN-799 (CM-16493)
 

You cannot use NCLU or ifupdown2 to enable or disable of the IPv6 link-local eui-64 format.

To work around this limitation, you can use the following iproute2 command:

cumulus@switch:~$ sudo ip link set swp# addrgenmode {eui-64|none}

Note that this command does not persist across a reboot of the switch.

This issue is currently being investigated.

New Known Issues in Cumulus RMP 3.5.0

The following issues are new to Cumulus RMP and affect version 3.5.0.

Release Note ID Summary Description

RN-748 (CM-19202)
The `link autoneg off` setting not applied to the last set of interfaces in a list if OFF already set on one of the interfaces

Using NCLU to assign the link autoneg off setting to a list of interfaces fails to complete the list if one of the interfaces in the list already has the link autoneg off setting.

Cumulus Networks is currently working to fix this issue.

Previously Known Issues in Cumulus RMP 3.5.0

The following issues also affect the current release.

Release Note ID Summary Description

RN-56 (CM-343)
IPv4/IPv6 forwarding disabled mode not recognized

If either of the following is configured:

net.ipv4.ip_forward == 0 

or:

net.ipv6.conf.all.forwarding == 0 

The hardware still forwards packets if there is a neighbor table entry pointing to the destination.


RN-120 (CM-477)
ethtool LED blinking does not work with switch ports Linux uses ethtool -p to identify the physical port backing an interface, or to identify the switch itself. Usually this identification is by blinking the port LED until ethtool -p is stopped.

This feature does not apply to switch ports (swpX) in Cumulus RMP.

RN-121 (CM-2123)
ptmd: When a physical interface is in a PTM FAIL state, its subinterface still exchanges information Issue:
When ptmd is incorrectly in a failure state and the Zebra interface is enabled, PIF BGP sessions are not establishing the route, but the subinterface on top of it does establish routes.

If the subinterface is configured on the physical interface and the physical interface is incorrectly marked as being in a PTM FAIL state, routes on the physical interface are not processed in Quagga, but the subinterface is working.

Steps to reproduce:
cumulus@switch:$ sudo vtysh -c 'show int swp8' 
Interface swp8 is up, line protocol is up 
PTM status: fail
index 10 metric 1 mtu 1500 
 flags: <UP,BROADCAST,RUNNING,MULTICAST>
 HWaddr: 44:38:39:00:03:88 
 inet 12.0.0.225/30 broadcast 12.0.0.227 
 inet6 2001:cafe:0:38::1/64 
 inet6 fe80::4638:39ff:fe00:388/64 
cumulus@switch:$ ip addr show | grep swp8 
 10: swp8: <BROADCAST,MULTICAST,UP,LOWER_UP> 
  mtu 1500 qdisc pfifo_fast state UP qlen 500 
  inet 12.0.0.225/30 brd 12.0.0.227 scope global swp8 
 104: swp8.2049@swp8: <BROADCAST,MULTICAST,UP,LOWER_UP> 
  mtu 1500 qdisc noqueue state UP 
  inet 12.0.0.229/30 brd 12.0.0.231 scope global swp8.2049 
 105: swp8.2050@swp8: <BROADCAST,MULTICAST,UP,LOWER_UP> 
  mtu 1500 qdisc noqueue state UP 
  inet 12.0.0.233/30 brd 12.0.0.235 scope global swp8.2050 
 106: swp8.2051@swp8: <BROADCAST,MULTICAST,UP,LOWER_UP> 
  mtu 1500 qdisc noqueue state UP 
  inet 12.0.0.237/30 brd 12.0.0.239 scope global swp8.2051 
 107: swp8.2052@swp8: <BROADCAST,MULTICAST,UP,LOWER_UP> 
  mtu 1500 qdisc noqueue state UP 
  inet 12.0.0.241/30 brd 12.0.0.243 scope global swp8.2052 
 108: swp8.2053@swp8: <BROADCAST,MULTICAST,UP,LOWER_UP>
  mtu 1500 qdisc noqueue state UP 
  inet 12.0.0.245/30 brd 12.0.0.247 scope global swp8.2053 
 109: swp8.2054@swp8: <BROADCAST,MULTICAST,UP,LOWER_UP> 
  mtu 1500 qdisc noqueue state UP 
  inet 12.0.0.249/30 brd 12.0.0.251 scope global swp8.2054
 110: swp8.2055@swp8: <BROADCAST,MULTICAST,UP,LOWER_UP>
  mtu 1500 qdisc noqueue state UP 
  inet 12.0.0.253/30 brd 12.0.0.255 scope global swp8.2055
cumulus@switch:$ bgp sessions: 
 12.0.0.226 ,4 ,64057 , 958 , 1036 , 0 , 0 , 0 ,15:55:42, 0, 10472 
 12.0.0.230 ,4 ,64058 , 958 , 1016 , 0 , 0 , 0 ,15:55:46, 187, 10285
 12.0.0.234 ,4 ,64059 , 958 , 1049 , 0 , 0 , 0 ,15:55:40, 187, 10285 
 12.0.0.238 ,4 ,64060 , 958 , 1039 , 0 , 0 , 0 ,15:55:45, 187, 10285 
 12.0.0.242 ,4 ,64061 , 958 , 1014 , 0 , 0 , 0 ,15:55:46, 187, 10285 
 12.0.0.246 ,4 ,64062 , 958 , 1016 , 0 , 0 , 0 ,15:55:46, 187, 10285 
 12.0.0.250 ,4 ,64063 , 958 , 1029 , 0 , 0 , 0 ,15:55:43, 187, 10285 
 12.0.0.254 ,4 ,64064 , 958 , 1036 , 0 , 0 , 0 ,15:55:44, 187, 10285 

RN-398 (CM-10379)
While upgrading Cumulus RMP, a prompt to configure grub-pc appears

While upgrading to the latest version of Cumulus RMP from version 2.5.5 or earlier, a prompt appears, asking you to choose onto which partitions to install the GRUB boot loader. 

... 

  1. /dev/mmcblk0 (3783 MB; ???)       3. /dev/dm-2 (1610 MB; CUMULUS-SYSROOT1)
  2. - /dev/mmcblk0p3 (268 MB; /boot)  4. none of the above

(Enter the items you want to select, separated by spaces.)

GRUB install devices:

...

This prompt should not appear, and the issue will be fixed in a future release.

In the meantime, to work around this issue, choose option 1, /dev/mmcblk0 and continue the upgrade.


RN-602 (CM-)
sFlow ifSpeed incorrect in counter samples

Counter samples for an 80G bond (2 x 40G) exported from the switch show an interface speed (ifSpeed) of 14.464Gbps.

This issue is currently being investigated.

Have more questions? Submit a request

Comments

Powered by Zendesk