Cumulus Linux 3.6 Release Notes

Overview

These release notes support Cumulus Linux 3.6.0, 3.6.1, and 3.6.2 and describe currently available features and known issues. 

Stay up to Date 

  • Please sign in and click Follow above so you can receive a notification when we update these release notes.
  • Subscribe to our product bulletin mailing list to receive important announcements and updates about issues that arise in our products.
  • Subscribe to our security announcement mailing list to receive alerts whenever we update our software for security issues.

What's New in Cumulus Linux 3.6.2

Cumulus Linux 3.6.2 contains the following new features, platforms, and improvements:

What's New in Cumulus Linux 3.6.0

Cumulus Linux 3.6.0 contains the following new features, platforms, and improvements:

Licensing

Cumulus Linux is licensed on a per-instance basis. Each network system is fully operational, enabling any capability to be utilized on the switch with the exception of forwarding on switch panel ports. Only eth0 and console ports are activated on an un-licensed instance of Cumulus Linux. Enabling front panel ports requires a license.

You should have received a license key from Cumulus Networks or an authorized reseller. To install the license, read the Cumulus Linux Quick Start Guide.

Installing Version 3.6

If you are upgrading from version 3.0.0 or later, use apt-get to update the software.

Cumulus Networks recommends you use the -E option with sudo whenever you run any apt-get command. This option preserves your environment variables, such as HTTP proxies, before you install new packages or upgrade your distribution.

  1. Retrieve the new version packages: 
    cumulus@switch:~$ sudo -E apt-get update
  2. If you are using any early access features from an older release, remove them with:
    cumulus@switch:~$ sudo -E apt-get remove EA_PACKAGENAME
  3. Upgrade the release: 
    cumulus@switch:~$ sudo -E apt-get upgrade
  4. To include additional Cumulus Linux packages not present in your current version, run the command:
    cumulus@switch:~$ sudo -E apt-get install nclu hostapd python-cumulus-restapi linuxptp
    If you already have the latest version of a package installed, you see messages similar to: nclu is already the newest version. You might also see additional packages being installed due to dependencies.
  5. Reboot the switch:
    cumulus@switch:~$ sudo reboot

Note: If you see errors for expired GPG keys that prevent you from upgrading packages when upgrading to Cumulus Linux 3.6 from 3.5.1 or earlier, follow the steps in Upgrading Expired GPG Keys.

Note: In Cumulus Linux 3.6.0, the upgrade process has changed. During an upgrade to 3.6.0 from 3.5 or earlier, certain services might be stopped. These services are not restarted until after the switch reboots, which results in some functionality being lost during the upgrade process.

During the upgrade, you will see messages similar to the following:

/usr/sbin/policy-rc.d returned 101, not running 'stop switchd.service'
/usr/sbin/policy-rc.d returned 101, not running 'start switchd.service'

At the end of the upgrade, if a reboot is required, you see the following message:

*** Caution: Service restart prior to reboot could cause unpredictable behavior
*** System reboot required ***

Do not restart services manually until after rebooting, or services will fail.

For upgrades from 3.6.0 or a later release, if no reboot is required after the upgrade completes, the upgrade stops and restarts all upgraded services and logs messages in the /var/log/syslog file similar to the ones shown below. (In the example below, only the frr package was upgraded.)

Policy: Service frr.service action stop postponed
Policy: Service frr.service action start postponed
Policy: Restarting services: frr.service
Policy: Finished restarting services
Policy: Removed /usr/sbin/policy-rc.d
Policy: Upgrade is finished
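
Added example (mine, not Cumulus Networks' code) that wraps the two checks a practitioner wants around the upgrade path above: spotting expired APT signing keys before running apt-get, and reading the apt output and the "Policy:" syslog lines afterwards to decide whether a reboot is still pending. The apt-key list line format, the syslog line prefix and every sample value are assumptions constructed for the example, not captures from a switch.

```shell
#!/bin/sh
# Added example for the upgrade path in these notes; it is not Cumulus Networks'
# code. Two small checks around `sudo -E apt-get upgrade`:
#   1. before the upgrade, list APT signing keys that `apt-key list` reports
#      as expired (expired keys block the upgrade from 3.5.1 or earlier);
#   2. after the upgrade, classify the result from the apt output and the
#      "Policy:" lines in /var/log/syslog, so services are never restarted by
#      hand while a reboot is pending.
# Assumed, not taken from the page: the jessie-era `apt-key list` line format,
# the syslog line prefix, and every sample value below (all constructed).

# Print "KEYID expired YYYY-MM-DD" for each expired key in an `apt-key list`
# capture given as $1.  Usage: apt-key list > keys.txt; expired_apt_keys keys.txt
expired_apt_keys() {
    sed -n 's/^pub  *[0-9]*[A-Za-z]\/\([0-9A-Fa-f]*\) [0-9-]* \[expired: \([0-9-]*\)].*/\1 expired \2/p' "$1"
}

# Classify an upgrade from a file holding the apt output and/or the syslog
# lines. Prints exactly one word:
#   reboot-required    reboot first; do not restart services manually
#   services-restarted no reboot was needed; policy restarted the services
#   incomplete         neither terminal message found; inspect the log
upgrade_outcome() {
    if grep -q '\*\*\* System reboot required \*\*\*' "$1"; then
        echo reboot-required
    elif grep -q 'Policy: Upgrade is finished' "$1"; then
        echo services-restarted
    else
        echo incomplete
    fi
}

# Services whose stop/start was postponed by policy-rc.d, in either message
# form the notes show, space separated and deduplicated.
postponed_services() {
    sed -n -e 's/.*Policy: Service \([^ ]*\) action [a-z]* postponed.*/\1/p' \
           -e "s/.*policy-rc.d returned 101, not running '[a-z]* \([^']*\)'.*/\1/p" "$1" \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# --- constructed sample inputs (not real captures) ---------------------------
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/apt-key.txt" <<'EOF'
/etc/apt/trusted.gpg
--------------------
pub   2048R/0000AAAA 2014-06-10 [expired: 2018-06-09]
uid                  Constructed Expired Key <placeholder@example.invalid>
pub   4096R/0000BBBB 2017-01-01 [expires: 2027-01-01]
uid                  Constructed Valid Key <placeholder@example.invalid>
EOF

# apt output as the notes describe it for an upgrade to 3.6.0 from 3.5.x
cat > "$SAMPLE_DIR/upgrade-360.log" <<'EOF'
/usr/sbin/policy-rc.d returned 101, not running 'stop switchd.service'
/usr/sbin/policy-rc.d returned 101, not running 'start switchd.service'
*** Caution: Service restart prior to reboot could cause unpredictable behavior
*** System reboot required ***
EOF

# /var/log/syslog lines for a post-3.6.0 upgrade where only frr changed
# (the timestamp and tag prefix are constructed)
cat > "$SAMPLE_DIR/upgrade-362.log" <<'EOF'
Jun  1 10:00:01 switch apt: Policy: Service frr.service action stop postponed
Jun  1 10:00:01 switch apt: Policy: Service frr.service action start postponed
Jun  1 10:00:05 switch apt: Policy: Restarting services: frr.service
Jun  1 10:00:06 switch apt: Policy: Finished restarting services
Jun  1 10:00:06 switch apt: Policy: Removed /usr/sbin/policy-rc.d
Jun  1 10:00:06 switch apt: Policy: Upgrade is finished
EOF

echo "expired keys: $(expired_apt_keys "$SAMPLE_DIR/apt-key.txt")"
for f in upgrade-360 upgrade-362; do
    echo "$f: $(upgrade_outcome "$SAMPLE_DIR/$f.log") [$(postponed_services "$SAMPLE_DIR/$f.log")]"
done
```

Run expired_apt_keys against a saved apt-key list capture before step 1, and upgrade_outcome against the captured apt output or /var/log/syslog after step 3; a reboot-required result means step 5 must happen before anything restarts a service.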

For additional information about upgrading, see Upgrading Cumulus Linux in the Cumulus Linux User Guide.

New Install or Upgrading from Versions Older than 3.0.0

If you are upgrading from a version older than 3.0.0, or installing Cumulus Linux for the first time, download the Cumulus Linux 3.6.0 installer for Broadcom or Mellanox switches from the Cumulus Networks website, then use ONIE to perform a complete install, following the instructions in the quick start guide.

Note: This method is destructive: configuration files on the switch are not preserved, so copy them to a different server before upgrading via ONIE.

Important! After you install, run apt-get update, then apt-get upgrade on your switch to make sure you update Cumulus Linux to include any important or other package updates.

Updating a Deployment that Has MLAG Configured

If you are using MLAG to dual connect two switches in your environment, and those switches are still running Cumulus Linux 2.5 ESR or any other release earlier than 3.0.0, the switches will not be dual-connected after you upgrade the first switch. To ensure a smooth upgrade, follow these steps:

  1. Disable clagd in the /etc/network/interfaces file (set clagd-enable to no), then restart the switchd, networking, and FRR services.
    cumulus@switch:~$ sudo systemctl restart switchd.service
    cumulus@switch:~$ sudo systemctl restart networking.service
    cumulus@switch:~$ sudo systemctl restart frr.service
  2. If you are using BGP, notify the BGP neighbors that the switch is going down:
    cumulus@switch:~$ sudo vtysh -c "config t" -c "router bgp" -c "neighbor X.X.X.X shutdown"
  3. Stop the Quagga (if upgrading from a version earlier than 3.2.0) or FRR service (if upgrading from version 3.2.0 or later):
    cumulus@switch:~$ sudo systemctl stop [quagga|frr].service 
  4. Bring down all the front panel ports:
    cumulus@switch:~$ sudo ip link set swp<#> down
  5. Run cl-img-select -fr to boot the switch in the secondary role into ONIE, then reboot the switch.
  6. Install Cumulus Linux 3.6 onto the secondary switch using ONIE. At this time, all traffic is going to the switch in the primary role.
  7. After the install, copy the license file and all the configuration files you backed up, then restart the switchd, networking, and Quagga services. All traffic is still going to the primary switch.
    cumulus@switch:~$ sudo systemctl restart switchd.service
    cumulus@switch:~$ sudo systemctl restart networking.service
    cumulus@switch:~$ sudo systemctl restart quagga.service
  8. Run cl-img-select -fr to boot the switch in the primary role into ONIE, then reboot the switch. Now, all traffic is going to the switch in the secondary role that you just upgraded to version 3.6.
  9. Install Cumulus Linux 3.6 onto the primary switch using ONIE. 
  10. After the install, copy the license file and all the configuration files you backed up.
  11. Follow the steps for upgrading from Quagga to FRRouting.
  12. Enable clagd again in the /etc/network/interfaces file (set clagd-enable to yes), then run ifreload -a.
    cumulus@switch:~$ sudo ifreload -a
  13. Bring up all the front panel ports:
    cumulus@switch:~$ sudo ip link set swp<#> up
  14. Now the two switches are dual-connected again and traffic flows to both switches.

Perl, Python and BDB Modules

Any Perl scripts that use the DB_File module or Python scripts that use the bsddb module won't run under Cumulus Linux 3.6.

Documentation

You can read the technical documentation here.

Issues Fixed in Cumulus Linux 3.6.2

The following is a list of issues fixed in Cumulus Linux 3.6.2 from earlier versions of Cumulus Linux. 

Release Note ID Summary Description

RN-763 (CM-16139)
OSPFv3 does not handle ECMP properly

IPv6 ECMP is not working as expected in OSPFv3.

This issue is fixed in Cumulus Linux 3.6.2.


RN-799 (CM-16493)
No way to configure IPv6 link-local addrgenmode using ifupdown2 or NCLU

You cannot use NCLU or ifupdown2 to enable or disable the IPv6 link-local eui-64 address format.

To work around this limitation, you can use the following iproute2 command:

cumulus@switch:~$ sudo ip link set swpX addrgenmode {eui-64|none}

Note: This command does not persist across a reboot of the switch.

This issue is fixed in Cumulus Linux 3.6.2.


RN-827 (CM-14300)
cl-acltool counters for implicit accept do not work for IPv4 on management (ethX) interfaces

iptables does not count packets ingressing ethX interfaces against the default INPUT chain rule.

This issue is fixed in Cumulus Linux 3.6.2.


RN-875 (CM-20779)
On Mellanox switches, withdrawal of one ECMP next-hop results in the neighbor entry for that next hop to be missing from hardware

On a Mellanox switch, when you withdraw one ECMP next hop, the neighbor entry for that next hop is missing from the hardware.

To work around this issue, manually delete the ARP entry from the kernel with the arp -d command so that it is repopulated in the hardware.

This issue is fixed in Cumulus Linux 3.6.2.


RN-880 (CM-20672)
In Mellanox buffer monitoring, packet statistics per priority ignore priority 7

The buffer monitoring tool on Mellanox switches only shows priorities 0 through 6 for the all_packet_pg statistics; priority 7 is not shown.

This issue is fixed in Cumulus Linux 3.6.2.


RN-882 (CM-20648)
When using VRF route leaking on a Mellanox switch, forwarded packets are copied to the CPU several times

When using VRF Route leaking on Mellanox switches in a VLAN-unaware bridge configuration, the packets for a locally attached leaked host are software forwarded.

To work around this issue, use a VLAN-aware bridge configuration.

This issue is fixed in Cumulus Linux 3.6.2.


RN-883 (CM-20644)
If the PTP services are running when switchd is restarted, the PTP services need to be restarted

When using PTP and switchd.service is restarted, the PTP services need to be restarted after switchd.service with the following commands:

systemctl reset-failed ptp4l.service phc2sys.service
systemctl restart ptp4l.service phc2sys.service

This issue is fixed in Cumulus Linux 3.6.2.


RN-889 (CM-20450)
Issuing the 'net add routing import-table' command results in an FRR service crash

The FRR service crashes when you run the net add routing import-table command.

To work around this issue, do not use the NCLU.

This issue is fixed in Cumulus Linux 3.6.2.


RN-891 (CM-20684)
On Mellanox switches, attempts to configure a VRF with a nexthop from another VRF results in an sx_sdk daemon crash and loss of forwarding functionality

VRF Route Leaking is not supported on Mellanox platforms in CL 3.6.0. Attempts to configure a VRF with a nexthop from another VRF can result in an sx_sdk daemon crash and loss of forwarding functionality.

This issue is fixed in Cumulus Linux 3.6.2.


RN-902 (CM-19699)
BGP scaling not hashing southbound traffic from Infra switches

When routing traffic from Infra switches back through VXLAN, Infra switches are choosing one spine to send all flows through.

This issue is fixed in Cumulus Linux 3.6.2.


RN-947 (CM-20992)
RS FEC configuration cleared and not re-installed on switchd restart, leaving links down

During switchd restart, the RS FEC configuration is not re-installed to the interfaces to which it was previously applied.

This issue is fixed in Cumulus Linux 3.6.2.


RN-954 (CM-21062)
A redundant NCLU command to configure the DHCP relay exits with return code 1

When using the NCLU command to add a redundant DHCP relay, the command exits with an error instead of displaying a message that the DHCP relay server configuration already contains the IP address.

This issue is fixed in Cumulus Linux 3.6.2.


RN-956 (CM-21055)
On Mellanox switches, the destination MAC of ERSPAN GRE packets is set to all zeros

On Mellanox switches, the destination MAC of ERSPAN GRE packets is set to all zeros; therefore, the packets are dropped by the first transit switch.

This issue is fixed in Cumulus Linux 3.6.2.


RN-964 (CM-21319)
When upgrading to Cumulus Linux 3.6, static routes in the default VRF are associated with other VRFs

When you upgrade to Cumulus Linux 3.6.x, static routes configured in the frr.conf file become associated with the VRF configured above them.

This issue is fixed in Cumulus Linux 3.6.2.


RN-970 (CM-21203)
VXLAN with tcam_resource_profile set to acl-heavy causes the switch to crash

Changing tcam_resource_profile to acl-heavy on a switch with VXLAN enabled and applying the configuration with a switchd restart causes switchd to fail to restart, netd to crash, the switch to become temporarily unresponsive, and a cl-support to be generated.

To work around this issue, remove the acl-heavy profile or the VXLAN configuration.

This issue is fixed in Cumulus Linux 3.6.2.


RN-972 (CM-21003)
Cumulus Linux does not forward PTP traffic by default

A switch running Cumulus Linux 3.6.0 or later does not forward transit precision time protocol (PTP) packets as PTP is not enabled by default in Cumulus Linux.

To work around this issue, downgrade the switch to Cumulus Linux 3.5.3.

This issue is fixed in Cumulus Linux 3.6.2.


RN-974 (CM-21383)
Mellanox does not install traps for multicast groups registered to the Kernel

Mellanox switches do not install traps in hardware to send multicast traffic to the kernel, even after registering the multicast group.

This issue is fixed in Cumulus Linux 3.6.2.


RN-976 (CM-21335)
EVPN route map with match VNI causes FRR core

Applying a route map using match evpn vni <xyz> to a neighbor or peer-group causes FRR to core.

This issue is fixed in Cumulus Linux 3.6.2.


RN-977 (CM-21508)
EVPN best path not reinstalled after EVPN type 2 MAC route is withdrawn

A remote VRR MAC that is normally learned through an EVPN Type-2 route is learned locally on a host-facing port. This is then propagated through a new Type-2 MAC route throughout the environment and remote access switch pairs install the erroneous route.

To work around this issue, re-send the EVPN update from the infra pair by changing the VRR MAC or clearing the session.

This issue is fixed in Cumulus Linux 3.6.2.


RN-986 (CM-21256)
ARP storm in VXLAN symmetric routing

With VXLAN symmetric routing, it is possible to generate an ARP packet storm when SVI addresses are common across different racks.

This issue is fixed in Cumulus Linux 3.6.2.


RN-987 (CM-20938)
Debian Security Advisory DSA-4196-1 CVE-2018-1087 CVE-2018-8897 for the linux kernel package

The following CVEs were announced in Debian Security Advisory DSA-4196-1 and affect the Linux kernel.

This issue is fixed in Cumulus Linux 3.6.2.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4196-1                    security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
May 08, 2018                              https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: linux

CVE ID: CVE-2018-1087 CVE-2018-8897

Debian Bug: 897427 897599 898067 898100

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial of service.

CVE-2018-1087

Andy Lutomirski discovered that the KVM implementation did not properly handle #DB exceptions while deferred by MOV SS/POP SS, allowing an unprivileged KVM guest user to crash the guest or potentially escalate their privileges.

CVE-2018-8897

Nick Peterson of Everdox Tech LLC discovered that #DB exceptions that are deferred by MOV SS or POP SS are not properly handled, allowing an unprivileged user to crash the kernel and cause a denial of service.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.56-1+deb8u1. This update includes various fixes for regressions from 3.16.56-1 as released in DSA-4187-1 (Cf. #897427, #898067 and #898100).

For the stable distribution (stretch), these problems have been fixed in version 4.9.88-1+deb9u1. The fix for CVE-2018-1108 applied in DSA-4188-1 is temporarily reverted due to various regressions, cf. #897599.

For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux


RN-988 (CM-20834)
Debian Security Advisory DSA 4187-1 for linux kernel

The following CVEs were announced in Debian Security Advisory DSA-4187-1 and affect the Linux kernel.

This issue is fixed in Cumulus Linux 3.6.2.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4187-1                    security@debian.org
https://www.debian.org/security/                             Ben Hutchings
May 01, 2018                              https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: linux

CVE ID: CVE-2015-9016 CVE-2017-0861 CVE-2017-5715 CVE-2017-5753 CVE-2017-13166 CVE-2017-13220 CVE-2017-16526 CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-18017 CVE-2017-18203 CVE-2017-18216 CVE-2017-18232 CVE-2017-18241 CVE-2018-1066 CVE-2018-1068 CVE-2018-1092 CVE-2018-5332 CVE-2018-5333 CVE-2018-5750 CVE-2018-5803 CVE-2018-6927 CVE-2018-7492 CVE-2018-7566 CVE-2018-7740 CVE-2018-7757 CVE-2018-7995 CVE-2018-8781 CVE-2018-8822 CVE-2018-1000004 CVE-2018-1000199

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2015-9016

Ming Lei reported a race condition in the multiqueue block layer (blk-mq). On a system with a driver using blk-mq (mtip32xx, null_blk, or virtio_blk), a local user might be able to use this for denial of service or possibly for privilege escalation.

CVE-2017-0861

Robb Glasser reported a potential use-after-free in the ALSA (sound) PCM core. We believe this was not possible in practice.

CVE-2017-5715

Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system.

This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated for the x86 architecture (amd64 and i386) by using the "retpoline" compiler feature which allows indirect branches to be isolated from speculative execution.

CVE-2017-5753

Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system.

This specific attack has been named Spectre variant 1 (bounds-check bypass) and is mitigated by identifying vulnerable code sections (array bounds checking followed by array access) and replacing the array access with the speculation-safe array_index_nospec() function.

More use sites will be added over time.

CVE-2017-13166

A bug in the 32-bit compatibility layer of the v4l2 ioctl handling code has been found. Memory protections ensuring user-provided buffers always point to userland memory were disabled, allowing destination addresses to be in kernel space. On a 64-bit kernel a local user with access to a suitable video device can exploit this to overwrite kernel memory, leading to privilege escalation.

CVE-2017-13220

Al Viro reported that the Bluetooth HIDP implementation could dereference a pointer before performing the necessary type check. A local user could use this to cause a denial of service.

CVE-2017-16526

Andrey Konovalov reported that the UWB subsystem may dereference an invalid pointer in an error case. A local user might be able to use this for denial of service.

CVE-2017-16911

Secunia Research reported that the USB/IP vhci_hcd driver exposed kernel heap addresses to local users. This information could aid the exploitation of other vulnerabilities.

CVE-2017-16912

Secunia Research reported that the USB/IP stub driver failed to perform a range check on a received packet header field, leading to an out-of-bounds read. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-16913

Secunia Research reported that the USB/IP stub driver failed to perform a range check on a received packet header field, leading to excessive memory allocation. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-16914

Secunia Research reported that the USB/IP stub driver failed to check for an invalid combination of fields in a received packet, leading to a null pointer dereference. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-18017

Denys Fedoryshchenko reported that the netfilter xt_TCPMSS module failed to validate TCP header lengths, potentially leading to a use-after-free. If this module is loaded, it could be used by a remote attacker for denial of service or possibly for code execution.

CVE-2017-18203

Hou Tao reported that there was a race condition in creation and deletion of device-mapper (DM) devices. A local user could potentially use this for denial of service.

CVE-2017-18216

Alex Chen reported that the OCFS2 filesystem failed to hold a necessary lock during nodemanager sysfs file operations, potentially leading to a null pointer dereference. A local user could use this for denial of service.

CVE-2017-18232

Jason Yan reported a race condition in the SAS (Serial-Attached SCSI) subsystem, between probing and destroying a port. This could lead to a deadlock. A physically present attacker could use this to cause a denial of service.

CVE-2017-18241

Yunlei He reported that the f2fs implementation does not properly initialise its state if the "noflush_merge" mount option is used. A local user with access to a filesystem mounted with this option could use this to cause a denial of service.

CVE-2018-1066

Dan Aloni reported to Red Hat that the CIFS client implementation would dereference a null pointer if the server sent an invalid response during NTLMSSP setup negotiation. This could be used by a malicious server for denial of service.

CVE-2018-1068

The syzkaller tool found that the 32-bit compatibility layer of ebtables did not sufficiently validate offset values. On a 64-bit kernel, a local user with the CAP_NET_ADMIN capability (in any user namespace) could use this to overwrite kernel memory, possibly leading to privilege escalation. Debian disables unprivileged user namespaces by default.

CVE-2018-1092

Wen Xu reported that a crafted ext4 filesystem image would trigger a null dereference when mounted. A local user able to mount arbitrary filesystems could use this for denial of service.

CVE-2018-5332

Mohamed Ghannam reported that the RDS protocol did not sufficiently validate RDMA requests, leading to an out-of-bounds write. A local attacker on a system with the rds module loaded could use this for denial of service or possibly for privilege escalation.

CVE-2018-5333

Mohamed Ghannam reported that the RDS protocol did not properly handle an error case, leading to a null pointer dereference. A local attacker on a system with the rds module loaded could possibly use this for denial of service.

CVE-2018-5750

Wang Qize reported that the ACPI sbshc driver logged a kernel heap address. This information could aid the exploitation of other vulnerabilities.

CVE-2018-5803

Alexey Kodanev reported that the SCTP protocol did not range-check the length of chunks to be created. A local or remote user could use this to cause a denial of service.

CVE-2018-6927

Li Jinyue reported that the FUTEX_REQUEUE operation on futexes did not check for negative parameter values, which might lead to a denial of service or other security impact.

CVE-2018-7492

The syzkaller tool found that the RDS protocol was lacking a null pointer check. A local attacker on a system with the rds module loaded could use this for denial of service.

CVE-2018-7566

Fan LongFei reported a race condition in the ALSA (sound) sequencer core, between write and ioctl operations. This could lead to an out-of-bounds access or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation.

CVE-2018-7740

Nic Losby reported that the hugetlbfs filesystem's mmap operation did not properly range-check the file offset. A local user with access to files on a hugetlbfs filesystem could use this to cause a denial of service.

CVE-2018-7757

Jason Yan reported a memory leak in the SAS (Serial-Attached SCSI) subsystem. A local user on a system with SAS devices could use this to cause a denial of service.

CVE-2018-7995

Seunghun Han reported a race condition in the x86 MCE (Machine Check Exception) driver. This is unlikely to have any security impact.

CVE-2018-8781

Eyal Itkin reported that the udl (DisplayLink) driver's mmap operation did not properly range-check the file offset. A local user with access to a udl framebuffer device could exploit this to overwrite kernel memory, leading to privilege escalation.

CVE-2018-8822

Dr Silvio Cesare of InfoSect reported that the ncpfs client implementation did not validate reply lengths from the server. An ncpfs server could use this to cause a denial of service or remote code execution in the client.

CVE-2018-1000004

Luo Quan reported a race condition in the ALSA (sound) sequencer core, between multiple ioctl operations. This could lead to a deadlock or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation.

CVE-2018-1000199

Andy Lutomirski discovered that the ptrace subsystem did not sufficiently validate hardware breakpoint settings. Local users can use this to cause a denial of service, or possibly for privilege escalation, on x86 (amd64 and i386) and possibly other architectures.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.56-1.

For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux


RN-1005 (CM-21490)
On Mellanox switches, when an ERSPAN forwarding rule is defined and non-atomic update mode is enabled, traffic is blocked

When ERSPAN is enabled on a Mellanox switch and non_atomic_update_mode = TRUE, traffic through the switch is blocked.

This issue is fixed in Cumulus Linux 3.6.2.


RN-1007 (CM-21599)
With ECMP rebalance enabled for PIM, multicast stream loss might occur following a link failure

If you shut down the RPF nexthop switch after the last hop router builds the SPT, the switch might not failover to the alternate ECMP RPF nexthop.

This issue is fixed in Cumulus Linux 3.6.2.


RN-1008 (CM-21396)
The 'net del interface bridge vids' command removes the interface from the bridge ports list

If you run the net del interface <interface> bridge vids command, the interface is removed from the bridge ports list instead of inheriting the characteristics of the bridge.

To work around this issue, add the interface back to the bridge with the net add bridge bridge ports <interface> command.

This issue is fixed in Cumulus Linux 3.6.2.


RN-1009 (CM-21474)
Multiple sx_core: lag_id errors in syslog

On Mellanox switches, when the input port of a sampled packet is a bond interface, you see multiple sx_core: lag_id errors in syslog.

This issue is fixed in Cumulus Linux 3.6.2.


RN-1010 (CM-21352)
Debian Security Advisory DSA-4212-1 CVE-2018-11235 for the git package

The following CVE was announced in Debian Security Advisory DSA-4212-1 and affects the git package.

This issue is fixed in Cumulus Linux 3.6.2.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4212-1                    security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
May 29, 2018                              https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : git

CVE ID : CVE-2018-11235

Etienne Stalmans discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability exploitable via specially crafted submodule names in a .gitmodules file.

For the oldstable distribution (jessie), this problem has been fixed in version 1:2.1.4-2.1+deb8u6.

For the stable distribution (stretch), this problem has been fixed in version 1:2.11.0-3+deb9u3.

We recommend that you upgrade your git packages.

For the detailed security status of git please refer to its security tracker page at: https://security-tracker.debian.org/tracker/git


RN-1011 (CM-21350)
Debian Security Advisory DSA 4224-1 CVE-2018-12020 for the gnupg package

The following CVE was announced in Debian Security Advisory DSA-4224-1 and affects the gnupg package.

This issue is fixed in Cumulus Linux 3.6.2.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4224-1                    security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
June 08, 2018                             https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : gnupg

CVE ID : CVE-2018-12020

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed in version 1.4.18-7+deb8u5.

For the detailed security status of gnupg, refer to its security tracker page at: https://security-tracker.debian.org/tracker/gnupg


RN-1012 (CM-21351)
Debian Security Advisory DSA 4222-1 CVE-2018-12020 for the gnupg2 package

The following CVE was announced in Debian Security Advisory DSA-4222-1 and affects the gnupg2 package.

This issue is fixed in Cumulus Linux 3.6.2.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4222-1                    security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
June 08, 2018                             https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : gnupg2

CVE ID : CVE-2018-12020

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed in version 2.0.26-6+deb8u2.

For the stable distribution (stretch), this problem has been fixed in version 2.1.18-8~deb9u2.

For the detailed security status of gnupg2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gnupg2


RN-1013 (CM-20926)
Debian Security Advisory DSA-4195-1 CVE-2018-0494 for the wget package

The following CVE was announced in Debian Security Advisory DSA-4195-1 and affects the wget package.

This issue is fixed in Cumulus Linux 3.6.2.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4195-1                    security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
May 08, 2018                              https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : wget

CVE ID : CVE-2018-0494

Debian Bug : 898076

Harry Sintonen discovered that wget, a network utility to retrieve files from the web, does not properly handle '\r\n' from continuation lines while parsing the Set-Cookie HTTP header. A malicious web server could use this flaw to inject arbitrary cookies to the cookie jar file, adding new or replacing existing cookie values.

For the oldstable distribution (jessie), this problem has been fixed in version 1.16-1+deb8u5.

For the stable distribution (stretch), this problem has been fixed in version 1.18-5+deb9u2.

We recommend that you upgrade your wget packages.

For the detailed security status of wget please refer to its security tracker page at: https://security-tracker.debian.org/tracker/wget


RN-1014 (CM-21349)
Debian Security Advisory DSA-4226-1 CVE-2018-12015 for the perl package

The following CVEs were announced in Debian Security Advisory DSA-4226-1 and affect the perl package.

This issue is fixed in Cumulus Linux 3.6.2.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4226-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

June 12, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : perl

CVE ID : CVE-2018-12015

Debian Bug : 900834

Jakub Wilk discovered a directory traversal flaw in the Archive::Tar module, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted tar archive.

For the oldstable distribution (jessie), this problem has been fixed in version 5.20.2-3+deb8u11.

For the stable distribution (stretch), this problem has been fixed in version 5.24.1-3+deb9u4.

We recommend that you upgrade your perl packages.

For the detailed security status of perl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/perl
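The Archive::Tar flaw above is the classic archive path-traversal pattern: member names such as ../x or /etc/x, and link members whose targets resolve outside the extraction directory, are written wherever they point. The following is an added example, not Cumulus or Debian code, written in Python rather than Perl because that is what ships on the switch; it constructs a small in-memory archive containing exactly those member kinds, shows the checks that reject them, and refuses the whole archive rather than silently extracting the harmless part. The archive contents and the /srv/extract destination are constructed for the example.

```python
import io
import os
import tarfile
import tempfile


def build_sample_tar(include_malicious=True):
    """Constructed in-memory archive (not taken from the advisory): one benign
    file and, optionally, three members that try to leave the extraction root."""
    files = [("pkg/README", b"benign\n")]
    if include_malicious:
        files += [("../escape.txt", b"written next to the root\n"),
                  ("/tmp/absolute.txt", b"written to an absolute path\n")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        if include_malicious:
            # A symlink whose target resolves outside the root: anything a later
            # member writes through it would land outside as well.
            link = tarfile.TarInfo("pkg/link")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../etc/passwd"
            tar.addfile(link)
    return buf.getvalue()


def _inside(root, path):
    return os.path.commonpath([root, path]) == root


def unsafe_members(tar, dest):
    """Names of members that would be written, or would point, outside dest.
    These are the checks whose absence made Archive::Tar extraction unsafe."""
    root = os.path.abspath(dest)
    bad = []
    for m in tar.getmembers():
        target = os.path.normpath(os.path.join(root, m.name))
        if os.path.isabs(m.name) or not _inside(root, target):
            bad.append(m.name)
            continue
        if m.issym():    # symlink target is relative to the link's own directory
            resolved = os.path.normpath(os.path.join(os.path.dirname(target), m.linkname))
        elif m.islnk():  # hard link target is relative to the archive root
            resolved = os.path.normpath(os.path.join(root, m.linkname))
        else:
            continue
        if os.path.isabs(m.linkname) or not _inside(root, resolved):
            bad.append(m.name)
    return bad


def find_unsafe(tar_bytes, dest):
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return unsafe_members(tar, dest)


def safe_extract(tar_bytes, dest):
    """Extract only when every member stays under dest; otherwise refuse the
    whole archive instead of extracting the harmless members and skipping the
    rest. Returns the names of the extracted members."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError("refusing to extract, unsafe members: " + ", ".join(bad))
        tar.extractall(dest)
        return sorted(m.name for m in tar.getmembers())


def demo():
    """(rejected member names, whether the hostile archive was refused,
    members extracted from the benign archive)."""
    hostile = build_sample_tar(True)
    rejected = find_unsafe(hostile, "/srv/extract")
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extract(hostile, d)
            refused = False
        except ValueError:
            refused = True
        extracted = safe_extract(build_sample_tar(False), d)
    return rejected, refused, extracted


if __name__ == "__main__":
    print(demo())
```

The check is done on the member list before anything touches the filesystem, and the archive is rejected as a whole: extracting the benign members of an archive that also carries a traversal attempt only hides the attempt from the operator.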


RN-1015 (CM-20865)
clagd memory growth during oversubscription test

During an oversubscription test where more than 100G of traffic is destined for an MLAG host bond, the host bond bounces and MLAG memory usage grows to over 1.2GB. After stopping Ixia traffic and protocols, the clagd service still holds more than 1GB of memory.

This issue is fixed in Cumulus Linux 3.6.2.


RN-1016 (CM-20803)
Debian Security Advisory DSA-4186-1 CVE-2018-1000164 for gunicorn package

The following CVEs were announced in Debian Security Advisory DSA-4186-1 and affect the gunicorn package.

This issue is fixed in Cumulus Linux 3.6.2.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4186-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

April 28, 2018 https://www.debian.org/security/faq

--------------------------------------------------------------------------

Package : gunicorn

CVE ID : CVE-2018-1000164

It was discovered that gunicorn, an event-based HTTP/WSGI server, was susceptible to HTTP response splitting.

For the oldstable distribution (jessie), this problem has been fixed in version 19.0-1+deb8u1.

We recommend that you upgrade your gunicorn packages.

For the detailed security status of gunicorn please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/gunicorn
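HTTP response splitting, the bug class named in the advisory above, happens when a server copies attacker-influenced text into a header without rejecting CR and LF, so the client parses headers (or a whole second response) the application never sent. The following is an added example, not gunicorn's code: a minimal response serializer with the unsafe behaviour switchable on and off, and a client-side parse that shows what the browser would see. The Location value is constructed attacker input for the example.

```python
import re

_CTL = re.compile(r"[\r\n]")

# Constructed attacker input (not from the advisory): a redirect target that a
# server reflects into the Location header without checking for CR/LF.
ATTACKER_VALUE = "/home\r\nSet-Cookie: session=attacker"


def serialize_response(status, headers, body, strict=True):
    """Build a raw HTTP/1.1 response. strict=False copies header values
    verbatim, the behaviour class behind response splitting; strict=True
    rejects any CR or LF in a header name or value before it reaches the wire."""
    reason = {200: "OK", 302: "Found"}.get(status, "")
    lines = ["HTTP/1.1 %d %s" % (status, reason)]
    for name, value in headers:
        if strict and (_CTL.search(name) or _CTL.search(value)):
            raise ValueError("CR/LF in header %r" % name)
        lines.append("%s: %s" % (name, value))
    lines.append("Content-Length: %d" % len(body))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def parse_response(raw):
    """Minimal client-side parse: (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def headers_seen_by_client(value, strict):
    """The headers a client parses out of a 302 whose Location is built from value."""
    raw = serialize_response(302, [("Location", value)], b"", strict=strict)
    return parse_response(raw)[1]


def rejects(value):
    """True when the strict serializer refuses to emit the value at all."""
    try:
        serialize_response(302, [("Location", value)], b"", strict=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(headers_seen_by_client(ATTACKER_VALUE, strict=False))
    print(rejects(ATTACKER_VALUE), rejects("/home"))
```

With strict=False the client sees a Set-Cookie header the application never set; a value containing a blank line (\r\n\r\n) goes further and terminates the header block, so everything after it is parsed as a second response or as the body. Rejecting the request, rather than stripping the control characters, is the safer choice because it makes the attempt visible in the server log.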


RN-1017 (CM-21348)
Debian Security Advisory DSA-4217-1 CVE-2018-9273 CVE-2018-7320 CVE-2018-7334 CVE-2018-7335 CVE-2018-7419 CVE-2018-9261 CVE-2018-9264 CVE-2018-11358 CVE-2018-11360 CVE-2018-11362 for wireshark

The following CVEs were announced in Debian Security Advisory DSA-4217-1 and affect the wireshark package.

This issue is fixed in Cumulus Linux 3.6.2.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4217-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

June 03, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : wireshark

CVE ID : CVE-2018-9273 CVE-2018-7320 CVE-2018-7334 CVE-2018-7335 CVE-2018-7419 CVE-2018-9261 CVE-2018-9264 CVE-2018-11358 CVE-2018-11360 CVE-2018-11362

It was discovered that Wireshark, a network protocol analyzer, contained several vulnerabilities in the dissectors for PCP, ADB, NBAP, UMTS MAC, IEEE 802.11, SIGCOMP, LDSS, GSM A DTAP and Q.931, which result in denial of service or the execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u14.

For the stable distribution (stretch), these problems have been fixed in version 2.2.6+g32dac6a-2+deb9u3.

For the detailed security status of wireshark, refer to its security tracker page at: https://security-tracker.debian.org/tracker/wireshark


RN-1018 (CM-20799)
Cannot use NCLU to add or delete RADIUS client IP addresses for 802.1X interfaces

This issue is fixed in Cumulus Linux 3.6.2.


RN-1019 (CM-21156)
Debian Security Advisory DSA-4211-1 CVE-2017-18266 for xdg-utils package

The following CVEs were announced in Debian Security Advisory DSA-4211-1 and affect the xdg-utils package.

This issue is fixed in Cumulus Linux 3.6.2.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4211-1 security@debian.org

https://www.debian.org/security/ Luciano Bello

May 25, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : xdg-utils

CVE ID : CVE-2017-18266

Debian Bug : 898317

Gabriel Corona discovered that xdg-utils, a set of tools for desktop environment integration, is vulnerable to argument injection attacks. If the environment variable BROWSER in the victim host has a "%s" and the victim opens a link crafted by an attacker with xdg-open, the malicious party could manipulate the parameters used by the browser when opened. This manipulation could set, for example, a proxy to which the network traffic could be intercepted for that particular execution.

For the oldstable distribution (jessie), this problem has been fixed in version 1.1.0~rc1+git20111210-7.4+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 1.1.1-1+deb9u1.

For the detailed security status of xdg-utils, refer to its security tracker page at: https://security-tracker.debian.org/tracker/xdg-utils


RN-1020 (CM-21098)
Debian Security Advisory DSA-4208-1 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 for procps top, ps command

The following CVEs were announced in Debian Security Advisory DSA-4208-1 and affect the procps package.

This issue is fixed in Cumulus Linux 3.6.2.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4208-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

May 22, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : procps

CVE ID : CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126

Debian Bug : 899170

The Qualys Research Labs discovered multiple vulnerabilities in procps, a set of command line and full screen utilities for browsing procfs. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2018-1122

top reads its configuration from the current working directory if no $HOME was configured. If top were started from a directory writable by the attacker (such as /tmp) this could result in local privilege escalation.

CVE-2018-1123

Denial of service against the ps invocation of another user.

CVE-2018-1124

An integer overflow in the file2strvec() function of libprocps could result in local privilege escalation.

CVE-2018-1125

A stack-based buffer overflow in pgrep could result in denial of service for a user using pgrep for inspecting a specially crafted process.

CVE-2018-1126

Incorrect integer size parameters used in wrappers for standard allocators could cause integer truncation and lead to integer overflow issues.

For the oldstable distribution (jessie), these problems have been fixed in version 2:3.3.9-9+deb8u1.

For the stable distribution (stretch), these problems have been fixed in version 2:3.3.12-3+deb9u1.

For the detailed security status of procps, refer to its security tracker page at: https://security-tracker.debian.org/tracker/procps

A full readable description of the vulnerabilities is here: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt

All of these are local issues: denial of service, plus local privilege escalation through top (CVE-2018-1122) and the libprocps integer overflow (CVE-2018-1124).


RN-1022 (CM-20697)
Debian Security Advisory DSA-4176-1 CVE-2018-2755 CVE-2018-2761 CVE-2018-2771 CVE-2018-2773 CVE-2018-2781 CVE-2018-2813 CVE-2018-2817 CVE-2018-2818 CVE-2018-2819 for the mysql package

The following CVEs were announced in Debian Security Advisory DSA-4176-1 and affect the mysql library and common packages.

This issue is fixed in Cumulus Linux 3.6.2.

--------------------------------------------------------------------------

Debian Security Advisory DSA-4176-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 20, 2018 https://www.debian.org/security/faq

--------------------------------------------------------------------------

Package : mysql-5.5

CVE ID : CVE-2018-2755 CVE-2018-2761 CVE-2018-2771 CVE-2018-2773 CVE-2018-2781 CVE-2018-2813 CVE-2018-2817 CVE-2018-2818 CVE-2018-2819

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.60, which includes additional changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-60.html

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

For the oldstable distribution (jessie), these problems have been fixed in version 5.5.60-0+deb8u1.

We recommend that you upgrade your mysql-5.5 packages.

For the detailed security status of mysql-5.5 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/mysql-5.5

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/


RN-1023 (CM-20138)
NCLU errors out on a breakout port when the port is already configured in a bridge

It's been reported that splitting a switch port removes it from the bridge.

This issue is fixed in Cumulus Linux 3.6.2.


RN-1024 (CM-21047)
cl-support takes a long time to complete when a large amount of space is allocated to /var/log/lastlog

When there is a lot of space allocated to /var/log/lastlog, cl-support takes a long time to run (sometimes more than an hour).

This issue is fixed in Cumulus Linux 3.6.2.


RN-1026 (CM-21012)
Debian Security Advisory DSA-4202-1 CVE-2018-1000301 for the curl package

The following CVEs were announced in Debian Security Advisory DSA-4202-1 and affect the curl package.

This issue is fixed in Cumulus Linux 3.6.2.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4202-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

May 16, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : curl

CVE ID : CVE-2018-1000301

Debian Bug : 898856

OSS-fuzz, assisted by Max Dymond, discovered that cURL, a URL transfer library, could be tricked into reading data beyond the end of a heap based buffer when parsing invalid headers in an RTSP response.

For the oldstable distribution (jessie), this problem has been fixed in version 7.38.0-4+deb8u11.

For the stable distribution (stretch), this problem has been fixed in version 7.52.1-5+deb9u6.

For the detailed security status of curl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl
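Each advisory in this list names the Debian version that carries the fix. The quickest way to confirm that a switch actually has those versions, rather than trusting the release number, is to compare what dpkg reports against them. The following is an added example, not Cumulus Networks or Debian code: it collects the Jessie "fixed in" versions quoted in the advisories above (Cumulus Linux 3.x is Jessie based) and compares them with `dpkg-query` output using a reimplementation of dpkg's version ordering, so the check can run off-box over output collected from many switches. The dpkg-query sample is constructed; it assumes the packages carry Debian's version strings, which holds for packages Cumulus ships unmodified.

```python
"""Compare installed package versions with the jessie 'fixed in' versions
quoted in the DSAs above. On the switch itself `dpkg --compare-versions`
is the authoritative reference; this reimplements its ordering so the
check can run off-box over collected output."""

# Jessie fixed versions copied from the DSAs reproduced in this section,
# keyed by the Debian *source* package the DSA names.
FIXED_IN_JESSIE = {
    "gnupg2": "2.0.26-6+deb8u2",                      # DSA-4222-1
    "wget": "1.16-1+deb8u5",                          # DSA-4195-1
    "perl": "5.20.2-3+deb8u11",                       # DSA-4226-1
    "gunicorn": "19.0-1+deb8u1",                      # DSA-4186-1
    "wireshark": "1.12.1+g01b65bf-4+deb8u14",         # DSA-4217-1
    "xdg-utils": "1.1.0~rc1+git20111210-7.4+deb8u1",  # DSA-4211-1
    "procps": "2:3.3.9-9+deb8u1",                     # DSA-4208-1
    "mysql-5.5": "5.5.60-0+deb8u1",                   # DSA-4176-1
    "curl": "7.38.0-4+deb8u11",                       # DSA-4202-1
}

# Constructed sample (not captured from a real switch) of the output of
#   dpkg-query -W -f='${source:Package} ${source:Version}\n'
# Binary packages built from one source repeat the source name (curl, libcurl3).
SAMPLE_DPKG_QUERY = """\
curl 7.38.0-4+deb8u11
curl 7.38.0-4+deb8u11
gnupg2 2.0.26-6+deb8u1
procps 2:3.3.9-9
wget 1.16-1+deb8u5
wireshark 1.12.1+g01b65bf-4+deb8u13
xdg-utils 1.1.0~rc1+git20111210-7.4+deb8u1
"""


def _order(c):
    """dpkg's weight for characters in the non-digit runs of a version:
    '~' sorts before anything, even the end of the string; letters sort
    before non-letters."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): alternate non-digit runs (compared by _order)
    and digit runs (compared numerically). Returns <0, 0 or >0."""
    i = j = 0

    def ch(s, k):
        return s[k] if k < len(s) else ""

    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(ch(a, i)) - ord(ch(b, j))
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]'; the last '-' starts the revision."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:  # no '-' at all: rpartition put the whole string in 'revision'
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def unpatched(dpkg_output, fixed):
    """(source, installed, fixed) for each source package in dpkg_output
    whose installed version is older than the fixed version."""
    installed = {}
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed.setdefault(parts[0], parts[1])
    return [(src, installed[src], fixed[src]) for src in sorted(fixed)
            if src in installed and compare_versions(installed[src], fixed[src]) < 0]


if __name__ == "__main__":
    for src, have, want in unpatched(SAMPLE_DPKG_QUERY, FIXED_IN_JESSIE):
        print("%-10s installed %-34s fixed in %s" % (src, have, want))
```

On a switch, collect the real input with `dpkg-query -W -f='${source:Package} ${source:Version}\n'` and pass the text to unpatched(). A package that is not installed is not reported, so an empty result means "nothing installed is below the fixed version", not "everything is patched".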


RN-1028 (CM-20728)
Errors occur when installing TOS matched rules in ip6tables

The following error occurs when trying to install a TOS matched rule in ip6tables:

Installing acl policy
error: hw sync failed (Cannot process ip6tables,FORWARD,2,TOS match extension is supported only for iptables)
Rolling back ..
failed.

This issue is fixed in Cumulus Linux 3.6.2.


RN-1029 (CM-21564)
NCLU configuration fails to commit due to invalid value for ip-forward or ip6-forward

After upgrading to Cumulus Linux 3.6.1 on Facebook Backpack switches, NCLU configuration fails to commit because of the default ip-forward and ip6-forward configuration.

This issue is fixed in Cumulus Linux 3.6.2.

New Known Issues in Cumulus Linux 3.6.2

The following issues are new to Cumulus Linux and affect the current release.

Release Note ID Summary Description

RN-975 (CM-21658)
candidate EVPN best path not re-installed after EVPN type-2 MAC route is withdrawn

If host nodes reflect or bridge a frame received from access switch pairs back to the switches, a remote VRR virtual MAC that is normally learned through an EVPN type-2 MAC+IP (centralized advertise-default-gw) route is instead learned locally on a host-facing port. This is then propagated throughout the environment as a new type-2 MAC route, and remote access switch pairs install the erroneous route.

To work around this issue, resend the EVPN update from the infra pair, either by changing the VRR MAC or by clearing the BGP session.

This is a known issue that is currently being investigated.


RN-979 (CM-21691)
When removing a dot1x configured port from a traditional bridge, the net pending command does not show the changes

When removing a dot1x configured port from a traditional bridge, the net pending command does not show the pending changes; however, the port is removed from the bridge when you issue the net commit command.

This is a known issue and should be fixed in a future release of Cumulus Linux.


RN-980 (CM-21653)
Incorrect VLAN translation tags on double tagged bridge interfaces

A bridge with double tag translation configured on a member interface correctly maps the VLAN tags in the outgoing ARP request frame, but incorrectly maps the VLAN tags on the incoming ARP reply.

This is a known issue that is currently being investigated.


RN-982 (CM-21598)
IGMP configuration does not persist through a switch reboot

The order of the query interval and maximum response time parameters in an IGMP interface configuration together with an insufficient response time value causes the IGMP configuration to be lost during a switch reboot. The maximum response time cannot be greater than or equal to the query interval, and the maximum response time must be read before the interval.

To work around this issue temporarily, move the query interval parameter to follow the query-max-response-time parameter and set the query-max-response-time to a value less than the query interval. You must repeat this workaround each time FRR writes to the frr.conf file.

This issue is being investigated at this time.


RN-989 (CM-9695)
cl-resource-query: ACL metrics are displayed as 0 on a Mellanox switch

ACL-related metrics reported by cl-resource-query on a Mellanox MLX-2700 switch return all ACL metrics as 0. For example:

cumulus@mlx-2700-08:~$ sudo cl-resource-query 
Host entries:              34,   0% of maximum value   5120
IPv4 neighbors:             8
IPv6 neighbors:            13
IPv4 entries:           32768,  82% of maximum value  39936
IPv6 entries:               0,   0% of maximum value  15360
IPv4 Routes:            32768
IPv6 Routes:                0
Total Routes:           32768, 100% of maximum value  32768
ECMP nexthops:             64,   0% of maximum value 209664
MAC entries:                0,   0% of maximum value 409600
Ingress ACL entries:        0,   0% of maximum value      0
Ingress ACL counters:       0,   0% of maximum value      0
Ingress ACL meters:         0,   0% of maximum value      0
Ingress ACL slices:         0,   0% of maximum value      0
Egress ACL entries:         0,   0% of maximum value      0
Egress ACL counters:        0,   0% of maximum value      0
Egress ACL meters:          0,   0% of maximum value      0
Egress ACL slices:          0,   0% of maximum value      0

To work around this issue, run the Mellanox sx_api_resource_manager_dump_all.py debug utility:

cumulus@mlx-2700-08:~$ sudo sx_api_resource_manager_dump_all.py > tmp-cl-resq
cumulus@mlx-2700-08:~$ cat tmp-cl-resq
[+] opening sdk
[0/1847] sx_api_open handle:0x14c3724 , rc 0

HW Table Utilization
Utilization for HW resource TCAM is 42.9
Utilization for HW resource KVD Hash is 69.9
Utilization for HW resource KVD Linear is 49.9
Utilization for HW resource PGT is 0.0
Utilization for HW resource Flow Counter is 0.0
Utilization for HW resource ACL Regions is 1.0

Logical Free Entries Count
============================================================
| Resource                    | Free Entries |
============================================================
| UC MAC Table                |        67181 |
| MC MAC Table                |        67181 |
| FIB IPV4 UC Table           |       132628 |
| FIB IPV6 UC Table           |        95802 |
| FIB IPV4 MC Table           |         2288 |
| ARP IPV4 Table              |        32569 |
| ARP IPV6 Table              |        12292 |
| Unicast Adjacency Table     |         8197 |
| L2 MC VECTORS Table         |         6999 |
| ACL Extended Actions Table  |         8197 |
| ACL PBS Table               |         8197 |
| eRIF List                   |         8197 |
| ILM Table                   |        67181 |
| VLAN Table                  |            1 |
| VPorts Table                |        67181 |
| FID Table                   |        16362 |
| Policy Based MPLS ILM Table |         8197 |
| ACL Regions                 |          396 |
| ACL Rules 18B Key           |         2254 |
| ACL Rules 32B Key           |         1024 |
| ACL Rules 54B Key           |         1022 |
| RIF Counter Basic           |         3276 |
| RIF Counter Enhanced        |         1092 |
| Flow Counter                |         2048 |
| ACL GROUPS Table            |          396 |

Logical Table Utilization
================================================================================================
| Resource                | HW Table        | Logical Entries | HW Entries | Utilization(%) |
================================================================================================
| UC MAC Table            | KVD Hash        |              43 |         43 |            0.0 |
| FIB IPV4 UC Table       | KVD Hash        |              89 |      65790 |           26.5 |
| FIB IPV6 UC Table       | KVD Hash        |              51 |      28926 |           11.6 |
| FIB IPV4 MC Table       | TCAM            |               0 |        192 |            1.1 |
| ARP IPV4 Table          | KVD Hash        |             199 |      32768 |           13.2 |
| ARP IPV6 Table          | KVD Hash        |            4092 |      32768 |          179.6 |
| Unicast Adjacency Table | KVD Linear      |            8187 |       8187 |           49.9 |
| VPorts Table            | KVD Hash        |               0 |         22 |            0.0 |
| FID Table               | KVD Hash        |              22 |         22 |            0.0 |
| ACL Regions             | ACL Regions     |               4 |          4 |            1.0 |
| ACL Rules 18B Key       | TCAM            |               2 |         64 |            0.3 |
| ACL Rules 54B Key       | TCAM            |               2 |       5760 |           35.1 |
| ACL GROUPS Table        | ACL Group Table |               4 |        400 |          100.0 |
cumulus@mlx-2700-08:~$

This is a known issue and should be fixed in a future release of Cumulus Linux.


RN-990 (CM-19647)
With EVPN symmetric routing on a Trident II+ or Maverick switch, forwarding with overlay ECMP routes does not work

Packets from a host to a destination that is reachable through a VXLAN overlay ECMP path might not get forwarded. The forwarding might work if the underlying ECMP members point to the CPU, because of software forwarding.

The issue is seen on a leaf switch connected to the host sending the traffic. The issue can also be seen on a leaf switch connecting towards the destination where the egress route is ECMP.

Depending upon your network topology, one way to work around this issue is to use an as-path prepend so that one of the type 5 routes sent has a longer as-path:

 address-family ipv4 unicast
   distance bgp 190 200 190
-  network 0.0.0.0/0 route-map apply_med
+  network 0.0.0.0/0 route-map apply_aspath_prepend

+route-map apply_aspath_prepend permit 10
+ match ip address prefix-list default_route
+ set as-path prepend last-as 1
+end
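Review bot: the route-map in this hunk matches prefix-list `default_route`, which the hunk never defines; add `ip prefix-list default_route seq 10 permit 0.0.0.0/0` next to it, because a match on an undefined prefix-list does not succeed, and a route-map that does not permit the prefix stops the `network 0.0.0.0/0` statement from advertising anything. Replacing `route-map apply_med` also drops whatever `set metric` that route-map applied; if the MED is still needed, carry it into `apply_aspath_prepend`. Finally, `set as-path prepend last-as 1` prepends the leftmost AS of the existing path once rather than an AS numbered 1, so the prose that follows should describe the prepended AS accordingly.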

You can see the prepended entry in the as-path of the routes learned via 172.16.3.4:

cumulus@switch:~$ net show bgp vrf internal ipv4 unicast
==================================
BGP table version is 16, local router ID is 172.18.5.12
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  0.0.0.0          172.16.3.4          0 65000 65021 0 i
*                   172.16.3.4          0 65000 65021 0 i
*                   172.16.3.4          0 65000 65020 0 i
*                   172.16.3.4          0 65000 65020 0 i
*                   172.16.3.3          0 65000 65019 i
*                   172.16.3.3          0 65000 65019 i
*                   172.16.3.3          0 65000 65018 i
*>                  172.16.3.3          0 65000 65018 i

This results in having just one route in the FIB:

===========================
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR,
       > - selected route, * - FIB route

VRF internal:
B>* 0.0.0.0/0 [20/0] via 172.16.3.4, vlan4000 onlink, 00:12:06

RN-991 (CM-20316)
arp_accept and arp_ignore do not work for SVIs if a bridge has VXLAN interfaces

On a Cumulus Linux switch, if a bridge has VXLAN interfaces, then the arp_accept and arp_ignore options do not work for any switch virtual interfaces (SVIs).

To work around this issue, disable ARP suppression on the VXLAN interfaces. For example, if the VXLAN is named vni100, disable ARP suppression on it with the following command:

cumulus@switch:~$ net add vxlan vni100 bridge arp-nd-suppress off
cumulus@switch:~$ net commit

This issue should be fixed in a future release of Cumulus Linux.


RN-992 (CM-20570)
Disabled services started after running `net del all` then `net commit`

After running the net del all command to remove the configuration, then committing the change with net commit, NCLU enables every service and restarts them. You must manually disable those services again.

This is a known issue and should be fixed in a future release of Cumulus Linux.


RN-993 (CM-20585)
Routes learned via EVPN clouds do not get summarized

Routes that are learned from an EVPN cloud don't get summarized. Only routes that reside on or are owned by a switch get summarized.

This is a known issue and should be fixed in a future release of Cumulus Linux.


RN-994 (CM-21332)
switchd doesn't assign a gport for a VLAN subinterface

When two VLAN subinterfaces are bridged to each other in a traditional mode bridge, switchd doesn't assign a gport to the subinterface, even though a gport is expected for each VLAN subinterface.

To work around this issue, you can do one of two things:

  • Add a VXLAN on the bridge so it doesn't require a real tunnel IP address.
  • Separate the ingress and egress functions across two physical ports.

This issue should be fixed in a future release of Cumulus Linux.


RN-995 (CM-21373)
Debian Security advisory DSA-4231-1/CVE-2018-0495 for libgcrypt20 package

Debian issued the following security advisory, DSA-4231-1, which affects the libgcrypt20 package. This advisory applies only to the Debian Stretch release.

Debian Jessie, upon which Cumulus Linux 3.0 - 3.6.2 is based, is vulnerable, but the vulnerability has not been fixed upstream in Debian yet.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4231-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

June 17, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : libgcrypt20

CVE ID : CVE-2018-0495

It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys.

For the stable distribution (stretch), this problem has been fixed in version 1.7.6-2+deb9u3.

We recommend that you upgrade your libgcrypt20 packages.

For the detailed security status of libgcrypt20 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/libgcrypt20

This issue will be fixed in a future version of Cumulus Linux when a fix is made available for Debian Jessie.


RN-996 (CM-21379)
Floating static route is not installed into the FIB when the primary route becomes unavailable

If a primary route becomes unavailable (for example, you run ifdown on the switch port), the backup route remains inactive and is not installed into FIB.

To work around this issue, configure routes as ECMP:

cumulus@switch:~$ net del routing route 4.1.1.0/24 1.1.1.1 10
cumulus@switch:~$ net add routing route 4.1.1.0/24 1.1.1.1
cumulus@switch:~$ net commit

This issue should be fixed in a future release of Cumulus Linux.


RN-997 (CM-21393)
VXLAN encapsulation can use a UDP source port lower than 1024

Because VXLAN encapsulation uses the full range of UDP source ports, it is possible for Cumulus Linux switches to generate VXLAN packets with UDP source ports in the well-known range (0 to 1023). This might result in the traffic being mishandled in your network if you have rules in place that treat this port range differently; for example, you might have DSCP marking set up for this port range.

To work around this issue, avoid using the well-known port range for sourcing VXLAN traffic.

This issue should be fixed in a future release of Cumulus Linux.


RN-998 (CM-21398)
Creating a management ACL via NCLU results in a FORWARD entry

If you use NCLU to configure an ACL for eth0, you cannot designate it as an INPUT rule; NCLU writes the rule as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file. Because the FORWARD chain does not see packets addressed to the switch itself, such a rule does not filter traffic destined to the management interface.

This issue should be fixed in a future release of Cumulus Linux.


RN-999 (CM-21422)
The NCLU `net show config` command shows the configuration that is pending and not the one that was committed

If you have any pending changes in the NCLU buffer, when you run net show config command or net show config interface <interface>, the output displays the pending configuration, not the one that was previously committed.

This issue should be fixed in a future release of Cumulus Linux.


RN-1000 (CM-21454)
Creating a new traditional mode bridge causes temporary traffic loss

Sometimes when creating a new bridge in traditional mode, an outage of 20-30 seconds can occur when running ifreload. This issue is more noticeable if you add and remove traditional bridges multiple times a day. The outage is long enough to drop BGP and OSPF sessions running through the switch. However, ifreload debug logs show everything is normal, that no interfaces are going down.

This issue should be fixed in a future release of Cumulus Linux.


RN-1002 (CM-21556)
FRR next-hop resolution changes are not updated when applying a VRF to an interface after routes are configured in FRR

When adding new SVIs and static VRF routes in FRR, the appropriate VRF is applied to the interface in the kernel after the static routes are configured in FRR. When the kernel interface changes to the appropriate VRF, FRR next-hop resolution is not updated with the valid connected next-hop interface.

To work around this issue, remove and re-add the static routes.

This issue is being investigated at this time.


RN-1003 (CM-21511)
IGMP queries are not sent if a VXLAN is declared before the bridge in /etc/network/interfaces

If a VNI is configured before the bridge in /etc/network/interfaces, the switch does not send IGMP queries.

To work around this issue, edit the /etc/network/interfaces file to define the bridge before the VNI. For example:

# The primary network interface
auto eth0
iface eth0 inet dhcp

auto lo
iface lo inet loopback
    address 10.26.10.11/32

auto swp9
iface swp9
  bridge-access 100

auto swp10
iface swp10
    bridge-access 100 

auto bridge
iface bridge
   bridge-ports swp9 swp10 vni-10
   bridge-vids 100
   bridge-vlan-aware yes
   bridge-mcquerier 1

auto vni-10
iface vni-10
    vxlan-id 10
    vxlan-local-tunnelip 10.0.0.11
    bridge-access 100

auto bridge.100
vlan bridge.100
  bridge-igmp-querier-src 123.1.1.1

auto vlan100
iface vlan100
    address 10.26.100.2/24
    vlan-id 100
    vlan-raw-device bridge

This issue is being investigated at this time.


RN-1004 (CM-21496)
Scalability of redistribute neighbor limits the number of supported hosts

A Cumulus Linux switch cannot manage Docker containers running on 500 hosts. Entries in table 10 start to expire and are removed from the table.

To work around this issue, modify the ebtables rules for set-rate and set-burst, increasing their values until the issue is resolved. For example, configure set-rate=1200 and set-burst=300.

This issue is being investigated at this time.


RN-1006 (CM-20644)
The ptp4l and phc2sys services are enabled by default resulting in repeated syslog messages

In Cumulus Linux 3.6.1 and later, the ptp4l and phc2sys services are enabled by default. If you are not using PTP or PTP is not configured, the logs are repeatedly filled with messages similar to the following.

2018-06-20T15:38:44.490543+00:00 cumulus phc2sys: [1542.230] Waiting for ptp4l...
2018-06-20T15:38:44.491160+00:00 cumulus phc2sys: [1542.230] uds: sendto failed: No such file or directory
2018-06-20T15:38:45.491747+00:00 cumulus phc2sys: [1543.231] Waiting for ptp4l...
2018-06-20T15:38:45.492259+00:00 cumulus phc2sys: [1543.231] uds: sendto failed: No such file or directory
2018-06-20T15:38:46.492925+00:00 cumulus phc2sys: [1544.233] Waiting for ptp4l...
2018-06-20T15:38:46.493440+00:00 cumulus phc2sys: [1544.233] uds: sendto failed: No such file or directory

To work around this issue in Cumulus Linux 3.6.2, add StartLimitInterval to both the ptp4l and phc2sys services as shown below:

sudo mkdir -p /etc/systemd/system/ptp4l.service.d /etc/systemd/system/phc2sys.service.d
sudo sh -c '/bin/echo -e "[Service]\nStartLimitInterval=375" > /etc/systemd/system/phc2sys.service.d/startinterval.conf'
sudo sh -c '/bin/echo -e "[Service]\nStartLimitInterval=375" > /etc/systemd/system/ptp4l.service.d/startinterval.conf'
sudo systemctl daemon-reload

This issue should be fixed in a future release of Cumulus Linux.


RN-1027 (CM-21707)
On Maverick switches, enabling auto-negotiation on 10G (all) and 1G SFP RJ45 breaks the link

On a Maverick switch, if auto-negotiation is configured on a 10G interface and the installed module does not support auto-negotiation (for example, 10G DAC, 10G Optical, 1G RJ45 SFP), the link breaks.

To work around this issue, disable auto-negotiation on interfaces where it is not supported. See the Interface Configuration Recommendations for information about configuring auto-negotiation.

This issue is being investigated at this time.

Issues Fixed in Cumulus Linux 3.6.1

The following is a list of issues fixed in Cumulus Linux 3.6.1 from earlier versions of Cumulus Linux. 

Release Note ID Summary Description

RN-766 (CM-19006)
On the Broadcom Trident II+ and Maverick platform, in an external VXLAN routing environment, the switch does not rewrite MAC addresses and TTL, so packets are dropped by the next hop

On the Broadcom Trident II+ and Maverick based switch, in an external VXLAN routing environment, when a lookup is done on the external-facing switch (exit/border leaf) after VXLAN decapsulation, the switch does not rewrite the MAC addresses and TTL; for through traffic, packets are dropped by the next hop instead of correctly routing from a VXLAN overlay network into a non-VXLAN external network (for example, to the Internet).

This issue affects all traffic from VXLAN overlay hosts that need to be routed after VXLAN decapsulation on an exit/border leaf, including:

  • Traffic destined to external networks (through traffic)
  • Traffic destined to the exit leaf SVI address

To work around this issue, modify the external-facing interface for each VLAN sub-interface by creating a temporary VNI and associating it with the existing VLAN ID.

For example, if the expected interface configuration is:

auto swp3.2001
iface swp3.2001
    vrf vrf1
    address 45.0.0.2/24
# where swp3 is the external facing port and swp3.2001 is the VLAN sub-interface

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge-ports vx-4001
    bridge-vids 4001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    <... usual vxlan config ...>
    bridge-access 4001
# where vnid 4001 represents the L3 VNI

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1

Modify the configuration as follows:

auto swp3
iface swp3
    bridge-access 2001
# associate the port (swp3) with bridge 2001

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge-ports swp3 vx-4001 vx-16000000
    bridge-vids 4001 2001
# where vx-4001 is the existing VNI and vx-16000000 is a new temporary VNI
# this is now bridging the port (swp3), the VNI (vx-4001),
# and the new temporary VNI (vx-16000000)
# the bridge VLAN IDs are now 4001 and 2001

auto vlan2001
iface vlan2001
    vlan-id 2001
    vrf vrf1
    address 45.0.0.2/24
    vlan-raw-device bridge
# create a VLAN 2001 with the associated VRF and IP address

auto vx-16000000
iface vx-16000000
    vxlan-id 16000000
    bridge-access 2001
    <... usual vxlan config ...>
# associate the temporary VNI (vx-16000000) with bridge 2001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    <... usual vxlan config ...>
    bridge-access 4001
# where vnid 4001 represents the L3 VNI

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1

RN-860 (CM-20695)
Tab completion with 'net add vxlan' command produces traceback in the log

When using tab completion with the net add vxlan command, the following traceback appears in the log:

ERROR: 'name'
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/nclu/__init__.py", line 789, in get_lldp
    lldp[value['name']] = value['chassis'][0]['name'][0]['value']
KeyError: 'name'

This issue is fixed in Cumulus Linux 3.6.1.


RN-876 (CM-20776)
EVPN symmetric IRB with numbered neighbors omits the NEXTHOP attribute when advertising to an external router

With EVPN symmetric routing (including type-5 routes), host routes and prefix routes learned through EVPN can be advertised to a VRF peer only when that peering uses BGP unnumbered. With a numbered BGP peering, the NEXTHOP of the MP_REACH_NLRI attribute is omitted from the update, and the neighbor rejects it with a BGP NOTIFICATION.

This issue is fixed in Cumulus Linux 3.6.1.


RN-887 (CM-20474)
VXLAN Encapsulation drops ARP QinQ tunneled packets

When an ARP request or response (or IPv6 NS/NA) packet carrying double VLAN tags (802.1Q-in-802.1Q, QinQ) is sent into a VXLAN overlay, the outer VLAN tag is stripped during VXLAN encapsulation. If the receiving VTEP is a Broadcom Trident II+ platform, the decapsulated packet is incorrectly directed to the control plane. As the packet traverses the Linux kernel VXLAN interface into the VLAN-aware bridge device, the now-exposed inner VLAN tag is wrongly checked against the bridge's VLAN filter (which only knows the outer VLAN set), so the packet is discarded.

This issue is fixed in Cumulus Linux 3.6.1.


RN-890 (CM-20415)
On Maverick QCT LY7, Tomahawk+ AS7312 and DNI AG5648 switches, sysfs tree differences cause portwd startup failure

Inserting a 1000BASE-T RJ-45 SFP adapter into a Maverick QCT LY7, Tomahawk+ AS7312 or DNI AG5648 switch causes portwd to fail to start, leaving the switch unusable.

To work around this issue, do not use 1000BASE-T RJ-45 modules on the impacted switches.

This issue is fixed in Cumulus Linux 3.6.1.


RN-897 (CM-20086)
FRR doesn't support hostnames starting with a digit

NCLU reports an error attempting to configure FRR when the configured hostname begins with a digit:

unknown: buffer_flush_available: write error on fd -1: Bad file descriptor

To work around this issue, change the hostname of the switch so that it begins with an alphabetic character, not a digit.

This issue is fixed in Cumulus Linux 3.6.1.


RN-904 (CM-20800)
NCLU net add and net del commands missing for EVPN type-5 default originate

The NCLU net add and net del commands are missing for the default originate EVPN type-five route feature.

This issue is fixed in Cumulus Linux 3.6.1.


RN-907 (CM-20829)
netd fails on start after apt upgrade to 3.6.0 with "ImportError: No module named time"

When you use the apt-get upgrade command to upgrade to Cumulus Linux 3.6.0 and you choose to keep the currently installed version of netd.conf (by typing N at the prompt), netd fails to start after reboot and the logs show errors when you try to restart netd.

This issue is fixed in Cumulus Linux 3.6.1.


RN-933 (CM-20781)
NCLU 'net add bgp neighbor' command with swp1, swp2, or swp1-2 causes TB NameError

Issuing the net add bgp neighbor command with swp1, swp2 or swp1-2 causes the following error:

TB NameError: global name 'ifname_expand_glob' is not defined.

This issue is fixed in Cumulus Linux 3.6.1.


RN-935 (CM-20772)
ACL rule unable to match interface eth0 when belonging to VRF

ACL rules that match on interface eth0 do not match, and therefore do not block incoming packets, when eth0 belongs to a VRF (as it does when the management VRF is enabled). Until the switch is upgraded, such rules provide no filtering on the management interface.

This issue is fixed in Cumulus Linux 3.6.1.


RN-936 (CM-20418)
ACL to only allow ARP prevents ARP on SVIs

ACL rules that only allow ARP packets prevent ARP packets from reaching SVIs.

This issue is fixed in Cumulus Linux 3.6.1.


RN-937 (CM-19301)
Increase maximum sflow sampling ratio

The maximum configurable sFlow sampling ratio is too low; at high traffic rates the resulting volume of samples can overload the switch CPU.

This is fixed in Cumulus Linux 3.6.1. The ratio is increased to 1:100000 in hsflowd.


RN-944 (CM-20841)
netd fails to start for apt-upgrade from 3.3.2 to 3.6.0

When upgrading from Cumulus Linux 3.3.2 to 3.6.0 using the netd.conf file from version 3.3.2, netd fails to start and displays the error ImportError: No module named frr-reload.

This issue is fixed in Cumulus Linux 3.6.1.


RN-945 (CM-20311)
Security: DSA-4157-1 for openssl issues CVE-2017-3738 CVE-2018-0739

The following CVEs were announced in Debian Security Advisory DSA-4157-1, and affect the openssl package.

This issue is fixed in Cumulus Linux 3.6.1.

--------------------------------------------------------------------------

Debian Security Advisory DSA-4157-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 29, 2018 https://www.debian.org/security/faq

--------------------------------------------------------------------------

Package : openssl

CVE ID : CVE-2017-3738 CVE-2018-0739

Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2017-3738

David Benjamin of Google reported an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli.

CVE-2018-0739

It was discovered that constructed ASN.1 types with a recursive definition could exceed the stack, potentially leading to a denial of service.

Details can be found in the upstream advisory:

https://www.openssl.org/news/secadv/20180327.txt

For the oldstable distribution (jessie), these problems have been fixed in version 1.0.1t-1+deb8u8. The oldstable distribution is not affected by CVE-2017-3738.

For the stable distribution (stretch), these problems have been fixed in version 1.1.0f-3+deb9u2.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/openssl


RN-946 (CM-20603)
Security: DSA-4172-1 for perl issues CVE-2018-6797 CVE-2018-6798 CVE-2018-6913

The following CVEs were announced in Debian Security Advisory DSA-4172-1 and affect the perl package.

This issue is fixed in Cumulus Linux 3.6.1.

--------------------------------------------------------------------------

Debian Security Advisory DSA-4172-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 14, 2018 https://www.debian.org/security/faq

--------------------------------------------------------------------------

Package : perl

CVE ID : CVE-2018-6797 CVE-2018-6798 CVE-2018-6913

Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2018-6797

Brian Carpenter reported that a crafted regular expression could cause a heap buffer write overflow, with control over the bytes written.

CVE-2018-6798

Nguyen Duc Manh reported that matching a crafted locale dependent regular expression could cause a heap buffer read overflow and potentially information disclosure.

CVE-2018-6913

GwanYeong Kim reported that 'pack()' could cause a heap buffer write overflow with a large item count.

For the oldstable distribution (jessie), these problems have been fixed in version 5.20.2-3+deb8u10. The oldstable distribution (jessie) update contains only a fix for CVE-2018-6913.

For the stable distribution (stretch), these problems have been fixed in version 5.24.1-3+deb9u3.

We recommend that you upgrade your perl packages.

For the detailed security status of perl please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/perl


RN-949 (CM-21038)
VRF stops working when /etc/resolv.conf does not exist

When upgrading to Cumulus Linux 3.6.0, if the /etc/resolv.conf file does not exist and eth0 is configured with a static IP address, the switch fails to start VRFs after reboot.

This issue is fixed in Cumulus Linux 3.6.1.


RN-958 (CM-21095)
NCLU 'net add bgp neighbor <interface>' command does not create or enable the interface if it is not previously defined

When you run the net add bgp neighbor <interface> command, the interface is only added if previously defined.

This issue is fixed in Cumulus Linux 3.6.1.


RN-962 (CM-21026)
DHCP request packets in VXLAN decapsulation do not go to CPU

On Broadcom platforms configured with a VXLAN centralized routing gateway, DHCP discover packets are not correctly processed for DHCP relay.

This issue is fixed in Cumulus Linux 3.6.1.

New Known Issues in Cumulus Linux 3.6.1

The following issues are new to Cumulus Linux and affect the current release.

Release Note ID Summary Description

RN-875 (CM-20779)
On Mellanox switches, withdrawal of one ECMP next-hop results in the neighbor entry for that next hop to be missing from hardware

On a Mellanox switch, when you withdraw one ECMP next hop, the neighbor entry for that next hop is missing from the hardware.

To work around this issue, manually delete the ARP entry from the kernel with the arp -d command; the entry is then re-learned and repopulated in the hardware.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-938 (CM-20979)
Removing a VLAN from a bridge configured with VXLAN results in an outage

Removing a VLAN from a bridge configured with VXLAN causes a network service outage until the configuration change is reverted with the net rollback last command.

To work around this issue, remove the VNI interface first, then remove the unused VLAN from the bridge.

This issue is being investigated at this time.


RN-939 (CM-20944)
On Maverick switches, random links might not come up on boot when enabling RS FEC with 100G AOC cables

On Maverick 100G switches, after enabling FEC on links with 100G AOC cables, random links do not come up after a reboot.

To work around this issue, disable FEC on 100G AOC links.

This issue is being investigated at this time.


RN-940 (CM-20813)
On Mellanox switches, packets are not mirrored on matching '-out-interface bond0' SPAN rules

SPAN rules that match on a bond as the out-interface do not mirror packets.

This is a regression of an earlier issue and is being investigated at this time.


RN-941 (CM-20806)
When configuring layer 2 VPN EVPN in vtysh, if the route-target matches the VNI and AS number, the configuration does not display the route target

When configuring layer 2 VPN EVPN in vtysh, if a route-target matches both the AS number and the VNI number, the route target does not display in the configuration. This is currently the default behavior.

This issue is being investigated at this time.


RN-942 (CM-20693)
In NCLU, you can only set the community number in a route map

In NCLU, you can only set the community number in a route map. You cannot set other community options such as no-export, no-advertise, or additive.

This issue is being investigated at this time.


RN-943 (CM-20639)
The neighbor table and EVPN routes are not updated on receiving GARP from an IP address that moved to a new MAC address

After an IP address moves to a new host, the switch receives a GARP for that address from the new MAC address, but the neighbor table and the EVPN routes are not updated to reflect the new MAC address.

This issue is being investigated at this time.


RN-947 (CM-20992)
RS FEC configuration cleared and not re-installed on switchd restart, leaving links down

During switchd restart, the RS FEC configuration is not re-installed to the interfaces to which it was previously applied.

This issue is being investigated at this time.


RN-948 (CM-17494)
The default arp_ignore mode does not prevent reachable neighbor entries for hosts not on the connected subnet

In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet.

To work around this issue, change the value of arp_ignore to 2. See Default ARP Settings in Cumulus Linux for more information.
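
To see whether this has already happened on a switch, the following added example (not Cumulus Networks code) parses the output of ip -4 -o addr show and ip -4 neigh show and lists the REACHABLE or STALE neighbor entries whose address lies outside every subnet configured on the interface they were learned on. The two embedded outputs are constructed samples; the functions accept the live output of those two commands unchanged.

```python
import ipaddress

# Constructed sample of `ip -4 -o addr show` output (not captured from a real switch).
SAMPLE_ADDR = """\
2: swp1    inet 10.1.1.1/24 brd 10.1.1.255 scope global swp1\\       valid_lft forever preferred_lft forever
5: vlan100    inet 192.0.2.1/26 brd 192.0.2.63 scope global vlan100\\       valid_lft forever preferred_lft forever
"""

# Constructed sample of `ip -4 neigh show` output. 172.16.9.9 is the case the
# release note describes: learned on swp1, but not inside 10.1.1.0/24.
SAMPLE_NEIGH = """\
10.1.1.20 dev swp1 lladdr 00:11:22:33:44:55 REACHABLE
172.16.9.9 dev swp1 lladdr 00:11:22:33:44:66 STALE
192.0.2.10 dev vlan100 lladdr 00:11:22:33:44:77 REACHABLE
10.1.1.30 dev swp1  FAILED
"""


def parse_connected_subnets(addr_output):
    """Map each interface name to the IPv4 networks configured on it."""
    subnets = {}
    for line in addr_output.splitlines():
        tokens = line.split()
        # one-line form: "<idx>: <dev> inet <addr>/<len> brd ..."
        if len(tokens) < 4 or tokens[2] != "inet":
            continue
        dev = tokens[1]
        subnets.setdefault(dev, []).append(ipaddress.ip_interface(tokens[3]).network)
    return subnets


def parse_neighbors(neigh_output):
    """Return (address, interface, state) for each neighbor table line."""
    entries = []
    for line in neigh_output.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or "dev" not in tokens:
            continue
        ip = ipaddress.ip_address(tokens[0])
        dev = tokens[tokens.index("dev") + 1]
        state = tokens[-1]          # lladdr is optional, the state is always last
        entries.append((ip, dev, state))
    return entries


def off_subnet_neighbors(neigh_output, addr_output, states=("REACHABLE", "STALE")):
    """Return 'ip dev state' strings for neighbor entries in the given states
    whose address is not inside any subnet configured on the interface the
    entry was learned on: the entries arp_ignore=2 would have prevented."""
    subnets = parse_connected_subnets(addr_output)
    flagged = []
    for ip, dev, state in parse_neighbors(neigh_output):
        if state not in states:
            continue
        if not any(ip in net for net in subnets.get(dev, [])):
            flagged.append(f"{ip} {dev} {state}")
    return flagged


if __name__ == "__main__":
    for entry in off_subnet_neighbors(SAMPLE_NEIGH, SAMPLE_ADDR):
        print("off-subnet neighbor:", entry)
```

PERMANENT entries, such as the static next-hop entries FRR installs for BGP unnumbered interfaces, are outside the default state filter and are not flagged. Before applying the workaround, note what arp_ignore=2 does: the switch replies only if the target address is local to the incoming interface and the sender's address is on one of that interface's subnets. Confirm that no host on the link legitimately ARPs from an off-subnet source (for example a host with a /32 address and an interface route toward the switch); such hosts lose reachability once the switch stops answering them.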


RN-951 (CM-21048)
NCLU command fails to delete the VRF static route

The NCLU command net del routing route does not delete a static route within a VRF.

To work around this issue, delete the VRF static route using vtysh, either directly in configuration mode or with vtysh -c.

This issue is being investigated at this time.


RN-952 (CM-21090)
NCLU 'net show bridge macs' command improperly displays the 'never' keyword

When you use the net show bridge macs command and a MAC address has just been updated, the never keyword improperly displays in the command output.

This issue is being investigated at this time.


RN-953 (CM-21082)
Virtual device counters not working as expected

Virtual device counters are not working as expected. The TX counter increments but the RX counter does not.

This issue is being investigated at this time.


RN-954 (CM-21062)
Repeating the NCLU command that configures the DHCP relay exits with return code 1

When you run the NCLU DHCP relay command with a server IP address that is already configured, the command exits with an error instead of reporting that the DHCP relay server configuration already contains that IP address.

This issue is being investigated at this time.


RN-955 (CM-21060)
NCLU 'net show configuration' output is out of order

When you run the net show configuration command after upgrading to Cumulus Linux 3.6, the interfaces are displayed out of order in the command output.

This issue is being investigated at this time.


RN-956 (CM-21055)
On Mellanox switches, the destination MAC of ERSPAN GRE packets is set to all zeros

On Mellanox switches, the destination MAC of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch drops the packets.

This issue is being investigated at this time.


RN-959 (CM-21167)
BGP aggregate created but left inactive in the routing table

If you use BGP to generate an aggregate, the aggregate shows up in the BGP table but is listed in zebra as inactive.

This issue is being investigated at this time.


RN-960 (CM-21154)
Deleting an interface with the NCLU command does not remove the interface in frr.conf

When you use NCLU to delete an interface, the associated configuration is not removed from the frr.conf file.

This issue is being investigated at this time.


RN-963 (CM-21362)
Bringing down a bridge member interface sets the interface MTU to 1500 and the bridge MTU to 1500

When you bring down an interface for a bridge member, the MTU for the interface and the MTU for the bridge are both set to 1500.

To work around this issue, run ifdown on the interface, then run the sudo ip link set dev <interface> mtu <mtu> command.

For example:

sudo ifdown swp3
sudo ip link set dev swp3 mtu 9192

As an alternative, in the /etc/network/interfaces file, add a post-down command to reset the MTU of the interface. For example:

auto swp3
iface swp3
    alias BNBYLAB-PD01HV-01_Port3
    bridge-vids 106 109 119 141 150-151
    mtu 9192
    post-down /sbin/ip link set dev swp3 mtu 9192

RN-964 (CM-21319)
When upgrading to Cumulus Linux 3.6, static routes in the default VRF are associated with other VRFs

When you upgrade to Cumulus Linux 3.6.x, static routes that belong to the default VRF but appear in the frr.conf file after a VRF stanza are parsed as belonging to that VRF instead of the default VRF.

This issue is currently being investigated.


RN-965 (CM-21313, CM-15657)
Errors occur if comma-separated globs exist in the /etc/network/interfaces file

If you edit the /etc/network/interfaces file manually and add bridge VIDs to an interface using the NCLU syntax (comma-separated globs), you see an error similar to the following:

ERROR: numbers_to_glob() could not extract any IDs from ['1,4,1000,1002,1006']

To work around this issue, separate globs with spaces when manually editing the /etc/network/interfaces file.

This issue is currently being investigated.


RN-966 (CM-21297)
TACACS authenticated users in 'netshow' or 'netedit' groups cannot issue 'net' commands after upgrade to Cumulus Linux 3.6

When upgrading from a previous release to Cumulus Linux 3.6, TACACS-authenticated users mapped to the tacacs0 through tacacs15 users with the netshow or netedit user groups cannot run net commands and see the following error:

ERROR: You do not have permission to execute that command

This behavior occurs only when TACACS+ is used for authentication alone, without a restricted shell enabled for per-command authorization.

This problem is not present on a binary install of 3.6.0 or 3.6.1 and only happens when upgrading from previous releases.

To work around this issue, edit the /etc/netd.conf file, add the tacacs group to the groups_with_show list and the tacacs15 user to the users_with_edit list, as below. Keep the grant this narrow: adding the whole tacacs group to groups_with_edit would let every TACACS-authenticated privilege level run add, del, clear, abort and commit, not only the level mapped to tacacs15.

# Control which users/groups are allowed to run "add", "del",
# "clear", "abort", and "commit" commands.
users_with_edit = root, cumulus, vagrant, tacacs15
groups_with_edit = netedit

# Control which users/groups are allowed to run "show" commands.
users_with_show = root, cumulus, vagrant
groups_with_show = netshow, netedit, tacacs

After making this change, restart netd with the sudo systemctl restart netd command.


RN-969 (CM-21278)
NCLU 'net show lldp' output has PortDescr as Remote Port

When you run the net show lldp command, the command output incorrectly displays the remote port as the port description.

To work around this issue, run the net show interface command when connected to Cisco equipment.

This issue is currently being investigated.


RN-970 (CM-21203)
VXLAN and tcam_resource_profile set to acl-heavy, causes the switch to crash

Changing tcam_resource_profile to acl-heavy on a switch with VXLAN enabled and attempting to apply the configuration with a switchd restart, causes switchd to fail to restart, netd to crash, the switch to become temporarily unresponsive, and a cl-support to be generated.

To work around this issue, remove the acl-heavy profile or the VXLAN configuration.

This issue is currently being investigated.


RN-971 (CM-20501)
cl-ecmpcalc is not supported on Maverick (Broadcom 5676x) ASICs

The cl-ecmpcalc tool is not supported on platforms based on ASICs in the Broadcom 5676x (Maverick) family.

This issue should be fixed in an upcoming release of Cumulus Linux.

Issues Fixed in Cumulus Linux 3.6.0

The following is a list of issues fixed in Cumulus Linux 3.6.0 from earlier versions of Cumulus Linux. 

Release Note ID Summary Description

RN-406 (CM-9895)
Mellanox SN2700 power off issues

The Mellanox SN2700 or SN2700B switch appears to be unresponsive for at least three minutes after a PDU power cycle is issued, if any of the following occur:

  • A shutdown or poweroff command is executed
  • A temperature sensor hits a critical value and shuts down the switch

To fix this, update the system CPLD to version CPLD000085. Contact Mellanox support for assistance.


RN-545 (CM-13800)
OSPFv3 redistribute connected with route-map broken at reboot (or ospf6d start)

This issue only affects OSPFv3 (IPv6).

This issue is fixed in Cumulus Linux 3.6.0.


RN-608 (CM-16145)
Buffer monitoring default port group discards_pg only accepts packet collection type

The default port group discards_pg does not accept packet_extended or packet_all collection types.

This issue is fixed in Cumulus Linux 3.6.0.


RN-704 (CM-18886, CM-20027)
ifreload causes MTU to drop on bridge SVIs 

When you run the ifreload command on a bridge SVI with an MTU higher than 1500, the MTU resets to 1500 after the initial ifreload -a, then resets to its original value when running ifreload -a for the second time.

This issue is fixed in Cumulus Linux 3.6.0.


RN-738 (CM-18709)
On Dell S4148T-ON switches with Maverick ASICs, configuring 1G or 100M speeds on 10G fixed copper ports requires a ports.conf workaround

1G and 100M speeds on SFP ports are not working on the Dell S4148T-ON.

To enable a speed lower than 10G on a port on the S4148T platform, you must dedicate an entire port group (four interfaces) to a lower speed setting. Within a port group, you can mix 1G and 100M speeds, if needed. You cannot mix 10G and lower speeds.

To work around this issue:

  1. In the /etc/cumulus/ports.conf file, add each of the four ports in the port group as 1G interfaces. You must set each of the ports in the port group to be 1G. Port groups are swp1-4, swp5-8, swp9-12, and so on, and starting with swp31-35 on the right half of the switch. For example, to enable ports swp5-swp8 to autonegotiate to 100M or 1G speeds, add the following to the ports.conf file:
    5=1G
    6=1G
    7=1G
    8=1G
  2. Restart switchd:
    cumulus@switch:~$ sudo systemctl reset-failed switchd; sudo systemctl restart switchd

    After this is done, ports swp5-8 autonegotiate with the neighbor devices to 1G or 100M speeds.

As of 3.5.1, 1G interfaces are supported when using the ports.conf file workaround as described above. As of 3.6.0, editing the ports.conf file is no longer required.


RN-743 (CM-18612)
Routes learned through BGP unnumbered become unusable

In certain scenarios, the routes learned through BGP unnumbered become unusable. The BGP neighbor relationships remain but the routes cannot be forwarded due to a failure in layer 2 and layer 3 next hop/MAC address resolution.

To work around this issue, restart FRR.

This issue is fixed in Cumulus Linux 3.6.0.


RN-766 (CM-19006)
On the Broadcom Trident II+ and Maverick platform, in an external VXLAN routing environment, the switch does not rewrite MAC addresses and TTL, so packets are dropped by the next hop

On the Broadcom Trident II+ and Maverick based switch, in an external VXLAN routing environment, when a lookup is done on the external-facing switch (exit/border leaf) after VXLAN decapsulation, the switch does not rewrite the MAC addresses and TTL; for through traffic, packets are dropped by the next hop instead of correctly routing from a VXLAN overlay network into a non-VXLAN external network (for example, to the Internet).

This issue affects all traffic from VXLAN overlay hosts that need to be routed after VXLAN decapsulation on an exit/border leaf, including:

  • Traffic destined to external networks (through traffic)
  • Traffic destined to the exit leaf SVI address

This issue should be fixed in the Trident 3 ASIC.

To work around this issue, modify the external-facing interface for each VLAN sub-interface by creating a temporary VNI and associating it with the existing VLAN ID.

For example, if the expected interface configuration is:

auto swp3.2001
iface swp3.2001
    vrf vrf1
    address 45.0.0.2/24
# where swp3 is the external facing port and swp3.2001 is the VLAN sub-interface

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge ports vx-4001
    bridge-vids 4001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    <... usual vxlan config ...>
    bridge-access 4001
# where vnid 4001 represents the L3 VNI

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1

Modify the configuration as follows:

auto swp3
iface swp3
    bridge-access 2001
# associate the port (swp3) with bridge 2001

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge ports swp3 vx-4001 vx-16000000
    bridge-vids 4001 2001
# where vx-4001 is the existing VNI and vx-16000000 is a new temporary VNI
# this is now bridging the port (swp3), the VNI (vx-4001),
# and the new temporary VNI (vx-16000000)
# the bridge VLAN IDs are now 4001 and 2001

auto vlan2001
iface vlan2001
    vlan-id 2001
    vrf vrf1
    address 45.0.0.2/24
    vlan-raw-device bridge
# create a VLAN 2001 with the associated VRF and IP address

auto vx-16000000
iface vx-16000000
    vxlan-id 16000000
    bridge-access 2001
    <... usual vxlan config ...>
# associate the temporary VNI (vx-16000000) with bridge 2001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    <... usual vxlan config ...>
    bridge-access 4001
# where vnid 4001 represents the L3 VNI

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1

RN-778 (CM-19203)
On Dell S4148F-ON and S4128F-ON switches with Maverick ASICs, configuring 1G or 100M speeds requires a ports.conf workaround

1G and 100M speeds on SFP ports do not work automatically on Dell S4148F-ON and S4128F-ON switches.

To enable a speed lower than 10G on a port on the S4148F and S4128F platforms, you must dedicate an entire port group (four interfaces) to a lower speed setting. Within a port group, you can mix 1G and 100M speeds, if needed. You cannot mix 10G and lower speeds.

This issue is fixed in Cumulus Linux 3.6.0.


RN-785 (CM-19422)
NCLU 'net show interface detail' command does not display detailed output

The net show interface swp# command returns the same output as net show interface swp# detail.

To view the additional information typically presented, use alternative commands. For example, to view the module information and statistics, use ethtool swp# and ethtool -S swp#.

This issue is fixed in Cumulus Linux 3.6.0.


RN-787 (CM-19418)
NCLU 'net add hostname' creates an inconsistency between /etc/hostname and /etc/hosts files

Running the net add hostname <hostname> command updates both the /etc/hostname file and the /etc/hosts file. However, NCLU modifies the hostname value written to the /etc/hostname file, removing certain characters and converting the hostname to lowercase, whereas the hostname written to the /etc/hosts file is passed through as is, creating an inconsistency between the two files.

To work around this issue, manually set the hostname in both the /etc/hostname file and the /etc/hosts file using a text editor such as vi or nano.

This issue is fixed in Cumulus Linux 3.6.0.


RN-793 (CM-19321)
FRR does not detect the bandwidth for 100G interfaces correctly

FRR correctly detects the bandwidth for both 10G interfaces and 40G interfaces. However, it does not do so for 100G interfaces. Setting link speed manually does not fix this issue.

To work around this issue, restart the FRR service:

cumulus@switch:~$ sudo systemctl restart frr.service

This issue is fixed in Cumulus Linux 3.6.0.


RN-801 (CM-19195)
In VXLAN routing, border leafs in MLAG use anycast IP address after FRR restart

For type-5 routes, when an MLAG pair is used as border leaf nodes, the MLAG primary and secondary nodes use their respective loopback IP addresses as the originator IP address to start, but switch to using the MLAG anycast IP address after an FRR restart.

This issue is fixed in Cumulus Linux 3.6.0.


RN-803 (CM-19456)
EVPN and IPv4 routes change origin after redistribution

EVPN routes are re-injected into EVPN as type-5 routes when a type-5 advertisement is enabled. This issue occurs when advertising different subnets from different VTEPs into a type-5 EVPN symmetric mode environment.

This issue is fixed in Cumulus Linux 3.6.0.


RN-806 (CM-19241)
FRR removes all static routes when the service is stopped, including those created by ifupdown2

Whenever FRR is restarted, it deletes all routes in the kernel with a protocol type of BGP, ISIS, OSPF, and static. When you upgrade FRR and the service is stopped, the static routes defined in the /etc/network/interfaces file and installed using ifupdown2 are also removed.

To work around this issue, configure static routes in the /etc/network/interfaces file as follows:

post-up ip route add <prefix> via <next-hop> proto kernel

For example:

auto swp2
iface swp2
  post-up ip route add 0.0.0.0/0 via 192.0.2.249 proto kernel

This issue is fixed in Cumulus Linux 3.6.0.


RN-807 (CM-17159)
NCLU 'net show interface <bond>' command shows interface counters that are not populated

The output of the NCLU net show interface <bond> command shows misleading and incorrect interface counters.

This issue is fixed in Cumulus Linux 3.6.0.


RN-809 (CM-19120)
The 'netshow lldp' command displays an error

When running the netshow lldp command, the output displays the following error:

cumulus@switch:~# netshow lldp
ERROR: The lldpd service is running, but '/usr/sbin/lldpctl -f xml' failed.

However, the NCLU net show lldp command works correctly.

This issue is fixed in Cumulus Linux 3.6.0.


RN-815 (CM-19630)
Bridge MAC address clashing when eth0 is part of the same broadcast domain

Cumulus Linux derives the MAC address of a bridge from the eth0 MAC address. If eth0 and the bridge are part of the same broadcast domain, the same MAC address appears twice on one layer 2 segment and you experience outages when upgrading.

To work around this issue, manually change the bridge MAC address in the /etc/network/interfaces file.

This issue is fixed in Cumulus Linux 3.6.0.


RN-821 (CM-19898)
The 'net show interface' command output missing information

The net show interface command output is missing LACP, CLAG, VLAN, LLDP, and physical link failure information.

This issue is fixed in Cumulus Linux 3.6.0.


RN-824 (CM-19667)
The show ipv6 route ospf command results in an unknown route type

When you run the vtysh -c 'show ipv6 route ospf json' command to show IPv6 routes through OSPF, you see the error Unknown route type. To work around this issue, you must specify ospf6 in the command:

cumulus@switch:~$  vtysh -c 'show ipv6 route ospf6 json'

This issue is fixed in Cumulus Linux 3.6.0.


RN-826 (CM-16865)
The compute unique hash seed default value is the same for each switch

The seed used by the hashing algorithm has the same default value on every switch instead of being unique per switch, so every switch makes the same hashing decision for a given flow.

This issue is fixed in Cumulus Linux 3.6.0.


RN-828 (CM-19748)
Security: Debian Security Advisory DSA-4110-1 for exim4 issue CVE-2018-6789

The following CVE was announced in Debian Security Advisory DSA-4110-1, and affects the exim4 package. While this package is no longer in the Cumulus Linux installation image, it is still in the repo3 repository. Cumulus Linux is built on Debian Jessie.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4110-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 10, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : exim4
CVE ID : CVE-2018-6789
Debian Bug : 890000
Meh Chang discovered a buffer overflow flaw in a utility function used in the SMTP listener of Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code via a specially crafted message.
For the oldstable distribution (jessie), this problem has been fixed in version 4.84.2-2+deb8u5.
For the stable distribution (stretch), this problem has been fixed in version 4.89-2+deb9u3.


RN-829 (CM-19660)
Security: Debian Security Advisory DSA-4052-1 for Bazaar issue CVE-2017-14176

The following CVE was announced in Debian Security Advisory DSA-4052-1, and affects the Bazaar version control system.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4052-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 29, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : bzr
CVE ID : CVE-2017-14176
Debian Bug : 874429

Adam Collard discovered that Bazaar, an easy to use distributed version control system, did not correctly handle maliciously constructed bzr+ssh URLs, allowing a remote attacker to run an arbitrary shell command.

For the oldstable distribution (jessie), this problem has been fixed in version 2.6.0+bzr6595-6+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 2.7.0+bzr6619-7+deb9u1.


RN-830 (CM-19595)
Security: Debian Security Advisory DSA-4098-1 for curl issues CVE-2018-1000005 CVE-2018-1000007

The following CVEs were announced in Debian Security Advisory DSA-4098-1, and affect the curl package.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4098-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
January 26, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : curl
CVE ID : CVE-2018-1000005 CVE-2018-1000007
Two vulnerabilities were discovered in cURL, a URL transfer library.

CVE-2018-1000005
Zhouyihai Ding discovered an out-of-bounds read in the code handling HTTP/2 trailers. This issue doesn't affect the oldstable distribution (jessie).

CVE-2018-1000007
Craig de Stigter discovered that authentication data might be leaked to third parties when following HTTP redirects.

For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u9.


RN-831 (CM-19507)
Security: Debian Security Advisory DSA-4091-1 for mysql issues CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668

The following CVEs were announced in Debian Security Advisory DSA-4091-1, and affect all mysql packages, including mysql-* and libmysql-*.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4091-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 18, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : mysql-5.5
CVE ID : CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.59, which includes additional changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-59.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

For the oldstable distribution (jessie), these problems have been fixed in version 5.5.59-0+deb8u1.


RN-832 (CM-19458)
Security: Debian Security Advisory DSA-4089-1 for bind9 issue CVE-2017-3145

The following CVE was announced in Debian Security Advisory DSA-4089-1, and affects the bind9 package.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4089-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 16, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : bind9

CVE ID : CVE-2017-3145
Jayachandran Palanisamy of Cygate AB reported that BIND, a DNS server implementation, was improperly sequencing cleanup operations, leading in some cases to a use-after-free error, triggering an assertion failure and crash in named.

For the oldstable distribution (jessie), this problem has been fixed in version 1:9.9.5.dfsg-9+deb8u15.

For the stable distribution (stretch), this problem has been fixed in version 1:9.10.3.dfsg.P4-12.3+deb9u4.

We recommend that you upgrade your bind9 packages.


RN-833 (CM-19446)
Security: Debian Security Advisory DSA-4086 for libxml2 issue CVE-2017-15412

The following CVE was announced in Debian Security Advisory DSA-4086-1, and affects the libxml2 package.

This issue is fixed in Cumulus Linux 3.6.0.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4086-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 13, 2018 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : libxml2
CVE ID : CVE-2017-15412
Debian Bug : 883790

Nick Wellnhofer discovered that certain function calls inside XPath
predicates can lead to use-after-free and double-free errors when
executed by libxml2's XPath engine via an XSLT transformation.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.9.1+dfsg1-5+deb8u6.


RN-834 (CM-19385)
Security: Debian Security Advisory DSA-4082 for kernel issues CVE-2017-8824 CVE-2017-15868 CVE-2017-16538 CVE-2017-16939 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558 CVE-2017-17741 CVE-2017-17805 and more

The following CVEs were announced in Debian Security Advisory DSA-4082-1, and affect the Linux kernel.

This issue is fixed in Cumulus Linux 3.6.0.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4082-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 09, 2018 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-8824 CVE-2017-15868 CVE-2017-16538
CVE-2017-16939 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450
CVE-2017-17558 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806
CVE-2017-17807 CVE-2017-1000407 CVE-2017-1000410

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-8824

Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it:

echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

CVE-2017-15868

Al Viro found that the Bluetooth Network Encapsulation Protocol (BNEP) implementation did not validate the type of the second socket passed to the BNEPCONNADD ioctl(), which could lead to memory corruption. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation.

CVE-2017-16538

Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash).

CVE-2017-16939

Mohamed Ghannam reported (through Beyond Security's SecuriTeam Secure Disclosure program) that the IPsec (xfrm) implementation did not correctly handle some failure cases when dumping policy information through netlink. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation.

CVE-2017-17448

Kevin Cernekee discovered that the netfilter subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace, not just the root namespace, to enable and disable connection tracking helpers. This could lead to denial of service, violation of network security policy, or have other impact.

CVE-2017-17449

Kevin Cernekee discovered that the netlink subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace to monitor netlink traffic in all net namespaces, not just those owned by that user namespace. This could lead to exposure of sensitive information.

CVE-2017-17450

Kevin Cernekee discovered that the xt_osf module allowed users with the CAP_NET_ADMIN capability in any user namespace to modify the global OS fingerprint list.

CVE-2017-17558

Andrey Konovalov reported that the USB core did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation.

CVE-2017-17741

Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash).

CVE-2017-17805

Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash).

CVE-2017-17806

It was discovered that the HMAC implementation could be used with an underlying hash algorithm that requires a key, which was not intended. A local user could use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation.

CVE-2017-17807

Eric Biggers discovered that the KEYS subsystem lacked a check for write permission when adding keys to a process's default keyring. A local user could use this to cause a denial of service or to obtain sensitive information.

CVE-2017-1000407

Andrew Honig reported that the KVM implementation for Intel processors allowed direct access to host I/O port 0x80, which is not generally safe. On some systems this allows a guest VM to cause a denial of service (crash) of the host.

CVE-2017-1000410

Ben Seri reported that the Bluetooth subsystem did not correctly handle short EFS information elements in L2CAP messages. An attacker able to communicate over Bluetooth could use this to obtain sensitive information from the kernel.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.51-3+deb8u1.


RN-836 (CM-19353)
NCLU 'net del' and 'net add bridge' commands do not work in the same 'net commit'

If a bridge is previously configured and you run the net del all and the net add bridge commands in the same net commit, all bridge and VLAN commands fail and no bridge or VLAN configuration is added to the switch.

This issue is fixed in Cumulus Linux 3.6.0.


RN-837 (CM-19919)
PCIe bus error (Malformed TLP) on the Dell Z9100 switch

Certain Dell Z9100 switches running Cumulus Linux have a different string coded in the Manufacturer field of the SMBIOS/DMI information. This discrepancy sometimes causes a problem with timing during the boot sequence that leaves switchd in a failed state.

To work around this issue, perform either a single cold reboot (power cycle the switch) or two warm reboots (run the reboot command twice).

This issue is fixed in Cumulus Linux 3.6.0.


RN-861 (CM-20694)
NCLU 'net show lldp' command traceback on 'descr'

When you run the net show lldp command, the netd process crashes and does not recover. This occurs because the LLDP peer does not send the description field in the TLV (which is optional), so NCLU cannot parse the information.

To work around the issue, make sure that the LLDP peer device is configured to send the LLDP description in the TLV.

This issue is fixed in Cumulus Linux 3.6.0.


RN-862 (CM-20416)
The error message 'snmpd[xxx]: truncating integer value > 32 bits' repeating in syslog

When the switch or snmpd is running for more than 497 days, the following error message repeats in syslog:

snmpd[xxxx]: truncating integer value > 32 bits

This issue is resolved by limiting the number of log messages to 10 occurrences.


RN-863 (CM-20372)
The IPv6 default gateway GUA is not reachable through ICMP in a VXLAN configuration

When a server tries to reach the IPv6 default gateway global unique address (GUA) over a VXLAN enabled fabric, the communication fails if the gateway resides on a platform with the Broadcom Trident II+ ASIC, because incorrect hardware programming fails to forward the packet to the control plane for termination.

This issue is fixed in Cumulus Linux 3.6.0.


RN-864 (CM-20272)
Security: Debian Security Advisory DSA-4154-1 for net-snmp issues CVE-2015-5621 CVE-2018-1000116

The following CVEs were announced in Debian Security Advisory DSA-4154-1, and affect the net-snmp package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4154-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 28, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : net-snmp
CVE ID : CVE-2015-5621 CVE-2018-1000116
Debian Bug : 788964 894110

A heap corruption vulnerability was discovered in net-snmp, a suite of
Simple Network Management Protocol applications, triggered when parsing
the PDU prior to the authentication process. A remote, unauthenticated
attacker can take advantage of this flaw to crash the snmpd process
(causing a denial of service) or, potentially, execute arbitrary code
with the privileges of the user running snmpd.

For the oldstable distribution (jessie), these problems have been fixed
in version 5.7.2.1+dfsg-1+deb8u1.

For the stable distribution (stretch), these problems have been fixed
before the initial release.

We recommend that you upgrade your net-snmp packages.

For the detailed security status of net-snmp please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/net-snmp

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


RN-865 (CM-20344)
On the Broadcom Trident II+ ASIC, traceroute to an external host skips the anycast gateway address

When using traceroute from a server over a routed VXLAN overlay, the overlay router is not correctly accounted for in the path list. You might see the overlay router as an unknown hop or a repetition of the preceding hop. This applies for both IPv4 and IPv6.

This issue is fixed in Cumulus Linux 3.6.0.


RN-866 (CM-20182)
On Mellanox switches, ACL rules that match a TCP port do not work for encapsulated VXLAN packets

For an incoming VXLAN encapsulated packet, the inner packet does not match on the TCP port successfully after decapsulation.

This issue is fixed in Cumulus Linux 3.6.0.


RN-867 (CM-20126)
Implement forwarding table profiles for Maverick

The cl-resource-query command should report the layer 2 and layer 3 forwarding table sizes for Maverick switches.

This issue is fixed in Cumulus Linux 3.6.0.


RN-868 (CM-20069)
Link-down does not work on SVIs configured in a VRF

The link-down yes configuration in the /etc/network/interfaces file has no effect on shutting down SVI interfaces configured in a VRF. SVIs configured without a VRF are not affected.

This issue is fixed in Cumulus Linux 3.6.0.


RN-869 (CM-20002)
Kernel route uses the bridge VRR interface instead of the bridge interface

In the kernel routing table, the bridge VRR interface is used instead of the bridge interface. This causes ARP packets to be sourced from the VRR interface instead of the physical interface.

This issue is fixed in Cumulus Linux 3.6.0.


RN-870 (CM-19959)
Internal loopback ports on Tomahawk switches set to 40G cause traffic to throttle

The internal loopback ports on a Tomahawk switch should be set to the highest speed of which the port is capable. However, due to a software defect, the ports can be set to 40G, which throttles traffic. When configuring Tomahawk internal loopback ports, make sure the port is not configured to a speed other than 100G. If it is, first remove the configuration on that port, reboot the system, then reconfigure the loopback port in the /etc/cumulus/ports.conf file.

This issue is fixed in Cumulus Linux 3.6.0.


RN-871 (CM-19906)
Security: Debian Security Advisory DSA-4120-1 for Linux kernel issue CVE-2018-5750

The following CVE was announced in Debian Security Advisory DSA-4120-1, and affects the Linux kernel.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4120-1 security@debian.org
https://www.debian.org/security/
January 19, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : linux
CVE ID : CVE-2018-5750 

It was found that the acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.

See https://patchwork.kernel.org/patch/10174835/ for further details.


RN-872 (CM-19753)
On Mellanox Spectrum platforms configured with BGP unnumbered and multipath, cl-ecmpcalc fails on two links

On Mellanox Spectrum platforms, cl-ecmpcalc reports that the nexthop does not have multiple paths. For example:

Error: traffic to IP Address:31.0.0.31 will not ECMP

This issue is fixed in Cumulus Linux 3.6.0.


RN-873 (CM-18076)
Platform-aware validation checker for ports.conf

Cumulus Linux provides a new /etc/cumulus/ports.conf file validator that finds both syntax and platform-specific errors, and provides a reason for each invalid line. Errors are shown when you run the net commit command or the validate-ports script. Previously, the net commit command failed silently, with no error message.

The following example shows a ports.conf file snippet that has a problem with split ports:

...
# QSFP28 ports
#
# <port label> = [40G|50G|100G]
#   or when split = [2x50G|4x10G|4x25G|disabled]
1=4x10G
2=100G
3=4x10G
4=disabled
...

The above snippet in the ports.conf file produces the following error message when you run the net commit command:

cumulus@switch:~# net commit 
Error: 1 invalid lines found in /etc/cumulus/ports.conf:
[Line 57]:'2=100G'
  Invalid because: 2 is blocked by port 1 but is marked '100G' rather than disable[d]

This issue is fixed in Cumulus Linux 3.6.0.
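A minimal validator in the spirit of the one described, written as an added example (it is not Cumulus Linux's validate-ports script): it checks the syntax of each line, rejects values outside the documented set, and flags a port that is blocked by a 4x split but not marked disabled, emitting findings in the shape shown above. The blocking rule (a 4x split on an odd-numbered port consumes the following even-numbered port) is an assumption of the example standing in for the platform-specific table, and the sample file is constructed to mirror the snippet.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input that mirrors the RN-873 snippet (line numbers here
# count from the top of this string, not from a real ports.conf file).
SAMPLE_PORTS_CONF = """\
# QSFP28 ports
#
# <port label> = [40G|50G|100G]
#   or when split = [2x50G|4x10G|4x25G|disabled]
1=4x10G
2=100G
3=4x10G
4=disabled
"""

VALID_VALUES = {"40G", "50G", "100G", "2x50G", "4x10G", "4x25G", "disabled"}

# Assumed platform rule for this example (not a real platform table): a 4x
# breakout on an odd-numbered port consumes the lanes of the following
# even-numbered port, which must therefore be marked 'disabled'.
BLOCKING_SPLITS = {"4x10G", "4x25G"}

LINE_RE = re.compile(r"^(\d+)\s*=\s*(\S+)$")


def _invalid(lineno: int, line: str, reason: str) -> str:
    """Format one finding in the shape the release note shows."""
    return f"[Line {lineno}]:'{line}'\n  Invalid because: {reason}"


def parse_ports_conf(text: str) -> Tuple[Dict[int, Tuple[int, str]], List[str]]:
    """Return {port: (lineno, value)} for well-formed lines plus a list of
    syntax findings. Blank lines and '#' comments are skipped; every other
    line must be '<port>=<value>' with a value from VALID_VALUES."""
    ports: Dict[int, Tuple[int, str]] = {}
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            findings.append(_invalid(lineno, line, "expected '<port>=<speed>'"))
            continue
        port, value = int(match.group(1)), match.group(2)
        if value not in VALID_VALUES:
            findings.append(_invalid(
                lineno, line, f"'{value}' is not one of {sorted(VALID_VALUES)}"))
            continue
        if port in ports:
            findings.append(_invalid(
                lineno, line, f"port {port} is already defined on line {ports[port][0]}"))
            continue
        ports[port] = (lineno, value)
    return ports, findings


def check_platform_rules(ports: Dict[int, Tuple[int, str]]) -> List[str]:
    """Apply the assumed blocking rule: the port following a 4x split of an
    odd-numbered port must be 'disabled'."""
    findings: List[str] = []
    for port, (_, value) in sorted(ports.items()):
        blocked = port + 1
        if value in BLOCKING_SPLITS and port % 2 == 1 and blocked in ports:
            blocked_lineno, blocked_value = ports[blocked]
            if blocked_value != "disabled":
                findings.append(_invalid(
                    blocked_lineno, f"{blocked}={blocked_value}",
                    f"{blocked} is blocked by port {port} but is marked "
                    f"'{blocked_value}' rather than disabled"))
    return findings


def validate_ports_conf(text: str) -> List[str]:
    """Syntax findings first, then platform-rule findings."""
    ports, findings = parse_ports_conf(text)
    return findings + check_platform_rules(ports)


def report(text: str, path: str = "/etc/cumulus/ports.conf") -> str:
    """Summary in the style of the 'net commit' output quoted above."""
    findings = validate_ports_conf(text)
    if not findings:
        return f"{path}: no invalid lines"
    return f"Error: {len(findings)} invalid lines found in {path}:\n" + "\n".join(findings)


if __name__ == "__main__":
    print(report(SAMPLE_PORTS_CONF))
```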


RN-874 (CM-16293)
NCLU 'net show interface' output should be fewer than 80 characters

The output for the net show interface command can be more than 130 characters wide without line wrapping, which is difficult to read on an 80-character-wide terminal.

This issue is fixed in Cumulus Linux 3.6.0. The net show interface output is now fewer than 80 characters long for 80 character wide terminals.


RN-905 (CM-19649)
LLDP-MED network policy not working after port flaps

LLDP-MED includes voice VLAN and DSCP values. When you configure LLDP, the service works when the port is first brought up, but the switch stops sending LLDP-MED TLVs after a link state transition.

This issue is fixed in Cumulus Linux 3.6.0.


RN-909 (CM-20543)
NCLU 'net del time ntp server *' command crashes netd

Removing all NTP servers from the configuration with the net del time ntp server * command (using * as a wildcard to match all servers) causes netd to crash.

This issue is fixed in Cumulus Linux 3.6.0.


RN-910 (CM-20483)
On the Dell 4148F-ON switch, portwd tries to make 10G ports into 40G

On the Dell 4148F-ON switch, ports swp53 and swp54 do not link up with installed 10G DACs.

This issue is fixed in Cumulus Linux 3.6.0.


RN-911 (CM-20411)
OSPF is up after BFD fails in a point-to-point network

When a BFD session fails in a point-to-point network, the OSPF adjacency with the neighbor is not brought down.

This issue is fixed in Cumulus Linux 3.6.0.


RN-912 (CM-19801)
QinQ not working without a restart in traditional mode bridge

When changing the inner and outer VLANs of a double-tagged bridge interface using ifreload, the port's VLAN translation key is not updated correctly, causing an incorrect VLAN translation.

This issue is fixed in Cumulus Linux 3.6.0.


RN-913 (CM-19728)
NCLU 'ip forward' command has incorrect syntax and does not show in configuration

When you disable IP forwarding on an interface with the NCLU ip forward off command and commit the change, the command shows as unsupported when you run net show configuration commands.

This issue is fixed in Cumulus Linux 3.6.0.


RN-914 (CM-19727)
VRF not generated when used in BGP configuration

When you run the NCLU net add bgp vrf command, the VRF is not created in the /etc/network/interfaces file.

This issue is fixed in Cumulus Linux 3.6.0.


RN-915 (CM-19689)
The default syslog level for DHCP Relay results in too many messages

The default syslog severity level for DHCP Relay is 6, which causes too many syslog messages.

This issue is fixed in Cumulus Linux 3.6.0.


RN-916 (CM-19666)
netd crashes when you add unicode characters in SNMP commands

Unicode characters in SNMP commands cause netd to crash.

This issue is fixed in Cumulus Linux 3.6.0.


RN-917 (CM-19629)
FRR package code dependency causes FRR reload failure

Reloading a running FRR instance without a restart fails and logs errors because of failing code dependencies in the FRR package.

This issue is fixed in Cumulus Linux 3.6.0.


RN-918 (CM-19615)
On the Tomahawk ASIC, the nexthop of a route in a VRF points to an incorrect interface

The nexthop of a route common to two VRFs points to an incorrect interface.

This issue is fixed in Cumulus Linux 3.6.0.


RN-919 (CM-19452)
NCLU 'net show lldp' command causes netd to crash

The netd process crashes when you run the net show lldp command and does not recover.

This issue is fixed in Cumulus Linux 3.6.0.


RN-920 (CM-19374)
sFlow sampling causes RX-DRP in kernel

sFlow sampling is causing the RX-DRP counter in the net show counters command output to increment.

This issue is fixed in Cumulus Linux 3.6.0.


RN-921 (CM-19370)
Link Local IPv6 address is not associated with a VRF

Link Local IPv6 addresses cannot be used to source SSH traffic inside a VRF such as the management VRF.

This issue is fixed in Cumulus Linux 3.6.0.


RN-922 (CM-20237)
Security: Debian Security Advisory DSA-4151-1 for librelp issue CVE-2018-1000140 

The following CVE was announced in Debian Security Advisory DSA-4151-1, and affects the librelp package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4151-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 26, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : librelp
CVE ID : CVE-2018-1000140

Bas van Schaik and Kevin Backhouse discovered a stack-based buffer
overflow vulnerability in librelp, a library providing reliable event
logging over the network, triggered while checking x509 certificates
from a peer. A remote attacker able to connect to rsyslog can take
advantage of this flaw for remote code execution by sending a specially
crafted x509 certificate.

Details can be found in the upstream advisory:
http://www.rsyslog.com/cve-2018-1000140/

For the oldstable distribution (jessie), this problem has been fixed
in version 1.2.7-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.12-1+deb9u1.

We recommend that you upgrade your librelp packages.

For the detailed security status of librelp, please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/librelp


RN-923 (CM-20093)
Security: Debian Security Advisory DSA-4140-1 for libvorbis issue CVE-2018-5146 

The following CVE was announced in Debian Security Advisory DSA-4140-1, and affects the libvorbis package.

This issue is fixed in Cumulus Linux 3.6.0.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4140-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 16, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : libvorbis
CVE ID : CVE-2018-5146
Debian Bug : 893130

Richard Zhu discovered that an out-of-bounds memory write in the
codebook parsing code of the Libvorbis multimedia library could result
in the execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.3.4-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.3.5-4+deb9u2.


RN-924 (CM-20066)
Security: Debian Security Advisory DSA-4136-1 for curl issues CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 

The following CVEs were announced in Debian Security Advisory DSA-4136-1, and affect the curl package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4136-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
March 14, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122

Multiple vulnerabilities were discovered in cURL, a URL transfer library.

CVE-2018-1000120

Duy Phan Thanh discovered that curl could be fooled into writing a
zero byte out of bounds when curl is told to work on an FTP URL with
the setting to only issue a single CWD command, if the directory part
of the URL contains a "%00" sequence.

CVE-2018-1000121
Dario Weisser discovered that curl might dereference a near-NULL
address when getting an LDAP URL due to the ldap_get_attribute_ber()
function returning LDAP_SUCCESS and a NULL pointer. A malicious server
might cause libcurl-using applications that allow LDAP URLs, or that
allow redirects to LDAP URLs to crash.

CVE-2018-1000122

OSS-fuzz, assisted by Max Dymond, discovered that curl could be
tricked into copying data beyond the end of its heap based buffer
when asked to transfer an RTSP URL.

For the oldstable distribution (jessie), these problems have been fixed
in version 7.38.0-4+deb8u10.

For the stable distribution (stretch), these problems have been fixed in
version 7.52.1-5+deb9u5.

We recommend that you upgrade your curl packages.

For the detailed security status of curl, please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl


RN-925 (CM-20030)
Security: Debian Security Advisory DSA-4100-1 for tiff (libtiff) issues CVE-2017-9935 CVE-2017-11335 CVE-2017-12944 CVE-2017-13726 CVE-2017-13727 CVE-2017-18013 

The following CVEs were announced in Debian Security Advisory DSA-4100-1, and affect the tiff package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4100-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 27, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : tiff
CVE ID : CVE-2017-9935 CVE-2017-11335 CVE-2017-12944 CVE-2017-13726
CVE-2017-13727 CVE-2017-18013

Multiple vulnerabilities have been discovered in the libtiff library and
the included tools, which may result in denial of service or the
execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 4.0.3-12.3+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 4.0.8-2+deb9u2.
We recommend that you upgrade your tiff packages.

For the detailed security status of tiff, please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tiff


RN-926 (CM-19996)
Security: Debian Security Advisory DSA-4133-1 for isc-dhcp issues CVE-2017-3144 CVE-2018-5732 CVE-2018-5733 

The following CVEs were announced in Debian Security Advisory DSA-4133-1, and affect the isc-dhcp package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4133-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 07, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : isc-dhcp
CVE ID : CVE-2017-3144 CVE-2018-5732 CVE-2018-5733
Debian Bug : 887413 891785 891786

Several vulnerabilities have been discovered in the ISC DHCP client,
relay and server. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2017-3144

It was discovered that the DHCP server does not properly clean up
closed OMAPI connections, which can lead to exhaustion of the pool
of socket descriptors available to the DHCP server, resulting in
denial of service.

CVE-2018-5732

Felix Wilhelm of the Google Security Team discovered that the DHCP
client is prone to an out-of-bound memory access vulnerability when
processing specially constructed DHCP options responses, resulting
in potential execution of arbitrary code by a malicious DHCP server.

CVE-2018-5733

Felix Wilhelm of the Google Security Team discovered that the DHCP
server does not properly handle reference counting when processing
client requests. A malicious client can take advantage of this flaw
to cause a denial of service (dhcpd crash) by sending large amounts
of traffic.

For the oldstable distribution (jessie), these problems have been fixed
in version 4.3.1-6+deb8u3.

For the stable distribution (stretch), these problems have been fixed in
version 4.3.5-3+deb9u1.

We recommend that you upgrade your isc-dhcp packages.

For the detailed security status of isc-dhcp, please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/isc-dhcp


RN-927 (CM-19961)
Security: Debian Security Advisory DSA-4132 for libvpx issue CVE-2017-13194 

The following CVE was announced in Debian Security Advisory DSA-4132-1, and affects the libvpx package.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4132-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 04, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : libvpx
CVE ID : CVE-2017-13194

It was discovered that incorrect validation of frame widths in the libvpx
multimedia library may result in denial of service and potentially the
execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.3.0-3+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.6.1-3+deb9u1.

We recommend that you upgrade your libvpx packages.

For the detailed security status of libvpx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvpx


RN-928 (CM-19253)
Security: Debian Security Advisory DSA-4068-1 for rsync issues CVE-2017-16548 CVE-2017-17433 CVE-2017-17434 

The following CVEs were announced in Debian Security Advisory DSA-4068-1, and affect the rsync package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4068-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 17, 2017 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : rsync
CVE ID: CVE-2017-16548  CVE-2017-17433 CVE-2017-17434
Debian Bug : 880954 883665 883667

Several vulnerabilities were discovered in rsync, a fast, versatile,
remote (and local) file-copying tool, allowing a remote attacker to
bypass intended access restrictions or cause a denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 3.1.1-3+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 3.1.2-1+deb9u1.


RN-929 (CM-19303)
Security: Debian Security Advisory DSA-4073-1 for linux kernel issues CVE-2017-8824 CVE-2017-16995 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558 CVE-2017-17712 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806 CVE-2017-17807 CVE-2017-1000407 CVE-2017-1000410

The following CVEs were announced in Debian Security Advisory DSA-4073-1, and affect the linux package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4073-1 security@debian.org
https://www.debian.org/security/ 
December 23, 2017 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-8824 CVE-2017-16995 CVE-2017-17448
CVE-2017-17449 CVE-2017-17450 CVE-2017-17558
CVE-2017-17712 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806
CVE-2017-17807 CVE-2017-1000407 CVE-2017-1000410

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2017-8824

Mohamed Ghannam discovered that the DCCP implementation did not
correctly manage resources when a socket is disconnected and
reconnected, potentially leading to a use-after-free. A local
user could use this for denial of service (crash or data
corruption) or possibly for privilege escalation. On systems that
do not already have the dccp module loaded, this can be mitigated
by disabling it:
echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

CVE-2017-16995

Jann Horn discovered that the Extended BPF verifier did not
correctly model the behaviour of 32-bit load instructions. A
local user can use this for privilege escalation.

CVE-2017-17448

Kevin Cernekee discovered that the netfilter subsystem allowed
users with the CAP_NET_ADMIN capability in any user namespace, not
just the root namespace, to enable and disable connection tracking
helpers. This could lead to denial of service, violation of
network security policy, or have other impact.

CVE-2017-17449

Kevin Cernekee discovered that the netlink subsystem allowed
users with the CAP_NET_ADMIN capability in any user namespace
to monitor netlink traffic in all net namespaces, not just
those owned by that user namespace. This could lead to
exposure of sensitive information.

CVE-2017-17450

Kevin Cernekee discovered that the xt_osf module allowed users
with the CAP_NET_ADMIN capability in any user namespace to modify
the global OS fingerprint list.

CVE-2017-17558

Andrey Konovalov reported that the USB core did not correctly
handle some error conditions during initialisation. A physically
present user with a specially designed USB device can use this to
cause a denial of service (crash or memory corruption), or
possibly for privilege escalation.

CVE-2017-17712

Mohamed Ghannam discovered a race condition in the IPv4 raw socket
implementation. A local user could use this to obtain sensitive
information from the kernel.

CVE-2017-17741

Dmitry Vyukov reported that the KVM implementation for x86 would
over-read data from memory when emulating an MMIO write if the
kvm_mmio tracepoint was enabled. A guest virtual machine might be
able to use this to cause a denial of service (crash).

CVE-2017-17805

It was discovered that some implementations of the Salsa20 block
cipher did not correctly handle zero-length input. A local user
could use this to cause a denial of service (crash) or possibly
have other security impact.

CVE-2017-17806

It was discovered that the HMAC implementation could be used with
an underlying hash algorithm that requires a key, which was not
intended. A local user could use this to cause a denial of
service (crash or memory corruption), or possibly for privilege
escalation.

CVE-2017-17807

Eric Biggers discovered that the KEYS subsystem lacked a check for
write permission when adding keys to a process's default keyring.
A local user could use this to cause a denial of service or to
obtain sensitive information.

CVE-2017-1000407

Andrew Honig reported that the KVM implementation for Intel
processors allowed direct access to host I/O port 0x80, which
is not generally safe. On some systems this allows a guest
VM to cause a denial of service (crash) of the host.

CVE-2017-1000410

Ben Seri reported that the Bluetooth subsystem did not correctly
handle short EFS information elements in L2CAP messages. An
attacker able to communicate over Bluetooth could use this to
obtain sensitive information from the kernel.

Debian disables unprivileged user namespaces by default, but if they
are enabled (via the kernel.unprivileged_userns_clone sysctl) then
CVE-2017-17448 can be exploited by any local user.
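The advisory text above names two host-side mitigations: blacklisting the dccp module before it is ever loaded, and leaving the kernel.unprivileged_userns_clone sysctl at 0. The following POSIX shell script is an added example, not part of the Debian advisory or of the Cumulus release notes; it checks both on a running switch, or, through the optional path arguments, against copied files. It assumes the Debian-specific unprivileged_userns_clone sysctl is present on the Cumulus kernel and that /etc/modprobe.d and /proc/modules are at their usual locations.

```shell
#!/bin/sh
# Added example (not from the Cumulus or Debian text): check the two
# host-side mitigations DSA-4073 mentions, the dccp modprobe blacklist and
# the kernel.unprivileged_userns_clone sysctl. Paths are parameters so the
# functions can also be run against copies of the files; the defaults are
# the real locations on a Debian-derived system such as Cumulus Linux 3.x
# (assumption: the sysctl exists on this kernel, as it does in Debian kernels).

# dccp_blocked [DIR]: succeed (0) if any *.conf in DIR carries an
# "install dccp false" or "install dccp /bin/false" line, which makes
# "modprobe dccp" run false instead of loading the module.
dccp_blocked() {
    dir=${1:-/etc/modprobe.d}
    grep -qsE '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+(/bin/)?false([[:space:]]|$)' "$dir"/*.conf
}

# userns_state [FILE]: print "disabled", "enabled" or "absent" for the
# kernel.unprivileged_userns_clone sysctl read from FILE (default: /proc/sys).
userns_state() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    if [ ! -r "$f" ]; then
        echo absent
        return 0
    fi
    case $(cat "$f") in
        0) echo disabled ;;
        *) echo enabled ;;
    esac
}

# dccp_loaded [MODULES_FILE]: succeed if dccp is listed in /proc/modules.
# The advisory's blacklist only helps when the module is not already loaded.
dccp_loaded() {
    grep -qsE '^dccp[[:space:]]' "${1:-/proc/modules}"
}

# report: human-readable summary for the live system.
report() {
    if dccp_loaded; then
        echo "dccp: already loaded (blacklisting will not unload it)"
    elif dccp_blocked; then
        echo "dccp: not loaded and blocked via modprobe.d"
    else
        echo "dccp: not loaded but still loadable; add the advisory's install line"
    fi
    echo "unprivileged user namespaces: $(userns_state)"
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it as sh check-dsa4073.sh --report on the switch; the functions return success or failure so they can also be used directly from other scripts or monitoring checks.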


RN-930 (CM-19367)
Adding MTU to bonded interfaces creates an incorrect interface

When adding the MTU to bonded interfaces, NCLU creates an incorrect interface in the /etc/network/interfaces file.

This issue is fixed in Cumulus Linux 3.6.0.


RN-931 (CM-19675)
Static route remains inactive following link flap

When a static route is removed from the zebra routing table because an interface is transitioning to down state, the static route remains inactive when the interface comes back up if an alternate route still exists.

This issue is fixed in Cumulus Linux 3.6.0.


RN-934 (CM-19605)
The kernel reports incorrect link state for 10G BASE-LR on Broadcom switches

On Broadcom switches, the link status for the 10G BASE-LR and 10G BASE-SR might incorrectly display as up after you disconnect the cable.

This issue is fixed in Cumulus Linux 3.6.0.

Known Issues in Cumulus Linux 3.6.0

The following issues are new to Cumulus Linux and affect the current release.

RN-382 (CM-6692)
FRR: Removing a bridge using ifupdown2 does not remove it from the configuration files

Removing a bridge using ifupdown2 does not remove it from the FRR configuration files. However, restarting FRR successfully removes the bridge.

This issue is being investigated at this time.


RN-389 (CM-8410)
switchd supports only port 4789 as the UDP port for VXLAN packets

switchd currently allows only the standard port 4789 as the UDP port for VXLAN packets. If a hypervisor uses a non-standard UDP port, VXLAN exchanges with the hardware VTEP do not work; packets are not terminated and encapsulated packets are sent out on UDP port 4789.

This issue is being investigated at this time.


RN-537 (CM-12967)
Pause frames sent by a Tomahawk switch are not honored by the upstream switch

When link pause or priority flow control (PFC) is enabled on a Broadcom Tomahawk-based switch and there is over-subscription on a link, where the ASIC sends pause frames aggressively, the upstream switch does not throttle enough.

If you need link pause or PFC functionality, use a switch that does not use the Tomahawk ASIC.


RN-602 (CM-15094)
sFlow interface speed incorrect in counter samples

Counter samples exported from the switch show an incorrect interface speed.

This issue is being investigated at this time.


RN-604 (CM-15959)
ARP suppression does not work well with VXLAN active-active mode

In some instances, ARP requests are not suppressed in a VXLAN active-active scenario but are instead flooded over the VXLAN tunnels. This happens because nothing synchronizes the snooped local neighbor entries between the MLAG pair: neither MLAG nor EVPN performs this sync.

This issue is being investigated at this time.


RN-640 (CM-16461)
Cumulus VX OVA image for VMware reboots due to critical readings from sensors

After booting a Cumulus VX virtual machine running the VMware OVA image, sometimes messages from sensors appear, indicating that the "Avg state" is critical, with all values displayed as 100.0. A cl-support is generated.

This issue is being investigated at this time.


RN-656 (CM-17617)
The switchd heartbeat fails on Tomahawk switches with VXLAN scale configuration (512 VXLAN interfaces)

When a Tomahawk switch has 512 VXLAN interfaces configured, the switchd heartbeat fails. This can cause switchd to dump core.

To work around this issue, disable VXLAN statistics in switchd. Edit /etc/cumulus/switchd.conf and comment out the following line:

cumulus@switch:~$ sudo nano /etc/cumulus/switchd.conf

...

#stats.vxlan.member = BRIEF

...

Then restart switchd for the change to take effect. This causes all network ports to reset in addition to resetting the switch hardware configuration.

cumulus@switch:~$ sudo systemctl restart switchd.service
 

RN-744 (CM-18986)
Unable to modify BGP ASN for a VRF associated with layer 3 VNI

After editing the frr.conf file to modify the BGP ASN for a VRF associated with a layer 3 VNI, the change is not applied.

To work around this issue, first delete the layer 3 VNI, then try to modify the BGP VRF instance.


RN-750 (CM-17457)
On Maverick switches, multicast traffic limited by lowest speed port in the group

The Maverick switch limits multicast traffic by the lowest speed port that has joined a particular group.

This issue is being investigated at this time.


RN-751 (CM-17157)
Pull source-node replication schema patch from upstream

The upstream OVSDB VTEP schema has been updated multiple times and now contains a patch to support source-node replication. This patch is not included with the latest version of Cumulus Linux.

Cumulus Networks is currently working to fix this issue.


RN-753 (CM-18170)
MLAG neighbor entries deleted on link down, but ARP table out of sync when bond comes back up and system MAC address changed

The MLAG neighbor entries are deleted when the link goes down; however, the ARP table is out of sync when the bond comes back up and the system MAC address has changed.

To work around this issue, ping the SVI address of the MLAG switch or issue an arping command to the host from the broken switch.


RN-754 (CM-15812)
Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs

Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs.

This issue is being investigated at this time.


RN-755 (CM-16855)
Auto-negotiation ON sometimes results in NO-CARRIER

If the two nodes on both sides of a link change from auto-negotiation off to auto-negotiation on during a short interval (around one second), the link might start flapping or stay down.

To work around this issue and stop the flapping, turn the link down on the switch with the command ifdown swpX, wait a few seconds, then bring the link back up with the command ifup swpX. Repeat this on the other side if necessary.


RN-757 (CM-18537)
On Mellanox switches, congestion drops not counted

On the Mellanox switch, packet drops due to congestion are not counted.

To work around this issue, run the command sudo ethtool -S swp1 to collect interface traffic statistics.


RN-758 (CM-17557)
If sFlow is enabled, some sampled packets (such as multicast) are forwarded twice

When sFlow is enabled, some sampled packets, such as IPMC, are forwarded twice (in the ASIC and then again through the kernel networking stack).

This issue is being investigated at this time.


RN-760 (CM-18682)
smonctl utility JSON parsing error

There is a parsing error with the smonctl utility. In some cases when JSON output is chosen, the smonctl utility crashes. The JSON output is necessary to make the information available through SNMP.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-762 (CM-15677)
SBUS error warnings on Tomahawk switches

SBUS error warnings display on Tomahawk switches.

This issue is being investigated at this time.


RN-763 (CM-16139)
OSPFv3 does not handle ECMP properly

IPv6 ECMP is not working as expected in OSPFv3.

This issue is being investigated at this time.


RN-764 (CM-17434)
On Broadcom switches, all IP multicast traffic uses only queue 0 

On Broadcom switches, IPv4 and IPv6 multicast traffic always maps into queue 0.

This issue is being investigated at this time.


RN-788 (CM-19381)
dhcrelay does not bind to interfaces that have names longer than 14 characters

The dhcrelay command does not bind to an interface if the interface's name is longer than 14 characters.

To work around this issue, change the interface name to be 14 or fewer characters if dhcrelay is required to bind to it.

This issue is currently being investigated.


RN-790 (CM-19014)
Configuring DHCP relay with VRR breaks ifreload

When you configure DHCP relay with VRR, the ifreload command does not work as expected; for example, the IP address might be removed from an SVI.

This issue is currently being investigated. 


RN-799 (CM-16493)
No way to configure IPv6 link-local addrgenmode using ifupdown2 or NCLU

You cannot use NCLU or ifupdown2 to enable or disable the EUI-64 format for the IPv6 link-local address (the kernel's addrgenmode setting).

To work around this limitation, use the following iproute2 command; the mode keyword is eui64 (no hyphen) or none:

cumulus@switch:~$ sudo ip link set dev swp# addrgenmode {eui64|none}

Note that this command does not persist across a reboot of the switch.

This issue is currently being investigated.
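Because the ip link setting above is lost on reboot, a practitioner needs two things: a way to read back the mode the kernel currently applies, and a way to re-apply it whenever the interface comes up. The following POSIX shell script is an added example, not code from the release notes or from Cumulus Networks. It assumes that iproute2 spells the modes eui64 and none, that "ip -d link show" prints the mode as an addrgenmode token in its detail line, and that ifupdown2 honours post-up hooks in /etc/network/interfaces; the interface name swp1 and the sample ip output in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the release notes): read back and persist the IPv6
# link-local addrgenmode that RN-799 says NCLU/ifupdown2 cannot set.
# Assumptions: iproute2 spells the modes "eui64" and "none" (no hyphen);
# ifupdown2 runs post-up hooks from /etc/network/interfaces, which is how
# the otherwise non-persistent "ip link set" call survives a reboot.

# addrgenmode_from_ip_output TEXT: extract the addrgenmode token from the
# output of "ip -d link show dev IFACE"; prints "unknown" if it is absent.
addrgenmode_from_ip_output() {
    mode=$(printf '%s\n' "$1" \
        | sed -n 's/.*[[:space:]]addrgenmode[[:space:]]\([a-z0-9_]*\).*/\1/p' \
        | head -n 1)
    printf '%s\n' "${mode:-unknown}"
}

# current_addrgenmode IFACE: query the live kernel (needs iproute2).
current_addrgenmode() {
    addrgenmode_from_ip_output "$(ip -d link show dev "$1" 2>/dev/null)"
}

# valid_mode MODE: accept only the two modes the release note talks about,
# so a typo such as "eui-64" is rejected before it reaches the config file.
valid_mode() {
    case $1 in
        eui64|none) return 0 ;;
        *) return 1 ;;
    esac
}

# interfaces_stanza IFACE MODE: print an /etc/network/interfaces stanza whose
# post-up hook re-applies the mode every time ifupdown2 brings IFACE up.
interfaces_stanza() {
    valid_mode "$2" || { echo "unsupported addrgenmode: $2" >&2; return 1; }
    printf 'auto %s\niface %s\n    post-up ip link set dev %s addrgenmode %s\n' \
        "$1" "$1" "$1" "$2"
}
```

Append the stanza produced by interfaces_stanza (or merge the post-up line into the interface's existing stanza), run ifreload -a, and confirm with current_addrgenmode that the kernel reports the mode you configured.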


RN-808 (CM-15902)
In EVPN, sticky MAC addresses move from one bridge port to another

In EVPN environments, sticky MAC addresses move from one bridge port to another on soft nodes.

This issue is currently being investigated.


RN-822 (CM-19788)
Using the same VLAN ID on a subinterface and bridge VIDs for a given port is not easily corrected

If you configure a VLAN under a VLAN-aware bridge and also create a subinterface for the same VLAN on one of the bridge ports, the bridge and the subinterface compete for that VLAN, and if the port is flapped it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict. To work around this issue, correct the bridge VIDs and restart switchd, or delete the subinterface.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-823 (CM-19724)
Multicast control protocols are classified to the bulk queue by default

PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-825 (CM-19633)
cl-netstat counters count twice for VXLAN traffic in TX direction

This is expected behavior that stems from the chipset itself. When the decision is made in the ASIC not to flood BUM (Broadcast, Unknown Unicast, and Multicast) traffic back out the same interface it came in on (known as a split-horizon correction), these hardware counters get incremented.

This behavior is not seen on a bridge filled with typical switch port interfaces. However, when VNIs are configured as bridge-ports, switch ports in that bridge are no longer treated as regular ports in this regard. These switch ports are susceptible to this behavior, and the hardware counters increment as split-horizon decisions occur.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-827 (CM-14300)
cl-acltool counters for implicit accept do not work for IPv4 on management (ethX) interfaces

iptables does not count packets against the default INPUT chain rule (the implicit accept) for packets ingressing the management ethX interfaces.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-860 (CM-20695)
Tab completion with the 'net add vxlan' command produces a traceback in the log

When using tab completion with the net add vxlan command, the following traceback appears in the log:

ERROR: 'name' 
Traceback (most recent call last): 
File "/usr/lib/python2.7/dist-packages/nclu/__init__.py", line 789, in get_lldp 
lldp[value['name']] = value['chassis'][0]['name'][0]['value'] 
KeyError: 'name'

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-875 (CM-20779)
On Mellanox switches, withdrawal of one ECMP next-hop results in the neighbor entry for that next hop missing from hardware

On a Mellanox switch, when you withdraw one ECMP next hop, the neighbor entry for that next hop is missing from the hardware.

To work around this issue, manually delete the ARP entry from kernel with the arp -d command to repopulate it in the hardware.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-876 (CM-20776)
EVPN symmetric IRB with numbered neighbors omits the NEXTHOP attribute when advertising to an external router

With EVPN symmetric routing (including type-5 routes) you can only advertise host routes or prefix routes learned through EVPN to a VRF peer if EVPN peering uses BGP unnumbered. If the BGP peering is numbered, the NEXTHOP of MP_REACH attribute is not included, which causes the neighbor to reply with a BGP notification.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-877 (CM-20745, CM-20678)
NCLU 'net show interface' commands report wrong mode in output for trunk ports

The net show interface command output displays the mode as Access/L2 instead of Trunk/L2, or vice versa (Trunk/L2 mode is displayed instead of Access/L2).

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-878 (CM-20741)
NCLU 'net pending' command does not show 'net add vxlan vni bridge access '

When you issue the net pending command, the resulting output is missing the VXLAN VNI and bridge access additions.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-879 (CM-20724)
NCLU treats interface names with a hyphen as a range

If you create an interface name that includes a hyphen (-), Cumulus Linux treats the interface as a range of interfaces.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-881 (CM-20665)
On Tomahawk+ switches, 100G DAC cables don’t link up on 3 out of the 6 ports when auto-negotiation is on

100G Copper Direct Attach Cables (DAC) might not link up on ports 49, 51, and 52 when auto-negotiation is set to on.

To work around this issue, disable auto-negotiation on both sides of the cables plugged into these ports or move the 100G DACs to ports 50, 53, or 54.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-882 (CM-20648)
When using VRF route leaking on a Mellanox switch, forwarded packets are copied to the CPU several times

When using VRF Route leaking on Mellanox switches in a VLAN-unaware bridge configuration, the packets for a locally attached leaked host are software forwarded.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-883 (CM-20644)
If the PTP services are running when switchd is restarted, the PTP services need to be restarted

When using PTP and switchd.service is restarted, the PTP services need to be restarted after switchd.service with the following commands:

systemctl reset-failed ptp4l.service phc2sys.service
systemctl restart ptp4l.service phc2sys.service

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-884 (CM-20534)
Dynamic leaking of routes between VRFs occurs through the default BGP instance

The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs.

This issue is currently being investigated.


RN-885 (CM-20530)
NCLU 'net show interface' command shows 'NotConfigured' for unnumbered interfaces

When an interface is configured for OSPF/BGP unnumbered, the net show interface command shows NotConfigured instead of showing that it is unnumbered.

This issue is currently being investigated.


RN-886 (CM-20508)
On Mellanox and Broadcom switches, the Cumulus-Resource-Query-MIB defines buffer utilization objects but returns nothing

The Cumulus-Resource-Query-MIB defines the ability to gather buffer utilization status but when these objects are polled, they return nothing.

This issue is currently being investigated.


RN-887 (CM-20474)
VXLAN Encapsulation drops ARP QinQ tunneled packets

When an ARP request or response (or IPv6 NS/NA) packet with double VLAN tags (such as 802.1Q over 802.1Q) is sent into a VXLAN overlay, the outer VLAN tag is stripped during VXLAN encapsulation. If the receiving VTEP is a Broadcom Trident II+ platform, the decapsulated packet is incorrectly directed to the control plane. As the packet traverses the Linux kernel VXLAN interface into the VLAN-aware bridge device, the now-exposed inner VLAN tag is incorrectly checked against the bridge's VLAN filter for the outer VLAN set, and the packet is discarded.

To work around this issue, disable VXLAN routing on the Trident II + switch by editing the /usr/lib/python2.7/dist-packages/cumulus/__chip_config/bcm/datapath.conf file, then restart switchd.

vxlan_routing_overlay.profile = disable
sudo systemctl restart switchd.service

This issue is currently being investigated.


RN-888 (CM-20468, CM-20357)
Routes in a VRF learned through iBGP or multi-hop eBGP get leaked even if their next hops are unresolved

Routes in a VRF learned through iBGP or multi-hop eBGP are marked as installed even when they are not installed in the source VRF.

This issue is currently being investigated.


RN-889 (CM-20415)
NCLU 'net add routing import-table' command results in an FRR service crash

The FRR service crashes when you run the net add routing import-table command. To work around this issue, do not use the NCLU command.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-891 (CM-20684)
On Mellanox switches, attempts to configure a VRF with a nexthop from another VRF results in an sx_sdk daemon crash and loss of forwarding functionality

VRF Route Leaking is not supported on Mellanox platforms in 3.6.0. Attempts to configure a VRF with a nexthop from another VRF can result in an sx_sdk daemon crash and loss of forwarding functionality. Do not configure VRF import to leak routes between VRFs.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-892 (CM-20370)
In VXLAN active-active mode, the IPv6 default gateway LLA is not reachable through ICMP

In a VXLAN active-active mode configuration, a ping from a host within the VXLAN fabric towards the gateway (LLA) fails.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-893 (CM-20363)
IPv6 RA should include all on-link prefixes as prefix information

IPv6 RAs from a router can be used for host auto-configuration. The main items that can be auto-configured are the on-link prefixes (which the host uses to derive its own addresses) and the default router; other information can also be indicated. FRR supports advertising some of these parameters but does not automatically include all of the interface's on-link prefixes in the RA. To work around this issue, configure the prefixes explicitly for announcement through RA with the ipv6 nd prefix command.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-894 (CM-20177)
Inter-subnet routing intermittently stops working in a central VXLAN routing configuration

In a VXLAN centralized routing configuration, IPv6 hosts (auto-configured using SLAAC) might experience intermittent connectivity loss between VXLAN segments (inter-subnet routing) within the data center fabric (EVPN type-5 external routes are not affected). The NA message has the wrong flag set (the router flag is not set, which is incorrect behavior based on RFC 4861, Section 4.4).

To work around this issue, configure bridge-arp-nd-suppress off under VNI interfaces for all VTEP devices.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-895 (CM-20160)
I2C bus hangs after setting speed to 40G on 100G/40G DAC on a Maverick 4148T switch

On Maverick 4148T switches, the I2C bus can hang, causing the fans and temperature sensors to be unreadable and the log file to fill with the error message:

ismt_smbus 0000:00:13.0 completion wait timed out

To work around this issue, reboot the switch.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-896 (CM-20139)
On Mellanox switches, egress ACL (destination port matching) on bonds is not allowed

An ACL rule that matches on an outbound bond interface fails to install. For example, a rule like this fails.

[iptables]
-A FORWARD --out-interface  -j DROP

To work around this issue, duplicate the ACL rule on each physical port of the bond. For example:

[iptables]
-A FORWARD --out-interface  -j DROP
-A FORWARD --out-interface  -j DROP
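Duplicating the rule by hand is error-prone on bonds with several members, and the ACL file must be regenerated whenever membership changes. The following POSIX shell script is an added example, not code from the release notes or from Cumulus Networks; it expands a single bond egress rule into one rule per member port, reading the members from the kernel's bonding sysfs file /sys/class/net/BOND/bonding/slaves unless an explicit list is given. The interface names bond0, swp1 and swp2 used in the test are hypothetical.

```shell
#!/bin/sh
# Added example (not from the release notes): expand an egress ACL rule on a
# bond into one rule per member port, the workaround RN-896 describes.
# Member names come from the kernel's bonding sysfs file when no explicit
# list is given. Interface names used in comments (bond0, swp1, swp2) are
# hypothetical.

# bond_members BOND [MEMBER...]: print the member ports, one per line.
# With no explicit members, read /sys/class/net/BOND/bonding/slaves, which
# the bonding driver keeps as a space-separated list.
bond_members() {
    bond=$1; shift
    if [ $# -gt 0 ]; then
        printf '%s\n' "$@"
    elif [ -r "/sys/class/net/$bond/bonding/slaves" ]; then
        tr ' ' '\n' < "/sys/class/net/$bond/bonding/slaves" | sed '/^$/d'
    else
        echo "no members known for $bond" >&2
        return 1
    fi
}

# bond_egress_rules BOND TARGET [MEMBER...]: emit an [iptables] section for
# cl-acltool with one FORWARD rule per member instead of one on the bond,
# e.g. bond_egress_rules bond0 DROP swp1 swp2.
bond_egress_rules() {
    bond=$1; target=$2; shift 2
    members=$(bond_members "$bond" "$@") || return 1
    echo '[iptables]'
    for m in $members; do
        printf '%s\n' "-A FORWARD --out-interface $m -j $target"
    done
}
```

Write the output to a file under /etc/cumulus/acl/policy.d/ and install it with cl-acltool -i as usual; re-run the script after adding or removing a bond member so the per-port rules stay in step with the bond.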

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-897 (CM-20086)
 

NCLU reports an error when attempting to configure FRR when the configured hostname begins with a digit:

unknown: buffer_flush_available: write error on fd -1: Bad file descriptor

To work around this issue, change the hostname of the switch to begin with an alphabetic character; not a digit.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-898 (CM-20034)
Fiberstore SFP1G-LX-31 optic causes i2c bus to hang and switch to reboot

Using the Fiberstore SFP1G-LX-31 SFP module can cause the system to reboot.

This issue is currently being investigated.


RN-899 (CM-20028)
On the Dell-S4148 switch, you can't configure ports on the second pipeline into a gang

On the Dell S4148 switch, when you try to configure any of the ports on the second pipeline (ports 31-54) into a gang (40G/4) through the ports.conf file, switchd fails.

This issue is currently being investigated.


RN-900 (CM-20026)
OSPF default-information originate stops working if removed and added in quick succession

When OSPF is originating a default route, and the command is removed from the process, then re-added, the router stops advertising the default route. Configuring the default-information originate command a second time causes it to start working.

This issue is currently being investigated.


RN-901 (CM-19936)
'rdnbrd' should not be enabled with EVPN

If you start rdnbrd in an EVPN configuration, local and remote neighbor entries are deleted. Enabling rdnbrd in an EVPN configuration is not supported.


RN-902 (CM-19699)
BGP scaling not hashing southbound traffic from Infra switches

When routing traffic from Infra switches back through VXLAN, the switches choose one spine through which to send all flows.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-903 (CM-19643)
Disabling 'bgp bestpath as-path multipath relax' still leaves multipath across AS for EVPN

When BGP multipath is enabled, EVPN prefix (type-5) routes imported into a VRF always form multipath across paths that originate even from a different neighbor AS. This happens even if the as-path-relax configuration is disabled or not applied.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-904 (CM-20800)
NCLU 'net add' and 'net del' commands missing for EVPN type-5 default originate

The NCLU net add and net del commands are missing for the default originate EVPN type-5 route feature.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-907 (CM-20829)
'netd' fails on a reboot after upgrade to 3.6.0 with the error ImportError: No module named time

When you use the apt-get upgrade command to upgrade to Cumulus Linux 3.6.0 and you select to keep the currently-installed version of netd.conf (by typing N at the prompt), netd fails to start after reboot and you see errors in the logs when you try to restart it.

This issue is being investigated at this time.


RN-908 (CM-20789)
In symmetric VXLAN/EVPN, FRR crashes when flapping the peer link

In a symmetric VXLAN/EVPN environment, flapping the peer link causes FRR to crash on the peer switch. The issue is not seen if the clagd-vxlan-anycast-ip is not configured.

This issue is being investigated at this time.


RN-932 (CM-20869)
Bridge loop causes BGP EVPN to install remote MAC as a local MAC and does not recover automatically

A bridge loop causes frames that arrive through EVPN to be forwarded back to the EVPN bridge. After resolving the forwarding loop, the bridge FDB table recovers, but BGP does not recover automatically. Because the MAC appears to move rapidly, BGP installs the remote MAC as a local entry and advertises it out. Even though the bridge FDB table appears to be correct, bridged traffic destined to the misprogrammed MAC fails.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-933 (CM-20781)
NCLU 'net add bgp neighbor' command with swp1, swp2, or swp1-2 causes TB NameError

Issuing the net add bgp neighbor command with swp1, swp2 or swp1-2 causes the following error:

TB NameError: global name 'ifname_expand_glob' is not defined.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-972 (CM-21003)
Cumulus Linux does not forward PTP traffic by default

Cumulus Linux 3.6.0 or later does not forward transit precision time protocol (PTP) packets as PTP is not enabled by default in Cumulus Linux.

To work around this issue, do one of the following:

  • Downgrade the switch to Cumulus Linux 3.5.3.
  • Enable PTP on the Cumulus Linux switch. Edit /etc/cumulus/switchd.conf and set ptp.timestamping to TRUE.

This issue should be fixed in an upcoming release of Cumulus Linux.

 
