Cumulus RMP 3.6 Release Notes


Overview

These release notes support Cumulus RMP 3.6.0 and describe currently available features and known issues.

Cumulus RMP 3.6.0 supports these features and is available on the Penguin Computing Arctica 4804IP-RMP, and the Quanta QuantaMesh T1048-LY4R and CX RMP-T out-of-band switches.

Stay up to Date

  • Subscribe to our product bulletin mailing list to receive important announcements and updates about issues that arise in our products.
  • Subscribe to our security announcement mailing list to receive alerts whenever we update our software for security issues.


What's New in Cumulus RMP 3.6

Cumulus RMP 3.6 contains several bug fixes and the following new feature:

  • Support for combination of local-as and allowas-in command

Installing Version 3.6

If you are upgrading from version 3.0.0 or later, use apt-get to update the software.

Cumulus Networks recommends you use the -E option with sudo whenever you run any apt-get command. This option preserves your environment variables — such as HTTP proxies — before you install new packages or upgrade your distribution.

  1. Run sudo -E apt-get update.
  2. Run sudo -E apt-get upgrade.
  3. Reboot the switch.

Note: In Cumulus Linux 3.6.0, the upgrade process has changed. During an upgrade to 3.6.0 from 3.5 or earlier, certain services might be stopped. These services are not restarted until after the switch reboots, which results in some functionality being lost during the upgrade process.

During the upgrade process, you will see messages similar to the following:

/usr/sbin/policy-rc.d returned 101, not running 'stop switchd.service'
/usr/sbin/policy-rc.d returned 101, not running 'start switchd.service'

At the end of the upgrade, if a reboot is required, you see the following message:

*** Caution: Service restart prior to reboot could cause unpredictable behavior
*** System reboot required ***

Do not restart services manually until after rebooting, or services will fail.

For upgrades post 3.6.0, if no reboot is required after the upgrade completes, the upgrade will stop and restart all upgraded services and will log messages in the /var/log/syslog file similar to the ones shown below. (In the examples below, only the frr package was upgraded.)

Policy: Service frr.service action stop postponed
Policy: Service frr.service action start postponed
Policy: Restarting services: frr.service
Policy: Finished restarting services
Policy: Removed /usr/sbin/policy-rc.d
Policy: Upgrade is finished

For additional information about upgrading, see Upgrading Cumulus Linux in the Cumulus Linux User Guide.

New Install or Upgrading from Versions Older than 3.0.0

If you are upgrading from a version older than 3.0.0, or installing Cumulus RMP for the first time, download the Cumulus RMP 3.6.0 installer for Broadcom switches from the Cumulus Networks website, then use ONIE to perform a complete install, following the instructions in the user guide.

Note: This method is destructive; any configuration files on the switch will not be saved, so please copy them to a different server before upgrading via ONIE.

Important! After you install, run apt-get update, then apt-get upgrade on your switch to make sure you update Cumulus RMP to include any important or other package updates.

Documentation

You can read the technical documentation here.

Issues Fixed in Cumulus RMP 3.6.0

The following is a list of issues fixed in Cumulus RMP 3.6.0 from earlier versions of Cumulus RMP.

Each entry lists the release note ID, a summary, and a description.

RN-704 (CM-18886, CM-20027)
ifreload causes MTU to drop on bridge SVIs 

When you run the ifreload command on a bridge SVI with an MTU higher than 1500, the MTU resets to 1500 after the initial ifreload -a, then resets to its original value when running ifreload -a for a second time.

This issue is fixed in Cumulus Linux 3.6.0.


RN-785 (CM-19422)
NCLU 'net show interface detail' command does not display detailed output

The net show interface swp# command returns the same output as net show interface swp# detail.

To view the additional information typically presented, use alternative commands. For example, to view the module information and statistics, use ethtool swp# and ethtool -S swp#.

This issue is fixed in Cumulus Linux 3.6.0.


RN-787 (CM-19418)
NCLU 'net add hostname' creates an inconsistency between /etc/hostname and /etc/hosts files

Running the net add hostname <hostname> command updates both the /etc/hostname file and the /etc/hosts file. However, NCLU modifies the hostname value passed to the /etc/hostname file, removing certain characters and converting the hostname to lowercase, whereas the hostname passed to the /etc/hosts file is passed through as is, creating an inconsistency between the two files.

To work around this issue, manually set the hostname in both the /etc/hostname file and the /etc/hosts file using a text editor such as vi or nano.

This issue is fixed in Cumulus Linux 3.6.0.


RN-806 (CM-19241)
FRR removes all static routes when the service is stopped, including those created by ifupdown2

Whenever FRR is restarted, it deletes all routes in the kernel with a protocol type of BGP, ISIS, OSPF, and static. When you upgrade FRR and the service is stopped, the static routes defined in the /etc/network/interfaces file and installed using ifupdown2 are also removed.

To work around this issue, configure static routes in the /etc/network/interfaces file as follows:

post-up ip route add <prefix> via <gateway> proto kernel

For example:

auto swp2
iface swp2
  post-up ip route add 0.0.0.0/0 via 192.0.2.249 proto kernel

This issue is fixed in Cumulus Linux 3.6.0.


RN-807 (CM-17159)
NCLU 'net show interface <bond>' command shows interface counters that are not populated

The output of the NCLU net show interface <bond> command shows misleading and incorrect interface counters.

This issue is fixed in Cumulus Linux 3.6.0.


RN-809 (CM-19120)
The 'netshow lldp' command displays an error

When running the netshow lldp command, the output displays the following error:

cumulus@switch:~# netshow lldp
ERROR: The lldpd service is running, but '/usr/sbin/lldpctl -f xml' failed.

However, the NCLU net show lldp command works correctly.

This issue is fixed in Cumulus Linux 3.6.0.


RN-815 (CM-19630)
Bridge MAC address clashing when eth0 is part of the same broadcast domain

Cumulus Linux uses the eth0 MAC address as the MAC address for bridges. If eth0 is part of the same broadcast domain, you experience outages when upgrading.

To work around this issue, manually change the bridge MAC address in the /etc/network/interfaces file.

This issue is fixed in Cumulus Linux 3.6.0.


RN-821 (CM-19898)
The 'net show interface' command output missing information

The net show interface command output is missing LACP, CLAG, VLAN, LLDP, and physical link failure information.

This issue is fixed in Cumulus Linux 3.6.0.


RN-828 (CM-19748)
Security: Debian Security Advisory DSA-4110-1 for exim4 issue CVE-2018-6789

The following CVE was announced in Debian Security Advisory DSA-4110-1, and affects the exim4 package. While this package is no longer in the Cumulus Linux installation image, it is still in the repo3 repository. Cumulus Linux is built on Debian Jessie.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4110-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 10, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : exim4
CVE ID : CVE-2018-6789
Debian Bug : 890000
Meh Chang discovered a buffer overflow flaw in a utility function used in the SMTP listener of Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code via a specially crafted message.
For the oldstable distribution (jessie), this problem has been fixed in version 4.84.2-2+deb8u5.
For the stable distribution (stretch), this problem has been fixed in version 4.89-2+deb9u3.


RN-829 (CM-19660)
Security: Debian Security Advisory DSA-4052-1 for Bazaar issue CVE-2017-14176

The following CVE was announced in Debian Security Advisory DSA-4052-1, and affects the Bazaar version control system.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4052-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 29, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : bzr
CVE ID : CVE-2017-14176
Debian Bug : 874429

Adam Collard discovered that Bazaar, an easy to use distributed version control system, did not correctly handle maliciously constructed bzr+ssh URLs, allowing a remote attacker to run an arbitrary shell command.

For the oldstable distribution (jessie), this problem has been fixed in version 2.6.0+bzr6595-6+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 2.7.0+bzr6619-7+deb9u1.


RN-830 (CM-19595)
Security: Debian Security Advisory DSA-4098-1 for curl issues CVE-2018-1000005 CVE-2018-1000007

The following CVEs were announced in Debian Security Advisory DSA-4098-1, and affect the curl package.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4098-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
January 26, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : curl
CVE ID : CVE-2018-1000005 CVE-2018-1000007
Two vulnerabilities were discovered in cURL, a URL transfer library.

CVE-2018-1000005
Zhouyihai Ding discovered an out-of-bounds read in the code handling HTTP/2 trailers. This issue doesn't affect the oldstable distribution (jessie).

CVE-2018-1000007
Craig de Stigter discovered that authentication data might be leaked to third parties when following HTTP redirects.

For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u9.


RN-831 (CM-19507)
Security: Debian Security Advisory DSA-4091-1 for mysql issues CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668

The following CVEs were announced in Debian Security Advisory DSA-4091-1, and affect all mysql packages, including mysql-* and libmysql-*.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4091-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 18, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : mysql-5.5
CVE ID : CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.59, which includes additional changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-59.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

For the oldstable distribution (jessie), these problems have been fixed in version 5.5.59-0+deb8u1.


RN-832 (CM-19458)
Security: Debian Security Advisory DSA-4089-1 for bind9 issue CVE-2017-3145

The following CVE was announced in Debian Security Advisory DSA-4089-1, and affects the bind9 package.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4089-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 16, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : bind9

CVE ID : CVE-2017-3145
Jayachandran Palanisamy of Cygate AB reported that BIND, a DNS server implementation, was improperly sequencing cleanup operations, leading in some cases to a use-after-free error, triggering an assertion failure and crash in named.

For the oldstable distribution (jessie), this problem has been fixed in version 1:9.9.5.dfsg-9+deb8u15.

For the stable distribution (stretch), this problem has been fixed in version 1:9.10.3.dfsg.P4-12.3+deb9u4.

We recommend that you upgrade your bind9 packages.


RN-833 (CM-19446)
Security: Debian Security Advisory DSA-4086 for libxml2 issue CVE-2017-15412

The following CVE was announced in Debian Security Advisory DSA-4086-1, and affects the libxml2 package.

This issue is fixed in Cumulus Linux 3.6.0.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4086-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 13, 2018 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : libxml2
CVE ID : CVE-2017-15412
Debian Bug : 883790

Nick Wellnhofer discovered that certain function calls inside XPath
predicates can lead to use-after-free and double-free errors when
executed by libxml2's XPath engine via an XSLT transformation.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.9.1+dfsg1-5+deb8u6.


RN-834 (CM-19385)
Security: Debian Security Advisory DSA-4082 for kernel issues CVE-2017-8824 CVE-2017-15868 CVE-2017-16538 CVE-2017-16939 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558 CVE-2017-17741 CVE-2017-17805 and more

The following CVEs were announced in Debian Security Advisory DSA-4082-1, and affect the Linux kernel.

This issue is fixed in Cumulus Linux 3.6.0.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4082-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 09, 2018 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-8824 CVE-2017-15868 CVE-2017-16538
CVE-2017-16939 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450
CVE-2017-17558 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806
CVE-2017-17807 CVE-2017-1000407 CVE-2017-1000410

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-8824

Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it:

echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

CVE-2017-15868

Al Viro found that the Bluetooth Network Encapsulation Protocol (BNEP) implementation did not validate the type of the second socket passed to the BNEPCONNADD ioctl(), which could lead to memory corruption. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation.

CVE-2017-16538

Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash).

CVE-2017-16939

Mohamed Ghannam reported (through Beyond Security's SecuriTeam Secure Disclosure program) that the IPsec (xfrm) implementation did not correctly handle some failure cases when dumping policy information through netlink. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation.

CVE-2017-17448

Kevin Cernekee discovered that the netfilter subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace, not just the root namespace, to enable and disable connection tracking helpers. This could lead to denial of service, violation of network security policy, or have other impact.

CVE-2017-17449

Kevin Cernekee discovered that the netlink subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace to monitor netlink traffic in all net namespaces, not just those owned by that user namespace. This could lead to exposure of sensitive information.

CVE-2017-17450

Kevin Cernekee discovered that the xt_osf module allowed users with the CAP_NET_ADMIN capability in any user namespace to modify the global OS fingerprint list.

CVE-2017-17558

Andrey Konovalov reported that the USB core did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation.

CVE-2017-17741

Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash).

CVE-2017-17805

Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash).

CVE-2017-17806

It was discovered that the HMAC implementation could be used with an underlying hash algorithm that requires a key, which was not intended. A local user could use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation.

CVE-2017-17807

Eric Biggers discovered that the KEYS subsystem lacked a check for write permission when adding keys to a process's default keyring. A local user could use this to cause a denial of service or to obtain sensitive information.

CVE-2017-1000407

Andrew Honig reported that the KVM implementation for Intel processors allowed direct access to host I/O port 0x80, which is not generally safe. On some systems this allows a guest VM to cause a denial of service (crash) of the host.

CVE-2017-1000410

Ben Seri reported that the Bluetooth subsystem did not correctly handle short EFS information elements in L2CAP messages. An attacker able to communicate over Bluetooth could use this to obtain sensitive information from the kernel.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.51-3+deb8u1.


RN-836 (CM-19353)
NCLU 'net del' and 'net add bridge' commands do not work in the same 'net commit'

If a bridge is previously configured and you run the net del all and the net add bridge commands in the same net commit, all bridge and VLAN commands fail and no bridge or VLAN configuration is added to the switch.

This issue is fixed in Cumulus Linux 3.6.0.


RN-861 (CM-20694)
NCLU 'net show lldp' command traceback on 'descr'

When you run the net show lldp command, the netd process crashes and does not recover. This occurs because the LLDP peer does not send the description field in the TLV (which is optional), so NCLU cannot parse the information.

To work around the issue, make sure that the LLDP peer device is configured to send the LLDP description in the TLV.

This issue is fixed in Cumulus Linux 3.6.0.


RN-862 (CM-20416)
The error message 'snmpd[xxx]: truncating integer value > 32 bits' repeating in syslog

When the switch or snmpd is running for more than 497 days, the following error message repeats in syslog:

snmpd[xxxx]: truncating integer value > 32 bits

This issue is resolved by limiting the number of log messages to 10 occurrences.


RN-864 (CM-20272)
Security: Debian Security Advisory DSA-4154-1 for net-snmp issues CVE-2015-5621 CVE-2018-1000116

The following CVEs were announced in Debian Security Advisory DSA-4154-1, and affect the net-snmp package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4154-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 28, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : net-snmp
CVE ID : CVE-2015-5621 CVE-2018-1000116
Debian Bug : 788964 894110

A heap corruption vulnerability was discovered in net-snmp, a suite of
Simple Network Management Protocol applications, triggered when parsing
the PDU prior to the authentication process. A remote, unauthenticated
attacker can take advantage of this flaw to crash the snmpd process
(causing a denial of service) or, potentially, execute arbitrary code
with the privileges of the user running snmpd.

For the oldstable distribution (jessie), these problems have been fixed
in version 5.7.2.1+dfsg-1+deb8u1.

For the stable distribution (stretch), these problems have been fixed
before the initial release.

We recommend that you upgrade your net-snmp packages.

For the detailed security status of net-snmp please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/net-snmp

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


RN-868 (CM-20069)
Link-down does not work on SVIs configured in a VRF

The link-down yes configuration in the /etc/network/interfaces file has no effect on shutting down SVI interfaces configured in a VRF. SVIs configured without a VRF are not affected.

This issue is fixed in Cumulus Linux 3.6.0.


RN-869 (CM-20002)
Kernel route uses the bridge VRR interface instead of the bridge interface

In the kernel routing table, the bridge VRR interface is used instead of the bridge interface. This causes ARP packets to be sourced from the VRR interface instead of the physical interface.

This issue is fixed in Cumulus Linux 3.6.0.


RN-871 (CM-19906)
Security: Debian Security Advisory DSA-4120-1 for Linux kernel issue CVE-2018-5750

The following CVE was announced in Debian Security Advisory DSA-4120-1, and affects the Linux kernel.

The issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4120-1 security@debian.org
https://www.debian.org/security/
January 19, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : linux
CVE ID : CVE-2018-5750 

It was found that the acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.

See https://patchwork.kernel.org/patch/10174835/ for further details.


RN-874 (CM-16293)
NCLU 'net show interface' output should be fewer than 80 characters

The output of the net show interface command can be more than 130 characters wide without line wrapping, which is difficult to read on an 80-character-wide terminal.

This issue is fixed in Cumulus Linux 3.6.0. The net show interface output now fits within 80 characters on 80-character-wide terminals.


RN-906 (CM-19405)
Status LED color does not match ledmgrd reported status

On RMP, the color of the status LED reported by ledmgrd does not match the actual color of the LED on the front of the switch.

This issue is fixed in Cumulus Linux 3.6.0.


RN-912 (CM-19801)
QinQ not working without a restart in traditional mode bridge

When changing the inner and outer VLANs of a double-tagged bridge interface using ifreload, the port's VLAN translation key is not updated correctly, causing an incorrect VLAN translation.

This issue is fixed in Cumulus Linux 3.6.0.


RN-913 (CM-19728)
NCLU 'ip forward' command has incorrect syntax and does not show in configuration

When you disable IP forwarding on an interface with the NCLU ip forward off command and commit the change, the command shows as unsupported when you run net show configuration commands.

This issue is fixed in Cumulus Linux 3.6.0.


RN-915 (CM-19689)
The default syslog level for DHCP Relay results in too many messages

The default syslog severity level for DHCP Relay is 6, which causes too many syslog messages.

This issue is fixed in Cumulus Linux 3.6.0.


RN-916 (CM-19666)
netd crashes when you add unicode characters in SNMP commands

Unicode characters in SNMP commands cause netd to crash.

This issue is fixed in Cumulus Linux 3.6.0.


RN-919 (CM-19452)
NCLU 'net show lldp' command causes netd to crash

The netd process crashes when you run the net show lldp command and does not recover.

This issue is fixed in Cumulus Linux 3.6.0.


RN-922 (CM-20237)
Security: Debian Security Advisory DSA-4151-1 for librelp issue CVE-2018-1000140

The following CVE was announced in Debian Security Advisory DSA-4151-1, and affects the librelp package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4151-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 26, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : librelp
CVE ID : CVE-2018-1000140

Bas van Schaik and Kevin Backhouse discovered a stack-based buffer
overflow vulnerability in librelp, a library providing reliable event
logging over the network, triggered while checking x509 certificates
from a peer. A remote attacker able to connect to rsyslog can take
advantage of this flaw for remote code execution by sending a specially
crafted x509 certificate.

Details can be found in the upstream advisory:
http://www.rsyslog.com/cve-2018-1000140/

For the oldstable distribution (jessie), this problem has been fixed
in version 1.2.7-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.12-1+deb9u1.

We recommend that you upgrade your librelp packages.

For the detailed security status of librelp, please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/librelp


RN-923 (CM-20093)
Security: Debian Security Advisory DSA-4140-1 for libvorbis issue CVE-2018-5146

The following CVE was announced in Debian Security Advisory DSA-4140-1, and affects the libvorbis package.

This issue is fixed in Cumulus Linux 3.6.0.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4140-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 16, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : libvorbis
CVE ID : CVE-2018-5146
Debian Bug : 893130

Richard Zhu discovered that an out-of-bounds memory write in the
codebook parsing code of the Libvorbis multimedia library could result
in the execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.3.4-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.3.5-4+deb9u2.


RN-924 (CM-20066)
Security: Debian Security Advisory DSA-4136-1 for curl issues CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 

The following CVEs were announced in Debian Security Advisory DSA-4136-1, and affect the curl package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4136-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
March 14, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122

Multiple vulnerabilities were discovered in cURL, a URL transfer library.

CVE-2018-1000120

Duy Phan Thanh discovered that curl could be fooled into writing a
zero byte out of bounds when curl is told to work on an FTP URL with
the setting to only issue a single CWD command, if the directory part
of the URL contains a "%00" sequence.

CVE-2018-1000121
Dario Weisser discovered that curl might dereference a near-NULL
address when getting an LDAP URL due to the ldap_get_attribute_ber()
function returning LDAP_SUCCESS and a NULL pointer. A malicious server
might cause libcurl-using applications that allow LDAP URLs, or that
allow redirects to LDAP URLs, to crash.

CVE-2018-1000122

OSS-fuzz, assisted by Max Dymond, discovered that curl could be
tricked into copying data beyond the end of its heap based buffer
when asked to transfer an RTSP URL.

For the oldstable distribution (jessie), these problems have been fixed
in version 7.38.0-4+deb8u10.

For the stable distribution (stretch), these problems have been fixed in
version 7.52.1-5+deb9u5.

We recommend that you upgrade your curl packages.

For the detailed security status of curl, please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl


RN-925 (CM-20030)
Security: Debian Security Advisory DSA-4100-1 for tiff (libtiff) issues CVE-2017-9935 CVE-2017-11335 CVE-2017-12944 CVE-2017-13726 CVE-2017-13727 CVE-2017-18013 

The following CVEs were announced in Debian Security Advisory DSA-4100-1, and affect the tiff package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4100-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 27, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : tiff
CVE ID : CVE-2017-9935 CVE-2017-11335 CVE-2017-12944 CVE-2017-13726
CVE-2017-13727 CVE-2017-18013

Multiple vulnerabilities have been discovered in the libtiff library and
the included tools, which may result in denial of service or the
execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 4.0.3-12.3+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 4.0.8-2+deb9u2.
We recommend that you upgrade your tiff packages.

For the detailed security status of tiff, please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tiff


RN-926 (CM-19996)
Security: Debian Security Advisory DSA-4133-1 for isc-dhcp issues CVE-2017-3144 CVE-2018-5732 CVE-2018-5733

The following CVEs were announced in Debian Security Advisory DSA-4133-1, and affect the isc-dhcp package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4133-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 07, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : isc-dhcp
CVE ID : CVE-2017-3144 CVE-2018-5732 CVE-2018-5733
Debian Bug : 887413 891785 891786

Several vulnerabilities have been discovered in the ISC DHCP client,
relay and server. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2017-3144

It was discovered that the DHCP server does not properly clean up
closed OMAPI connections, which can lead to exhaustion of the pool
of socket descriptors available to the DHCP server, resulting in
denial of service.

CVE-2018-5732

Felix Wilhelm of the Google Security Team discovered that the DHCP
client is prone to an out-of-bound memory access vulnerability when
processing specially constructed DHCP options responses, resulting
in potential execution of arbitrary code by a malicious DHCP server.

CVE-2018-5733

Felix Wilhelm of the Google Security Team discovered that the DHCP
server does not properly handle reference counting when processing
client requests. A malicious client can take advantage of this flaw
to cause a denial of service (dhcpd crash) by sending large amounts
of traffic.

For the oldstable distribution (jessie), these problems have been fixed
in version 4.3.1-6+deb8u3.

For the stable distribution (stretch), these problems have been fixed in
version 4.3.5-3+deb9u1.

We recommend that you upgrade your isc-dhcp packages.

For the detailed security status of isc-dhcp, please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/isc-dhcp


RN-927 (CM-19961)
Security: Debian Security Advisory DSA-4132 for libvpx issue CVE-2017-13194 

The following CVEs were announced in Debian Security Advisory DSA-4132-1, and affect the libvpx package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4132-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 04, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : libvpx
CVE ID : CVE-2017-13194

It was discovered that incorrect validation of frame widths in the libvpx
multimedia library may result in denial of service and potentially the
execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.3.0-3+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.6.1-3+deb9u1.

We recommend that you upgrade your libvpx packages.

For the detailed security status of libvpx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvpx


RN-928 (CM-19253)
Security: Debian Security Advisory DSA-4068-1 for rsync issues CVE-2017-16548 CVE-2017-17433 CVE-2017-17434 

The following CVEs were announced in Debian Security Advisory DSA-4068-1, and affect the rsync package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4068-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 17, 2017 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : rsync
CVE ID : CVE-2017-16548 CVE-2017-17433 CVE-2017-17434
Debian Bug : 880954 883665 883667

Several vulnerabilities were discovered in rsync, a fast, versatile,
remote (and local) file-copying tool, allowing a remote attacker to
bypass intended access restrictions or cause a denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 3.1.1-3+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 3.1.2-1+deb9u1.


RN-929 (CM-19303)
Security: Debian Security Advisory DSA-4073-1 for linux kernel issues CVE-2017-8824 CVE-2017-16995 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558 CVE-2017-17712 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806 CVE-2017-17807 CVE-2017-1000407 CVE-2017-1000410

The following CVEs were announced in Debian Security Advisory DSA-4073-1, and affect the linux package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4073-1 security@debian.org
https://www.debian.org/security/ 
December 23, 2017 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-8824 CVE-2017-16995 CVE-2017-17448
CVE-2017-17449 CVE-2017-17450 CVE-2017-17558
CVE-2017-17712 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806
CVE-2017-17807 CVE-2017-1000407 CVE-2017-1000410

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2017-8824

Mohamed Ghannam discovered that the DCCP implementation did not
correctly manage resources when a socket is disconnected and
reconnected, potentially leading to a use-after-free. A local
user could use this for denial of service (crash or data
corruption) or possibly for privilege escalation. On systems that
do not already have the dccp module loaded, this can be mitigated
by disabling it:
echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

CVE-2017-16995

Jann Horn discovered that the Extended BPF verifier did not
correctly model the behaviour of 32-bit load instructions. A
local user can use this for privilege escalation.

CVE-2017-17448

Kevin Cernekee discovered that the netfilter subsystem allowed
users with the CAP_NET_ADMIN capability in any user namespace, not
just the root namespace, to enable and disable connection tracking
helpers. This could lead to denial of service, violation of
network security policy, or have other impact.

CVE-2017-17449

Kevin Cernekee discovered that the netlink subsystem allowed
users with the CAP_NET_ADMIN capability in any user namespace
to monitor netlink traffic in all net namespaces, not just
those owned by that user namespace. This could lead to
exposure of sensitive information.

CVE-2017-17450

Kevin Cernekee discovered that the xt_osf module allowed users
with the CAP_NET_ADMIN capability in any user namespace to modify
the global OS fingerprint list.

CVE-2017-17558

Andrey Konovalov reported that the USB core did not correctly
handle some error conditions during initialisation. A physically
present user with a specially designed USB device can use this to
cause a denial of service (crash or memory corruption), or
possibly for privilege escalation.

CVE-2017-17712

Mohamed Ghannam discovered a race condition in the IPv4 raw socket
implementation. A local user could use this to obtain sensitive
information from the kernel.

CVE-2017-17741

Dmitry Vyukov reported that the KVM implementation for x86 would
over-read data from memory when emulating an MMIO write if the
kvm_mmio tracepoint was enabled. A guest virtual machine might be
able to use this to cause a denial of service (crash).

CVE-2017-17805

It was discovered that some implementations of the Salsa20 block
cipher did not correctly handle zero-length input. A local user
could use this to cause a denial of service (crash) or possibly
have other security impact.

CVE-2017-17806

It was discovered that the HMAC implementation could be used with
an underlying hash algorithm that requires a key, which was not
intended. A local user could use this to cause a denial of
service (crash or memory corruption), or possibly for privilege
escalation.

CVE-2017-17807

Eric Biggers discovered that the KEYS subsystem lacked a check for
write permission when adding keys to a process's default keyring.
A local user could use this to cause a denial of service or to
obtain sensitive information.

CVE-2017-1000407

Andrew Honig reported that the KVM implementation for Intel
processors allowed direct access to host I/O port 0x80, which
is not generally safe. On some systems this allows a guest
VM to cause a denial of service (crash) of the host.

CVE-2017-1000410

Ben Seri reported that the Bluetooth subsystem did not correctly
handle short EFS information elements in L2CAP messages. An
attacker able to communicate over Bluetooth could use this to
obtain sensitive information from the kernel.

Debian disables unprivileged user namespaces by default, but if they
are enabled (via the kernel.unprivileged_userns_clone sysctl) then
CVE-2017-17448 can be exploited by any local user.
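The advisory names two configuration-level mitigations for hosts that cannot be upgraded immediately: keeping the dccp module from loading (CVE-2017-8824) and leaving unprivileged user namespaces disabled (which limits CVE-2017-17448 to privileged users). The following audit script is an added example, not part of the Debian advisory or of Cumulus Linux; it takes the modprobe directory, module list and sysctl file as parameters so it can be exercised against constructed files, and the live paths are given in the trailing comment.

```shell
#!/bin/sh
# Added example (not from the advisory or Cumulus): check whether the two
# mitigations mentioned in DSA-4073-1 are in place on a host.

# dccp_install_disabled MODPROBE_DIR
# Returns 0 when some *.conf in MODPROBE_DIR carries an "install dccp ..."
# line (the form the advisory's echo command produces), non-zero otherwise.
dccp_install_disabled() {
    dir="$1"
    grep -Eqs '^[[:space:]]*install[[:space:]]+dccp[[:space:]]' "$dir"/*.conf
}

# dccp_loaded MODULES_FILE
# Returns 0 when the module list (normally /proc/modules) shows dccp loaded;
# in that case the modprobe line is too late and only an upgrade helps.
dccp_loaded() {
    grep -Eqs '^dccp[[:space:]]' "$1"
}

# userns_clone_enabled SYSCTL_FILE
# Returns 0 when the sysctl file (normally
# /proc/sys/kernel/unprivileged_userns_clone) reads a non-zero value.
userns_clone_enabled() {
    [ -r "$1" ] || return 1          # knob absent: treat as not enabled
    val=$(tr -d '[:space:]' < "$1")
    [ "$val" != "0" ]
}

# audit MODPROBE_DIR MODULES_FILE SYSCTL_FILE
# Prints one line per finding and returns the number of findings.
audit() {
    findings=0
    if dccp_loaded "$2"; then
        echo "dccp is already loaded: the modprobe mitigation does not apply, upgrade the kernel (CVE-2017-8824)"
        findings=$((findings + 1))
    elif ! dccp_install_disabled "$1"; then
        echo "dccp is not disabled in $1 (CVE-2017-8824)"
        findings=$((findings + 1))
    fi
    if userns_clone_enabled "$3"; then
        echo "unprivileged user namespaces are enabled: CVE-2017-17448 is reachable by any local user"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# On a live host:
# audit /etc/modprobe.d /proc/modules /proc/sys/kernel/unprivileged_userns_clone
```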


RN-930 (CM-19367)
Adding MTU to bonded interfaces creates an incorrect interface

When adding the MTU to bonded interfaces, NCLU creates an incorrect interface in the /etc/network/interfaces file.

This issue is fixed in Cumulus Linux 3.6.0.

New Known Issues in Cumulus RMP 3.6.0

The following issues are new to Cumulus RMP and affect the current release.


RN-382 (CM-6692)
FRR: Removing a bridge using  ifupdown2 does not remove it from the configuration files

Removing a bridge using ifupdown2 does not remove it from the FRR configuration files. However, restarting FRR successfully removes the bridge.

This issue is being investigated.


RN-754 (CM-15812)
Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs

Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs.

This issue is being investigated at this time.


RN-755 (CM-16855)
Auto-negotiation ON sometimes results in NO-CARRIER

If the two nodes on both sides of a link change from auto-negotiation off to auto-negotiation on within a short interval (around one second), the link might start flapping or stay down.

To work around this issue and stop the flapping, turn the link down on the switch with the command ifdown swpX, wait a few seconds, then bring the link back up with the command ifup swpX. Repeat this on the other side if necessary.


RN-760 (CM-18682)
smonctl utility JSON parsing error

There is a parsing error with the smonctl utility. In some cases when JSON output is chosen, the smonctl utility crashes. The JSON output is necessary to make the information available through SNMP.

This issue is being investigated.


RN-788 (CM-19381)
dhcrelay does not bind to interfaces that have names longer than 14 characters

The dhcrelay command does not bind to an interface if the interface's name is longer than 14 characters.

To work around this issue, change the interface name to be 14 or fewer characters if dhcrelay is required to bind to it.

This issue is currently being investigated.


RN-790 (CM-19014)
Configuring DHCP relay with VRR breaks ifreload

When you configure DHCP relay with VRR, the ifreload command does not work as expected; for example, the IP address might be removed from an SVI.

This issue is currently being investigated. 


RN-799 (CM-16493)
 

You cannot use NCLU or ifupdown2 to enable or disable the IPv6 link-local EUI-64 address format.

To work around this limitation, you can use the following iproute2 command:

cumulus@switch:~$ sudo ip link set swp# addrgenmode {eui-64|none}

Note that this command does not persist across a reboot of the switch.

This issue is currently being investigated.


RN-822 (CM-19788)
Using the same VLAN ID on a subinterface and bridge VIDs for a given port is not easily corrected

If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and the subinterface compete for the same VLAN, and if the interface is flapped it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict. To work around this issue, correct the bridge VIDs and restart switchd, or delete the subinterface.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-823 (CM-19724)
Multicast control protocols are classified to the bulk queue by default

PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-877 (CM-20745, CM-20678)
NCLU 'net show interface' commands report wrong mode in output for trunk ports

The net show interface command output displays the mode as Access/L2 instead of Trunk/L2.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-879 (CM-20724)
NCLU treats interface names with a hyphen as a range

If you create an interface name that includes a hyphen (-), Cumulus Linux treats the interface as a range of interfaces.

This issue should be fixed in an upcoming release of Cumulus Linux.
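RN-788 and RN-879 above are both easy to trip when an /etc/network/interfaces file is written by hand: a name longer than 14 characters is one dhcrelay cannot bind to, and a name containing a hyphen is one NCLU reads as a range. The lint below is an added example, not Cumulus Networks code; it reads the `auto` and `iface` stanzas of a file given as a parameter, and the sample file it builds at the end is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not Cumulus Networks code): flag interface names in an
# ifupdown2 interfaces file that hit RN-788 (longer than 14 characters,
# dhcrelay cannot bind) or RN-879 (hyphen, NCLU treats it as a range).

# interface_names FILE -> one interface name per line, deduplicated
interface_names() {
    awk '$1 == "iface" || $1 == "auto" { print $2 }' "$1" | sort -u
}

# lint_interface_names FILE
# Prints "NAME: reason" for each problem and returns the number of problems.
lint_interface_names() {
    problems=0
    for name in $(interface_names "$1"); do
        case "$name" in
            *-*) echo "$name: contains a hyphen, NCLU treats it as a range (RN-879)"
                 problems=$((problems + 1)) ;;
        esac
        if [ "${#name}" -gt 14 ]; then
            echo "$name: longer than 14 characters, dhcrelay cannot bind to it (RN-788)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample; on a switch run: lint_interface_names /etc/network/interfaces
sample=$(mktemp)
cat > "$sample" <<'EOF'
auto swp1
iface swp1

auto uplink-to-core
iface uplink-to-core
    address 10.0.0.1/31

auto vlan100-tenant-a
iface vlan100-tenant-a
    vlan-id 100
    vlan-raw-device bridge
EOF
lint_interface_names "$sample" || echo "$? problem(s) found"
rm -f "$sample"
```

Expected on the sample: uplink-to-core is flagged once (hyphen) and vlan100-tenant-a twice (hyphen and 16 characters), so three problems are reported.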


RN-885 (CM-20530)
NCLU 'net show interface' command shows 'NotConfigured' for unnumbered interfaces

When an interface is configured for OSPF/BGP unnumbered, the net show interface command shows NotConfigured instead of showing that it is unnumbered.

This issue is currently being investigated.


RN-893 (CM-20363)
IPv6 RA should include all on-link prefixes as prefix information

IPv6 RAs from a router can be used for host auto-configuration. The main items that can be auto-configured are the on-link prefixes (which the host can use to autoconfigure its addresses) and the default router; some other information can also be indicated. FRR supports advertising some of these parameters, but it does not automatically include all on-link prefixes as prefix information. To work around this issue, configure the prefixes explicitly for announcement through RA using the ipv6 nd prefix command.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-897 (CM-20086)
 

NCLU reports an error when attempting to configure FRR when the configured hostname begins with a digit:

unknown: buffer_flush_available: write error on fd -1: Bad file descriptor

To work around this issue, change the hostname of the switch to begin with an alphabetic character, not a digit.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-907 (CM-20829)
'netd' fails on a reboot after upgrade to 3.6.0 with the error "ImportError: No module named time"

When you use the apt-get upgrade command to upgrade to Cumulus Linux 3.6.0 and you choose to keep the currently installed version of netd.conf (by typing N at the prompt), netd fails to start after the reboot and you see errors in the logs when you try to restart it.

This issue is being investigated at this time.
