Cumulus RMP 3.6 Release Notes


Overview

These release notes support Cumulus RMP 3.6.0, 3.6.1, and 3.6.2 and describe currently available features and known issues.

Cumulus RMP 3.6 supports these features and is available on the Penguin Computing Arctica 4804IP-RMP, and the Quanta QuantaMesh T1048-LY4R and CX RMP-T out-of-band switches.

Stay up to Date 

  • Please sign in and click Follow above so you can receive a notification when we update these release notes.
  • Subscribe to our product bulletin mailing list to receive important announcements and updates about issues that arise in our products.
  • Subscribe to our security announcement mailing list to receive alerts whenever we update our software for security issues.


What's New in Cumulus RMP 3.6.2

Cumulus RMP 3.6.2 contains several bug fixes and the following new feature:

What's New in Cumulus RMP 3.6.0

Cumulus RMP 3.6.0 contains several bug fixes and the following new feature:

  • Support for combination of local-as and allowas-in command

Installing Version 3.6

If you are upgrading from version 3.0.0 or later, use apt-get to update the software.

Cumulus Networks recommends you use the -E option with sudo whenever you run any apt-get command. This option preserves your environment variables — such as HTTP proxies — before you install new packages or upgrade your distribution.

  1. Run sudo -E apt-get update.
  2. Run sudo -E apt-get upgrade.
  3. Reboot the switch.

Note: In Cumulus Linux 3.6.0, the upgrade process has changed. During an upgrade to 3.6.0 from 3.5 or earlier, certain services might be stopped. These services are not restarted until after the switch reboots, which results in some functionality being lost during the upgrade process.

During the upgrade process, you will see messages similar to the following:

/usr/sbin/policy-rc.d returned 101, not running 'stop switchd.service'
/usr/sbin/policy-rc.d returned 101, not running 'start switchd.service'

At the end of the upgrade, if a reboot is required, you see the following message:

*** Caution: Service restart prior to reboot could cause unpredictable behavior
*** System reboot required ***

Do not restart services manually until after rebooting, or services will fail.

For upgrades post 3.6.0, if no reboot is required after the upgrade completes, the upgrade will stop and restart all upgraded services and will log messages in the /var/log/syslog file similar to the ones shown below. (In the examples below, only the frr package was upgraded.)

Policy: Service frr.service action stop postponed
Policy: Service frr.service action start postponed
Policy: Restarting services: frr.service
Policy: Finished restarting services
Policy: Removed /usr/sbin/policy-rc.d
Policy: Upgrade is finished

For additional information about upgrading, see Upgrading Cumulus Linux in the Cumulus Linux User Guide.
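
For automation that drives this upgrade, the following added example (not Cumulus Networks code) reads the messages quoted above and decides whether the switch must be rebooted before any service is touched. The function names and the three return values are assumptions made for this sketch; the sample lines are the ones shown in these notes.

```python
import re

# Message formats are the ones quoted in these release notes.
POLICY_RC = re.compile(r"policy-rc\.d returned 101, not running '(?:stop|start) (\S+)'")
POSTPONED = re.compile(r"Policy: Service (\S+) action (?:stop|start) postponed")
RESTARTING = re.compile(r"Policy: Restarting services: (.+)")

# Sample console output of an upgrade that requires a reboot (from the text above).
REBOOT_SAMPLE = """\
/usr/sbin/policy-rc.d returned 101, not running 'stop switchd.service'
/usr/sbin/policy-rc.d returned 101, not running 'start switchd.service'
*** Caution: Service restart prior to reboot could cause unpredictable behavior
*** System reboot required ***
""".splitlines()

# Sample /var/log/syslog messages of an upgrade that needs no reboot (from the text above).
NO_REBOOT_SAMPLE = """\
Policy: Service frr.service action stop postponed
Policy: Service frr.service action start postponed
Policy: Restarting services: frr.service
Policy: Finished restarting services
Policy: Removed /usr/sbin/policy-rc.d
Policy: Upgrade is finished
""".splitlines()


def upgrade_state(lines):
    """Collect what the upgrade reported: held services, restarts, reboot flag."""
    state = {"reboot_required": False, "held": set(), "restarted": set(), "finished": False}
    for line in lines:
        held = POLICY_RC.search(line) or POSTPONED.search(line)
        if held:
            state["held"].add(held.group(1))
        restarting = RESTARTING.search(line)
        if restarting:
            state["restarted"].update(restarting.group(1).split())
        if "System reboot required" in line:
            state["reboot_required"] = True
        if "Policy: Upgrade is finished" in line:
            state["finished"] = True
    return state


def next_action(state):
    """Return 'reboot', 'done' or 'incomplete' (hypothetical labels for this sketch)."""
    if state["reboot_required"]:
        # Services stay stopped until the reboot; do not restart them manually.
        return "reboot"
    if state["finished"] and state["held"] <= state["restarted"]:
        # Every postponed service was restarted and the policy hook was removed.
        return "done"
    return "incomplete"


if __name__ == "__main__":
    for name, sample in (("reboot case", REBOOT_SAMPLE), ("no-reboot case", NO_REBOOT_SAMPLE)):
        state = upgrade_state(sample)
        print(name, "->", next_action(state), sorted(state["held"]))
```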

New Install or Upgrading from Versions Older than 3.0.0

If you are upgrading from a version older than 3.0.0, or installing Cumulus RMP for the first time, download the Cumulus RMP 3.6.0 installer for Broadcom switches from the Cumulus Networks website, then use ONIE to perform a complete install, following the instructions in the user guide.

Note: This method is destructive; any configuration files on the switch will not be saved, so please copy them to a different server before upgrading via ONIE.

Important! After you install, run apt-get update, then apt-get upgrade on your switch to make sure you update Cumulus RMP to include any important or other package updates.

Documentation

You can read the technical documentation here.

Issues Fixed in Cumulus RMP 3.6.2

The following is a list of issues fixed in Cumulus RMP 3.6.2 from earlier versions of Cumulus RMP. 

Release Note ID Summary Description

RN-799 (CM-16493)
No way to configure IPv6 link-local addrgenmode using ifupdown2 or NCLU

You cannot use NCLU or ifupdown2 to enable or disable the IPv6 link-local eui-64 format.

To work around this limitation, you can use the following iproute2 command:

cumulus@switch:~$ sudo ip link set swpX addrgenmode {eui-64|none}

Note: This command does not persist across a reboot of the switch.

This issue is fixed in Cumulus Linux 3.6.2.


RN-827 (CM-14300)
cl-acltool counters for implicit accept do not work for IPv4 on management (ethX) interfaces

iptables does not count packets ingressing ethX interfaces against the default INPUT chain rule.

This issue is fixed in Cumulus Linux 3.6.2.


RN-947 (CM-20992)
RS FEC configuration cleared and not re-installed on switchd restart, leaving links down

During switchd restart, the RS FEC configuration is not re-installed to the interfaces to which it was previously applied.

This issue is fixed in Cumulus Linux 3.6.2.


RN-954 (CM-21062)
Redundant NCLU command to configure the DHCP relay exits with return code 1

When using the NCLU command to add a redundant DHCP relay, the command exits with an error instead of displaying a message that the DHCP relay server configuration already contains the IP address.

This issue is fixed in Cumulus Linux 3.6.2.


RN-987 (CM-20938)
Debian Security Advisory DSA-4196-1 CVE-2018-1087 CVE-2018-8897 for the linux kernel package

The following CVEs were announced in Debian Security Advisory DSA-4196-1 and affect the Linux kernel.

This issue is fixed in Cumulus Linux 3.6.2.

--------------------------------------------------------------------------

Debian Security Advisory DSA-4196-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

May 08, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package: linux

CVE ID: CVE-2018-1087 CVE-2018-8897

Debian Bug: 897427 897599 898067 898100

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial of service.

CVE-2018-1087

Andy Lutomirski discovered that the KVM implementation did not properly handle #DB exceptions while deferred by MOV SS/POP SS, allowing an unprivileged KVM guest user to crash the guest or potentially escalate their privileges.

CVE-2018-8897

Nick Peterson of Everdox Tech LLC discovered that #DB exceptions that are deferred by MOV SS or POP SS are not properly handled, allowing an unprivileged user to crash the kernel and cause a denial of service.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.56-1+deb8u1. This update includes various fixes for regressions from 3.16.56-1 as released in DSA-4187-1 (Cf. #897427, #898067 and #898100).

For the stable distribution (stretch), these problems have been fixed in version 4.9.88-1+deb9u1. The fix for CVE-2018-1108 applied in DSA-4188-1 is temporarily reverted due to various regression, cf. #897599.

For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux


RN-988 (CM-20834)
Debian Security Advisory DSA 4187-1 for linux kernel

The following CVEs were announced in Debian Security Advisory DSA-4187-1 and affect the Linux kernel.

This issue is fixed in Cumulus Linux 3.6.2.

--------------------------------------------------------------------------

Debian Security Advisory DSA-4187-1 security@debian.org

https://www.debian.org/security/ Ben Hutchings

May 01, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package: linux

CVE ID: CVE-2015-9016 CVE-2017-0861 CVE-2017-5715 CVE-2017-5753 CVE-2017-13166 CVE-2017-13220
CVE-2017-16526 CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-18017
CVE-2017-18203 CVE-2017-18216 CVE-2017-18232 CVE-2017-18241 CVE-2018-1066 CVE-2018-1068
CVE-2018-1092 CVE-2018-5332 CVE-2018-5333 CVE-2018-5750 CVE-2018-5803 CVE-2018-6927
CVE-2018-7492 CVE-2018-7566 CVE-2018-7740 CVE-2018-7757 CVE-2018-7995 CVE-2018-8781
CVE-2018-8822 CVE-2018-1000004 CVE-2018-1000199

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2015-9016

Ming Lei reported a race condition in the multiqueue block layer (blk-mq). On a system with a driver using blk-mq (mtip32xx, null_blk, or virtio_blk), a local user might be able to use this for denial of service or possibly for privilege escalation.

CVE-2017-0861

Robb Glasser reported a potential use-after-free in the ALSA (sound) PCM core. We believe this was not possible in practice.

CVE-2017-5715

Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system.

This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated for the x86 architecture (amd64 and i386) by using the "retpoline" compiler feature which allows indirect branches to be isolated from speculative execution.

CVE-2017-5753

Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system.

This specific attack has been named Spectre variant 1 (bounds-check bypass) and is mitigated by identifying vulnerable code sections (array bounds checking followed by array access) and replacing the array access with the speculation-safe array_index_nospec() function.

More use sites will be added over time.

CVE-2017-13166

A bug in the 32-bit compatibility layer of the v4l2 ioctl handling code has been found. Memory protections ensuring user-provided buffers always point to userland memory were disabled, allowing destination addresses to be in kernel space. On a 64-bit kernel a local user with access to a suitable video device can exploit this to overwrite kernel memory, leading to privilege escalation.

CVE-2017-13220

Al Viro reported that the Bluetooth HIDP implementation could dereference a pointer before performing the necessary type check. A local user could use this to cause a denial of service.

CVE-2017-16526

Andrey Konovalov reported that the UWB subsystem may dereference an invalid pointer in an error case. A local user might be able to use this for denial of service.

CVE-2017-16911

Secunia Research reported that the USB/IP vhci_hcd driver exposed kernel heap addresses to local users. This information could aid the exploitation of other vulnerabilities.

CVE-2017-16912

Secunia Research reported that the USB/IP stub driver failed to perform a range check on a received packet header field, leading to an out-of-bounds read. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-16913

Secunia Research reported that the USB/IP stub driver failed to perform a range check on a received packet header field, leading to excessive memory allocation. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-16914

Secunia Research reported that the USB/IP stub driver failed to check for an invalid combination of fields in a received packet, leading to a null pointer dereference. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-18017

Denys Fedoryshchenko reported that the netfilter xt_TCPMSS module failed to validate TCP header lengths, potentially leading to a use-after-free. If this module is loaded, it could be used by a remote attacker for denial of service or possibly for code execution.

CVE-2017-18203

Hou Tao reported that there was a race condition in creation and deletion of device-mapper (DM) devices. A local user could potentially use this for denial of service.

CVE-2017-18216

Alex Chen reported that the OCFS2 filesystem failed to hold a necessary lock during nodemanager sysfs file operations, potentially leading to a null pointer dereference. A local user could use this for denial of service.

CVE-2017-18232

Jason Yan reported a race condition in the SAS (Serial-Attached SCSI) subsystem, between probing and destroying a port. This could lead to a deadlock. A physically present attacker could use this to cause a denial of service.

CVE-2017-18241

Yunlei He reported that the f2fs implementation does not properly initialise its state if the "noflush_merge" mount option is used. A local user with access to a filesystem mounted with this option could use this to cause a denial of service.

CVE-2018-1066

Dan Aloni reported to Red Hat that the CIFS client implementation would dereference a null pointer if the server sent an invalid response during NTLMSSP setup negotiation. This could be used by a malicious server for denial of service.

CVE-2018-1068

The syzkaller tool found that the 32-bit compatibility layer of ebtables did not sufficiently validate offset values. On a 64-bit kernel, a local user with the CAP_NET_ADMIN capability (in any user namespace) could use this to overwrite kernel memory, possibly leading to privilege escalation. Debian disables unprivileged user namespaces by default.

CVE-2018-1092

Wen Xu reported that a crafted ext4 filesystem image would trigger a null dereference when mounted. A local user able to mount arbitrary filesystems could use this for denial of service.

CVE-2018-5332

Mohamed Ghannam reported that the RDS protocol did not sufficiently validate RDMA requests, leading to an out-of-bounds write. A local attacker on a system with the rds module loaded could use this for denial of service or possibly for privilege escalation.

CVE-2018-5333

Mohamed Ghannam reported that the RDS protocol did not properly handle an error case, leading to a null pointer dereference. A local attacker on a system with the rds module loaded could possibly use this for denial of service.

CVE-2018-5750

Wang Qize reported that the ACPI sbshc driver logged a kernel heap address. This information could aid the exploitation of other vulnerabilities.

CVE-2018-5803

Alexey Kodanev reported that the SCTP protocol did not range-check the length of chunks to be created. A local or remote user could use this to cause a denial of service.

CVE-2018-6927

Li Jinyue reported that the FUTEX_REQUEUE operation on futexes did not check for negative parameter values, which might lead to a denial of service or other security impact.

CVE-2018-7492

The syzkaller tool found that the RDS protocol was lacking a null pointer check. A local attacker on a system with the rds module loaded could use this for denial of service.

CVE-2018-7566

Fan LongFei reported a race condition in the ALSA (sound) sequencer core, between write and ioctl operations. This could lead to an out-of-bounds access or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation.

CVE-2018-7740

Nic Losby reported that the hugetlbfs filesystem's mmap operation did not properly range-check the file offset. A local user with access to files on a hugetlbfs filesystem could use this to cause a denial of service.

CVE-2018-7757

Jason Yan reported a memory leak in the SAS (Serial-Attached SCSI) subsystem. A local user on a system with SAS devices could use this to cause a denial of service.

CVE-2018-7995

Seunghun Han reported a race condition in the x86 MCE (Machine Check Exception) driver. This is unlikely to have any security impact.

CVE-2018-8781

Eyal Itkin reported that the udl (DisplayLink) driver's mmap operation did not properly range-check the file offset. A local user with access to a udl framebuffer device could exploit this to overwrite kernel memory, leading to privilege escalation.

CVE-2018-8822

Dr Silvio Cesare of InfoSect reported that the ncpfs client implementation did not validate reply lengths from the server. An ncpfs server could use this to cause a denial of service or remote code execution in the client.

CVE-2018-1000004

Luo Quan reported a race condition in the ALSA (sound) sequencer core, between multiple ioctl operations. This could lead to a deadlock or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation.

CVE-2018-1000199

Andy Lutomirski discovered that the ptrace subsystem did not sufficiently validate hardware breakpoint settings. Local users can use this to cause a denial of service, or possibly for privilege escalation, on x86 (amd64 and i386) and possibly other architectures.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.56-1.

For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux


RN-1008 (CM-21396)
The 'net del interface bridge vids' command removes the interface from the bridge ports list

If you run the net del interface <interface> bridge vids command, the interface is removed from the bridge ports list instead of inheriting the characteristics of the bridge.

To work around this issue, add the interface back to the bridge with the net add bridge bridge ports <interface> command.

This issue is fixed in Cumulus Linux 3.6.2.


RN-1010 (CM-21352)
Debian Security Advisory DSA-4212-1 CVE-2018-11235 for the git package

The following CVE was announced in Debian Security Advisory DSA-4212-1 and affects the git package.

This issue is fixed in Cumulus Linux 3.6.2.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4212-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

May 29, 2018 https://www.debian.org/security/faq

--------------------------------------------------------------------------

Package : git

CVE ID : CVE-2018-11235

Etienne Stalmans discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability exploitable via specially crafted submodule names in a .gitmodules file.

For the oldstable distribution (jessie), this problem has been fixed in version 1:2.1.4-2.1+deb8u6.

For the stable distribution (stretch), this problem has been fixed in version 1:2.11.0-3+deb9u3.

We recommend that you upgrade your git packages.

For the detailed security status of git please refer to its security tracker page at: https://security-tracker.debian.org/tracker/git


RN-1011 (CM-21350)
Debian Security Advisory DSA 4224-1 CVE-2018-12020 for the gnupg package

The following CVE was announced in Debian Security Advisory DSA-4224-1 and affects the gnupg package.

This issue is fixed in Cumulus Linux 3.6.2.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4224-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

June 08, 2018 https://www.debian.org/security/faq

--------------------------------------------------------------------------

Package : gnupg

CVE ID : CVE-2018-12020

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed in version 1.4.18-7+deb8u5.

For the detailed security status of gnupg, refer to its security tracker page at: https://security-tracker.debian.org/tracker/gnupg


RN-1012 (CM-21351)
Debian Security Advisory DSA 4222-1 CVE-2018-12020 for the gnupg2 package

The following CVE was announced in Debian Security Advisory DSA-4222-1 and affects the gnupg2 package.

This issue is fixed in Cumulus Linux 3.6.2.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4222-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

June 08, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : gnupg2

CVE ID : CVE-2018-12020

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed in version 2.0.26-6+deb8u2.

For the stable distribution (stretch), this problem has been fixed in version 2.1.18-8~deb9u2.

For the detailed security status of gnupg2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gnupg2


RN-1013 (CM-20926)
Debian Security Advisory DSA-4195-1 CVE-2018-0494 for the wget package

The following CVEs were announced in Debian Security Advisory DSA-4195-1 and affect the wget package.

This issue is fixed in Cumulus Linux 3.6.2.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4195-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

May 08, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : wget

CVE ID : CVE-2018-0494

Debian Bug : 898076

Harry Sintonen discovered that wget, a network utility to retrieve files from the web, does not properly handle '\r\n' from continuation lines while parsing the Set-Cookie HTTP header. A malicious web server could use this flaw to inject arbitrary cookies to the cookie jar file, adding new or replacing existing cookie values.

For the oldstable distribution (jessie), this problem has been fixed in version 1.16-1+deb8u5.

For the stable distribution (stretch), this problem has been fixed in version 1.18-5+deb9u2.

We recommend that you upgrade your wget packages.

For the detailed security status of wget please refer to its security tracker page at: https://security-tracker.debian.org/tracker/wget


RN-1014 (CM-21349)
Debian Security Advisory DSA-4226-1 CVE-2018-12015 for the perl package

The following CVEs were announced in Debian Security Advisory DSA-4226-1 and affect the perl package.

This issue is fixed in Cumulus Linux 3.6.2.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4226-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

June 12, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : perl

CVE ID : CVE-2018-12015

Debian Bug : 900834

Jakub Wilk discovered a directory traversal flaw in the Archive::Tar module, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted tar archive.

For the oldstable distribution (jessie), this problem has been fixed in version 5.20.2-3+deb8u11.

For the stable distribution (stretch), this problem has been fixed in version 5.24.1-3+deb9u4.

We recommend that you upgrade your perl packages.

For the detailed security status of perl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/perl


RN-1016 (CM-20803)
Debian Security Advisory DSA-4186-1 CVE-2018-1000164 for gunicorn package

The following CVEs were announced in Debian Security Advisory DSA-4186-1 and affect the gunicorn package.

This issue is fixed in Cumulus Linux 3.6.2.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4186-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

April 28, 2018 https://www.debian.org/security/faq

--------------------------------------------------------------------------

Package : gunicorn

CVE ID : CVE-2018-1000164

It was discovered that gunicorn, an event-based HTTP/WSGI server was susceptible to HTTP Response splitting.

For the oldstable distribution (jessie), this problem has been fixed in version 19.0-1+deb8u1.

We recommend that you upgrade your gunicorn packages.

For the detailed security status of gunicorn please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/gunicorn


RN-1017 (CM-21348)
Debian Security Advisory DSA-4217-1 CVE-2018-9273 CVE-2018-7320 CVE-2018-7334 CVE-2018-7335 CVE-2018-7419 CVE-2018-9261 CVE-2018-9264 CVE-2018-11358 CVE-2018-11360 CVE-2018-11362 for wireshark

The following CVEs were announced in Debian Security Advisory DSA-4217-1 and affect the wireshark package.

This issue is fixed in Cumulus Linux 3.6.2.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4217-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

June 03, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : wireshark

CVE ID : CVE-2018-9273 CVE-2018-7320 CVE-2018-7334 CVE-2018-7335 CVE-2018-7419 CVE-2018-9261 CVE-2018-9264 CVE-2018-11358 CVE-2018-11360 CVE-2018-11362

It was discovered that Wireshark, a network protocol analyzer, contained several vulnerabilities in the dissectors for PCP, ADB, NBAP, UMTS MAC, IEEE 802.11, SIGCOMP, LDSS, GSM A DTAP and Q.931, which result in denial of service or the execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u14.

For the stable distribution (stretch), these problems have been fixed in version 2.2.6+g32dac6a-2+deb9u3.

For the detailed security status of wireshark, refer to its security tracker page at: https://security-tracker.debian.org/tracker/wireshark


RN-1018 (CM-20799)
Cannot use NCLU to add or delete RADIUS client IP addresses for 802.1X interfaces

This issue is fixed in Cumulus Linux 3.6.2.


RN-1019 (CM-21156)
Debian Security Advisory DSA-4211-1 CVE-2017-18266 for xdg-utils package

The following CVEs were announced in Debian Security Advisory DSA-4211-1 and affect the xdg-utils package.

This issue is fixed in Cumulus Linux 3.6.2.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4211-1 security@debian.org

https://www.debian.org/security/ Luciano Bello

May 25, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : xdg-utils

CVE ID : CVE-2017-18266

Debian Bug : 898317

Gabriel Corona discovered that xdg-utils, a set of tools for desktop environment integration, is vulnerable to argument injection attacks. If the environment variable BROWSER in the victim host has a "%s" and the victim opens a link crafted by an attacker with xdg-open, the malicious party could manipulate the parameters used by the browser when opened. This manipulation could set, for example, a proxy to which the network traffic could be intercepted for that particular execution.

For the oldstable distribution (jessie), this problem has been fixed in version 1.1.0~rc1+git20111210-7.4+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 1.1.1-1+deb9u1.

For the detailed security status of xdg-utils, refer to its security tracker page at: https://security-tracker.debian.org/tracker/xdg-utils


RN-1020 (CM-21098)
Debian Security Advisory DSA-4208-1 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 for procps top, ps command

The following CVEs were announced in Debian Security Advisory DSA-4208-1 and affect the procps package.

This issue is fixed in Cumulus Linux 3.6.2.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4208-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

May 22, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : procps

CVE ID : CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126

Debian Bug : 899170

The Qualys Research Labs discovered multiple vulnerabilities in procps, a set of command line and full screen utilities for browsing procfs. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2018-1122

top reads its configuration from the current working directory if no $HOME was configured. If top were started from a directory writable by the attacker (such as /tmp) this could result in local privilege escalation.

CVE-2018-1123

Denial of service against the ps invocation of another user.

CVE-2018-1124

An integer overflow in the file2strvec() function of libprocps could result in local privilege escalation.

CVE-2018-1125

A stack-based buffer overflow in pgrep could result in denial of service for a user using pgrep for inspecting a specially crafted process.

CVE-2018-1126

Incorrect integer size parameters used in wrappers for standard allocators could cause integer truncation and lead to integer overflow issues.

For the oldstable distribution (jessie), these problems have been fixed in version 2:3.3.9-9+deb8u1.

For the stable distribution (stretch), these problems have been fixed in version 2:3.3.12-3+deb9u1.

For the detailed security status of procps, refer to its security tracker page at: https://security-tracker.debian.org/tracker/procps

A full readable description of the vulnerabilities is here: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt

These are all local-only issues: denial of service, plus a privilege escalation in top.


RN-1022 (CM-20697)
Debian Security Advisory DSA-4176-1 CVE-2018-2755 CVE-2018-2761 CVE-2018-2771 CVE-2018-2773 CVE-2018-2781 CVE-2018-2813 CVE-2018-2817 CVE-2018-2818 CVE-2018-2819 for the mysql package

The following CVEs were announced in Debian Security Advisory DSA-4176-1 and affect the mysql library and common packages.

This issue is fixed in Cumulus Linux 3.6.2.

--------------------------------------------------------------------------

Debian Security Advisory DSA-4176-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 20, 2018 https://www.debian.org/security/faq

--------------------------------------------------------------------------

Package : mysql-5.5

CVE ID : CVE-2018-2755 CVE-2018-2761 CVE-2018-2771 CVE-2018-2773 CVE-2018-2781 CVE-2018-2813 CVE-2018-2817 CVE-2018-2818 CVE-2018-2819

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.60, which includes additional changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-60.html

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

For the oldstable distribution (jessie), these problems have been fixed in version 5.5.60-0+deb8u1.

We recommend that you upgrade your mysql-5.5 packages.

For the detailed security status of mysql-5.5 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/mysql-5.5

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/


RN-1023 (CM-20138)
NCLU errors out on a breakout port when the port is already configured in a bridge

It's been reported that splitting a switch port removes it from the bridge.

This issue is fixed in Cumulus Linux 3.6.2.


RN-1024 (CM-21047)
cl-support takes a long time to complete when a large amount of space is allocated to /var/log/lastlog

When there is a lot of space allocated to /var/log/lastlog, cl-support takes a long time to run (sometimes more than an hour).

This issue is fixed in Cumulus Linux 3.6.2.


RN-1026 (CM-21012)
Debian Security Advisory DSA-4202-1 CVE-2018-1000301 for the curl package

The following CVEs were announced in Debian Security Advisory DSA-4202-1 and affect the curl package.

This issue is fixed in Cumulus Linux 3.6.2.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4202-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

May 16, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : curl

CVE ID : CVE-2018-1000301

Debian Bug : 898856

OSS-fuzz, assisted by Max Dymond, discovered that cURL, an URL transfer library, could be tricked into reading data beyond the end of a heap based buffer when parsing invalid headers in an RTSP response.

For the oldstable distribution (jessie), this problem has been fixed in version 7.38.0-4+deb8u11.

For the stable distribution (stretch), this problem has been fixed in version 7.52.1-5+deb9u6.

For the detailed security status of curl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl


RN-1028 (CM-20728)
Errors occur when installing TOS matched rules in ip6tables

The following error occurs when trying to install a TOS matched rule in ip6tables:

Installing acl policy
error: hw sync failed (Cannot process ip6tables,FORWARD,2,TOS match extension is supported only for iptables)
Rolling back ..
failed.

This issue is fixed in Cumulus Linux 3.6.2.

New Known Issues in Cumulus RMP 3.6.2

The following issues are new to Cumulus RMP and affect the current release.

Release Note ID Summary Description

RN-979 (CM-21691)
When removing a dot1x configured port from a traditional bridge, the net pending command does not show the changes

When removing a dot1x configured port from a traditional bridge, the net pending command does not show the pending changes; however, the port is removed from the bridge when you issue the net commit command.

This is a known issue and should be fixed in a future release of Cumulus Linux.


RN-980 (CM-21653)
Incorrect VLAN translation tags on double tagged bridge interfaces

A bridge with double tag translation configured on a member interface correctly maps the VLAN tags in the outgoing ARP request frame, but incorrectly maps the VLAN tags on the incoming ARP reply.

This is a known issue that is currently being investigated.


RN-982 (CM-21598)
IGMP configuration does not persist through a switch reboot

The order of the query interval and maximum response time parameters in an IGMP interface configuration together with an insufficient response time value causes the IGMP configuration to be lost during a switch reboot. The maximum response time cannot be greater than or equal to the query interval, and the maximum response time must be read before the interval.

To work around this issue temporarily, move the query interval parameter to follow the query-max-response-time parameter and set the query-max-response-time to a value less than the query interval. You must repeat this workaround each time FRR writes to the frr.conf file.

This issue is being investigated at this time.


RN-992 (CM-20570)
Disabled services started after running `net del all` then `net commit`

After running the net del all command to remove the configuration, then committing the change with net commit, NCLU enables every service and restarts them. You must manually disable those services again.

This is a known issue and should be fixed in a future release of Cumulus Linux.


RN-995 (CM-21373)
Debian Security advisory DSA-4231-1/CVE-2018-0495 for libgcrypt20 package

Debian issued the following security advisory, DSA-4231-1, which affects the libgcrypt20 package. This advisory applies only to the Debian Stretch release.

Debian Jessie, upon which Cumulus Linux 3.0 - 3.6.2 is based, is vulnerable, but the vulnerability has not been fixed upstream in Debian yet.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4231-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

June 17, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : libgcrypt20

CVE ID : CVE-2018-0495

It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys.

For the stable distribution (stretch), this problem has been fixed in version 1.7.6-2+deb9u3.

We recommend that you upgrade your libgcrypt20 packages.

For the detailed security status of libgcrypt20 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/libgcrypt20

This issue will be fixed in a future version of Cumulus Linux when a fix is made available for Debian Jessie.


RN-996 (CM-21379)
Floating static route is not installed into the FIB when the primary route becomes unavailable

If a primary route becomes unavailable (for example, you run ifdown on the switch port), the backup route remains inactive and is not installed into FIB.

To work around this issue, configure routes as ECMP:

cumulus@switch:~$ net del routing route 4.1.1.0/24 1.1.1.1 10
cumulus@switch:~$ net add routing route 4.1.1.0/24 1.1.1.1
cumulus@switch:~$ net commit

This issue should be fixed in a future release of Cumulus Linux.


RN-998 (CM-21398)
Creating a MGMT ACL via NCLU results in a FORWARD entry

If you use NCLU to configure an ACL for eth0, you cannot designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file.

This issue should be fixed in a future release of Cumulus Linux.
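A check for the RN-998 symptom matters because netfilter's FORWARD chain only sees traffic routed through the switch, while traffic addressed to the switch itself (such as SSH to eth0) is filtered in INPUT. The following Python is an added example, not Cumulus code: it scans the text of a policy file such as /etc/cumulus/acl/policy.d/50_nclu_acl.rules and reports FORWARD rules that match eth0 as the input interface. The sample policy is constructed, and the iptables-style rule lines under [iptables]/[ip6tables] section headers are an assumption about the file's layout.

```python
"""Flag management-interface ACL rules that landed in FORWARD instead of INPUT."""

# Constructed sample of an NCLU-generated policy file (not taken from a real switch).
SAMPLE_POLICY = """\
[iptables]
# eth0: acl ipv4 MGMT inbound
-A FORWARD --in-interface eth0 -j ACCEPT -p tcp -s 10.0.0.0/24 --dport 22
-A FORWARD --in-interface eth0 -j DROP -p tcp --dport 22
-A FORWARD --in-interface swp1 -j ACCEPT -p tcp --dport 179
-A INPUT -i eth0 -j ACCEPT -p icmp
[ip6tables]
-A FORWARD -i eth0 -j DROP -p tcp --dport 22
"""

# Sections assumed to hold iptables-style rules.
RULE_SECTIONS = ("iptables", "ip6tables")


def option_value(tokens, names):
    """Return the argument following the first option found in `names`, or None."""
    for idx, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[idx + 1]
    return None


def find_misplaced_mgmt_rules(policy_text, mgmt_ifaces=("eth0",)):
    """Return (line_no, section, rule) for FORWARD rules whose input
    interface is a management interface.

    Such rules never filter traffic destined to the switch itself, so an
    ACL meant to protect management access is silently ineffective.
    """
    findings = []
    section = None
    for line_no, raw in enumerate(policy_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section not in RULE_SECTIONS:
            continue
        tokens = line.split()
        chain = option_value(tokens, ("-A", "--append"))
        in_if = option_value(tokens, ("-i", "--in-interface"))
        if chain != "FORWARD" or in_if is None:
            continue
        # Split on commas in case a rule lists several interfaces.
        if set(in_if.split(",")) & set(mgmt_ifaces):
            findings.append((line_no, section, line))
    return findings


if __name__ == "__main__":
    for line_no, section, rule in find_misplaced_mgmt_rules(SAMPLE_POLICY):
        print("line %d [%s]: %s" % (line_no, section, rule))
```

Any line it reports is a rule to re-create by hand in the INPUT chain until the NCLU fix is available.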


RN-999 (CM-21422)
The NCLU `net show config` command shows the configuration that is pending and not the one that was committed

If you have any pending changes in the NCLU buffer, when you run the net show config command or the net show config interface <interface> command, the output displays the pending configuration, not the one that was previously committed.

This issue should be fixed in a future release of Cumulus Linux.


RN-1000 (CM-21454)
Creating a new traditional mode bridge causes temporary traffic loss

Sometimes when creating a new bridge in traditional mode, an outage of 20-30 seconds can occur when running ifreload. This issue is more noticeable if you add and remove traditional bridges multiple times a day. The outage is long enough to drop BGP and OSPF sessions running through the switch. However, ifreload debug logs show everything is normal, that no interfaces are going down.

This issue should be fixed in a future release of Cumulus Linux.


RN-1004 (CM-21496)
Scalability of redistribute neighbor limits the number of supported hosts

A Cumulus Linux switch cannot manage Docker containers running on 500 hosts. Entries in table 10 start to expire and are removed from the table.

To work around this issue, modify the ebtable rules for set-rate and set-burst, increasing their values until the issue is resolved. For example, configure set-rate=1200 and set-burst=300.

This issue is being investigated at this time.


RN-1006 (CM-20644)
The ptp4l and phc2sys services are enabled by default resulting in repeated syslog messages

In Cumulus Linux 3.6.1 and later, the ptp4l and phc2sys services are enabled by default. If you are not using PTP or PTP is not configured, the logs are repeatedly filled with messages similar to the following:

2018-06-20T15:38:44.490543+00:00 cumulus phc2sys: [1542.230] Waiting for ptp4l...
2018-06-20T15:38:44.491160+00:00 cumulus phc2sys: [1542.230] uds: sendto failed: No such file or directory
2018-06-20T15:38:45.491747+00:00 cumulus phc2sys: [1543.231] Waiting for ptp4l...
2018-06-20T15:38:45.492259+00:00 cumulus phc2sys: [1543.231] uds: sendto failed: No such file or directory
2018-06-20T15:38:46.492925+00:00 cumulus phc2sys: [1544.233] Waiting for ptp4l...
2018-06-20T15:38:46.493440+00:00 cumulus phc2sys: [1544.233] uds: sendto failed: No such file or directory

To work around this issue in Cumulus Linux 3.6.2, add StartLimitInterval to both the ptp4l and phc2sys services as shown below:

sudo mkdir -p /etc/systemd/system/ptp4l.service.d /etc/systemd/system/phc2sys.service.d
sudo sh -c '/bin/echo -e "[Service]\nStartLimitInterval=375" > /etc/systemd/system/phc2sys.service.d/startinterval.conf'
sudo sh -c '/bin/echo -e "[Service]\nStartLimitInterval=375" > /etc/systemd/system/ptp4l.service.d/startinterval.conf'
sudo systemctl daemon-reload

This issue should be fixed in a future release of Cumulus Linux.

Issues Fixed in Cumulus RMP 3.6.1

The following is a list of issues fixed in Cumulus RMP 3.6.1 from earlier versions of Cumulus RMP. 

Release Note ID Summary Description

RN-897 (CM-20086)
FRR doesn't support hostnames starting with a digit

NCLU reports an error when attempting to configure FRR when the configured hostname begins with a digit:

unknown: buffer_flush_available: write error on fd -1: Bad file descriptor

To work around this issue, change the hostname of the switch to begin with an alphabetic character, not a digit.

This issue is fixed in Cumulus Linux 3.6.1.


RN-907 (CM-20829)
netd fails on start after apt upgrade to 3.6.0 with "ImportError: No module named time"

When you use the apt-get upgrade command to upgrade to Cumulus Linux 3.6.0 and you choose to keep the currently installed version of netd.conf (by typing N at the prompt), netd fails to start after reboot and you see errors in the logs when you try to restart netd.

This issue is fixed in Cumulus Linux 3.6.1.


RN-933 (CM-20781)
NCLU 'net add bgp neighbor' command with swp1, swp2, or swp1-2 causes TB NameError

Issuing the net add bgp neighbor command with swp1, swp2 or swp1-2 causes the following error:

TB NameError: global name 'ifname_expand_glob' is not defined.

This issue is fixed in Cumulus Linux 3.6.1.


RN-935 (CM-20772)
ACL rule unable to match interface eth0 when belonging to VRF

ACL rules do not block incoming packets when interface eth0 belongs to a VRF.

This issue is fixed in Cumulus Linux 3.6.1.


RN-936 (CM-20418)
ACL to only allow ARP prevents ARP on SVIs

ACL rules that only allow ARP packets prevent ARP packets from reaching SVIs.

This issue is fixed in Cumulus Linux 3.6.1.


RN-944 (CM-20841)
netd fails to start for apt-upgrade from 3.3.2 to 3.6.0

When upgrading from Cumulus Linux 3.3.2 to 3.6.0 using the netd.conf file from version 3.3.2, netd fails to start and displays the error ImportError: No module named frr-reload.

This issue is fixed in Cumulus Linux 3.6.1.


RN-945 (CM-20311)
Security: DSA-4157-1 for openssl issues CVE-2017-3738 CVE-2018-0739

The following CVEs were announced in Debian Security Advisory DSA-4157-1, and affect the openssl package.

This issue is fixed in Cumulus Linux 3.6.1.

--------------------------------------------------------------------------

Debian Security Advisory DSA-4157-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 29, 2018 https://www.debian.org/security/faq

--------------------------------------------------------------------------

Package : openssl

CVE ID : CVE-2017-3738 CVE-2018-0739

Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2017-3738

David Benjamin of Google reported an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli.

CVE-2018-0739

It was discovered that constructed ASN.1 types with a recursive definition could exceed the stack, potentially leading to a denial of service.

Details can be found in the upstream advisory:

https://www.openssl.org/news/secadv/20180327.txt

For the oldstable distribution (jessie), these problems have been fixed in version 1.0.1t-1+deb8u8. The oldstable distribution is not affected by CVE-2017-3738.

For the stable distribution (stretch), these problems have been fixed in version 1.1.0f-3+deb9u2.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/openssl


RN-946 (CM-20603)
Security: DSA-4172-1 for perl issues CVE-2018-6797 CVE-2018-6798 CVE-2018-6913

The following CVEs were announced in Debian Security Advisory DSA-4172-1 and affect the perl package.

This issue is fixed in Cumulus Linux 3.6.1.

--------------------------------------------------------------------------

Debian Security Advisory DSA-4172-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 14, 2018 https://www.debian.org/security/faq

--------------------------------------------------------------------------

Package : perl

CVE ID : CVE-2018-6797 CVE-2018-6798 CVE-2018-6913

Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2018-6797

Brian Carpenter reported that a crafted regular expression could cause a heap buffer write overflow, with control over the bytes written.

CVE-2018-6798

Nguyen Duc Manh reported that matching a crafted locale dependent regular expression could cause a heap buffer read overflow and potentially information disclosure.

CVE-2018-6913

GwanYeong Kim reported that 'pack()' could cause a heap buffer write overflow with a large item count.

For the oldstable distribution (jessie), these problems have been fixed in version 5.20.2-3+deb8u10. The oldstable distribution (jessie) update contains only a fix for CVE-2018-6913.

For the stable distribution (stretch), these problems have been fixed in version 5.24.1-3+deb9u3.

We recommend that you upgrade your perl packages.

For the detailed security status of perl please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/perl


RN-949 (CM-21038)
VRF stops working when /etc/resolv.conf does not exist

When upgrading to Cumulus Linux 3.6.0, if the /etc/resolv.conf file does not exist and eth0 is configured with a static IP address, the switch fails to start VRFs after reboot.

This issue is fixed in Cumulus Linux 3.6.1.


RN-958 (CM-21095)
NCLU 'net add bgp neighbor <interface>' command does not create or enable the interface if it is not previously defined

When you run the net add bgp neighbor <interface> command, the interface is only added if previously defined.

This issue is fixed in Cumulus Linux 3.6.1.

New Known Issues in Cumulus RMP 3.6.1

The following issues are new to Cumulus RMP and affect the current release.

Release Note ID Summary Description

RN-942 (CM-20693)
In NCLU, you can only set the community number in a route map

In NCLU, you can only set the community number in a route map. You cannot set other community options such as no-export, no-advertise, or additive.

This issue is being investigated at this time.


RN-947 (CM-20992)
RS FEC configuration cleared and not re-installed on switchd restart, leaving links down

During switchd restart, the RS FEC configuration is not re-installed to the interfaces to which it was previously applied.

This issue is being investigated at this time.


RN-948 (CM-17494)
The default arp_ignore mode does not prevent reachable neighbor entries for hosts not on the connected subnet

In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet.

To work around this issue, change the value of arp_ignore to 2. See Default ARP Settings in Cumulus Linux for more information.


RN-951 (CM-21048)
NCLU command fails to delete the VRF static route

The NCLU command net del routing route does not delete a static route within a VRF.

To work around this issue, delete the VRF static route using vtysh, either directly in configuration mode or with vtysh -c.

This issue is being investigated at this time.


RN-952 (CM-21090)
NCLU 'net show bridge macs' command improperly displays the 'never' keyword

When you use the net show bridge macs command and a MAC address has just been updated, the never keyword improperly displays in the command output.

This issue is being investigated at this time.


RN-953 (CM-21082)
Virtual device counters not working as expected

Virtual device counters are not working as expected. The TX counter increments but the RX counter does not.

This issue is being investigated at this time.


RN-954 (CM-21062)
Redundant NCLU commands to configure the DHCP relay exit with return code 1

When using the NCLU command to add a redundant DHCP relay, the command exits with an error instead of displaying a message that the DHCP relay server configuration already contains the IP address.

This issue is being investigated at this time.


RN-955 (CM-21060)
NCLU 'net show configuration' output is out of order

When you run the net show configuration command after upgrading to Cumulus Linux 3.6, the interfaces are displayed out of order in the command output.

This issue is being investigated at this time.


RN-959 (CM-21167)
BGP aggregate created but left inactive in the routing table

If you use BGP to generate an aggregate, the aggregate shows up in the BGP table but is listed in zebra as inactive.

This issue is being investigated at this time.


RN-960 (CM-21154)
Deleting an interface with the NCLU command does not remove the interface in frr.conf

When you use NCLU to delete an interface, the associated configuration is not removed from the frr.conf file.

This issue is being investigated at this time.


RN-963 (CM-21362)
Bringing down a bridge member interface sets the interface MTU to 1500 and the bridge MTU to 1500

When you bring down an interface for a bridge member, the MTU for the interface and the MTU for the bridge are both set to 1500.

To work around this issue, run ifdown on the interface, then run the sudo ip link set dev <interface> mtu <mtu> command.

For example:

sudo ifdown swp3
sudo ip link set dev swp3 mtu 9192

As an alternative, in the /etc/network/interfaces file, add a post-down command to reset the MTU of the interface. For example:

auto swp3
iface swp3
    alias BNBYLAB-PD01HV-01_Port3
    bridge-vids 106 109 119 141 150-151
    mtu 9192
    post-down /sbin/ip link set dev swp3 mtu 9192

RN-965 (CM-21313, CM-15657)
Errors occur if comma-separated globs exist in the /etc/network/interfaces file

If you edit the /etc/network/interfaces file manually and add bridge VIDs to an interface using the NCLU syntax (comma separated globs), you see an error similar to the following:

ERROR: numbers_to_glob() could not extract any IDs from ['1,4,1000,1002,1006']

To work around this issue, separate globs with spaces when manually editing the /etc/network/interfaces file.

This issue is currently being investigated.


RN-966 (CM-21297)
TACACS authenticated users in 'netshow' or 'netedit' groups cannot issue 'net' commands after upgrade to Cumulus Linux 3.6

When upgrading from a previous release to Cumulus Linux 3.6, TACACS-authenticated users who are mapped to the tacacs0 through tacacs15 users and belong to the netshow or netedit user groups cannot run net commands and see the following error:

ERROR: You do not have permission to execute that command

This behavior is seen when upgrading with simple authentication only and occurs without a restricted shell for command authorization being enabled.

This problem is not present on a binary install of 3.6.0 or 3.6.1 and only happens when upgrading from previous releases.

To work around this issue, edit the /etc/netd.conf file, add the tacacs user group to the groups_with_show list, and add the tacacs15 user to the users_with_edit list as below:

# Control which users/groups are allowed to run "add", "del",
# "clear", "abort", and "commit" commands.
users_with_edit = root, cumulus, vagrant, tacacs15
groups_with_edit = netedit

# Control which users/groups are allowed to run "show" commands.
users_with_show = root, cumulus, vagrant
groups_with_show = netshow, netedit, tacacs

After making this change, restart netd with the sudo systemctl restart netd command.


RN-969 (CM-21278)
NCLU 'net show lldp' output has PortDescr as Remote Port

When you run the net show lldp command, the command output incorrectly displays the remote port as the port description.

To work around this issue, run the net show interface command when connected to Cisco equipment.

This issue is currently being investigated.


RN-970 (CM-21203)
VXLAN and tcam_resource_profile set to acl-heavy, causes the switch to crash

Changing tcam_resource_profile to acl-heavy on a switch with VXLAN enabled and attempting to apply the configuration with a switchd restart causes switchd to fail to restart, netd to crash, the switch to become temporarily unresponsive, and a cl-support to be generated.

To work around this issue, remove the acl-heavy profile or the VXLAN configuration.

This issue is currently being investigated.

Issues Fixed in Cumulus RMP 3.6.0

The following is a list of issues fixed in Cumulus RMP 3.6.0 from earlier versions of Cumulus RMP.

Release Note ID Summary Description

RN-704 (CM-18886, CM-20027)
ifreload causes MTU to drop on bridge SVIs 

When you run the ifreload command on a bridge SVI with an MTU higher than 1500, the MTU resets to 1500 after the initial ifreload -a, then resets to its original value when running ifreload -a for a second time.

This issue is fixed in Cumulus Linux 3.6.0.


RN-785 (CM-19422)
NCLU 'net show interface detail' command does not display detailed output

The net show interface swp# command returns the same output as net show interface swp# detail.

To view the additional information typically presented, use alternative commands. For example, to view the module information and statistics, use ethtool swp# and ethtool -S swp#.

This issue is fixed in Cumulus Linux 3.6.0.


RN-787 (CM-19418)
NCLU 'net add hostname' creates an inconsistency between /etc/hostname and /etc/hosts files

Running the net add hostname <hostname> command updates both the /etc/hostname file and the /etc/hosts file. However, NCLU modifies the hostname value passed to the /etc/hostname file, removing certain characters and converting the hostname to lowercase, whereas the hostname passed to the /etc/hosts file is passed through as is, creating an inconsistency between the two files.

To work around this issue, manually set the hostname in both the /etc/hostname file and the /etc/hosts file using a text editor such as vi or nano.

This issue is fixed in Cumulus Linux 3.6.0.


RN-806 (CM-19241)
FRR removes all static routes when the service is stopped, including those created by ifupdown2

Whenever FRR is restarted, it deletes all routes in the kernel with a protocol type of BGP, ISIS, OSPF, and static. When you upgrade FRR and the service is stopped, the static routes defined in the /etc/network/interfaces file and installed using ifupdown2 are also removed.

To work around this issue, configure static routes in the /etc/network/interfaces file as follows:

post-up ip route add <prefix> via <next-hop> proto kernel

For example:

auto swp2
iface swp2
  post-up ip route add 0.0.0.0/0 via 192.0.2.249 proto kernel

This issue is fixed in Cumulus Linux 3.6.0.


RN-807 (CM-17159)
NCLU 'net show interface <bond>' command shows interface counters that are not populated

The output of the NCLU net show interface <bond> command shows misleading and incorrect interface counters.

This issue is fixed in Cumulus Linux 3.6.0.


RN-809 (CM-19120)
The 'netshow lldp' command displays an error

When running the netshow lldp command, the output displays the following error:

cumulus@switch:~# netshow lldp
ERROR: The lldpd service is running, but '/usr/sbin/lldpctl -f xml' failed.

However, the NCLU net show lldp command works correctly.

This issue is fixed in Cumulus Linux 3.6.0.


RN-815 (CM-19630)
Bridge MAC address clashing when eth0 is part of the same broadcast domain

Cumulus Linux uses the eth0 MAC address as the MAC address for bridges. If eth0 is part of the same broadcast domain, you experience outages when upgrading.

To work around this issue, manually change the bridge MAC address in the /etc/network/interfaces file.

This issue is fixed in Cumulus Linux 3.6.0.


RN-821 (CM-19898)
The 'net show interface' command output missing information

The net show interface command output is missing LACP, CLAG, VLAN, LLDP, and physical link failure information.

This issue is fixed in Cumulus Linux 3.6.0.


RN-828 (CM-19748)
Security: Debian Security Advisory DSA-4110-1 for exim4 issue CVE-2018-6789

The following CVE was announced in Debian Security Advisory DSA-4110-1, and affects the exim4 package. While this package is no longer in the Cumulus Linux installation image, it is still in the repo3 repository. Cumulus Linux is built on Debian Jessie.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4110-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 10, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : exim4
CVE ID : CVE-2018-6789
Debian Bug : 890000
Meh Chang discovered a buffer overflow flaw in a utility function used in the SMTP listener of Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code via a specially crafted message.
For the oldstable distribution (jessie), this problem has been fixed in version 4.84.2-2+deb8u5.
For the stable distribution (stretch), this problem has been fixed in version 4.89-2+deb9u3.


RN-829 (CM-19660)
Security: Debian Security Advisory DSA-4052-1 for Bazaar issue CVE-2017-14176

The following CVE was announced in Debian Security Advisory DSA-4052-1, and affects the Bazaar version control system.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4052-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 29, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : bzr
CVE ID : CVE-2017-14176
Debian Bug : 874429

Adam Collard discovered that Bazaar, an easy to use distributed version control system, did not correctly handle maliciously constructed bzr+ssh URLs, allowing a remote attacker to run an arbitrary shell command.

For the oldstable distribution (jessie), this problem has been fixed in version 2.6.0+bzr6595-6+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 2.7.0+bzr6619-7+deb9u1.


RN-830 (CM-19595)
Security: Debian Security Advisory DSA-4098-1 for curl issues CVE-2018-1000005 CVE-2018-1000007

The following CVEs were announced in Debian Security Advisory DSA-4098-1, and affect the curl package.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4098-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
January 26, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : curl
CVE ID : CVE-2018-1000005 CVE-2018-1000007
Two vulnerabilities were discovered in cURL, an URL transfer library.

CVE-2018-1000005
Zhouyihai Ding discovered an out-of-bounds read in the code handling HTTP/2 trailers. This issue doesn't affect the oldstable distribution (jessie).

CVE-2018-1000007
Craig de Stigter discovered that authentication data might be leaked to third parties when following HTTP redirects.

For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u9.


RN-831 (CM-19507)
Security: Debian Security Advisory DSA-4091-1 for mysql issues CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668

The following CVEs were announced in Debian Security Advisory DSA-4091-1, and affect all mysql packages, including mysql-* and libmysql-*.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4091-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 18, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : mysql-5.5
CVE ID : CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.59, which includes additional changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-59.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

For the oldstable distribution (jessie), these problems have been fixed in version 5.5.59-0+deb8u1.


RN-832 (CM-19458)
Security: Debian Security Advisory DSA-4089-1 for bind9 issue CVE-2017-3145

The following CVE was announced in Debian Security Advisory DSA-4089-1, and affects the bind9 package.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4089-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 16, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : bind9

CVE ID : CVE-2017-3145
Jayachandran Palanisamy of Cygate AB reported that BIND, a DNS server implementation, was improperly sequencing cleanup operations, leading in some cases to a use-after-free error, triggering an assertion failure and crash in named.

For the oldstable distribution (jessie), this problem has been fixed in version 1:9.9.5.dfsg-9+deb8u15.

For the stable distribution (stretch), this problem has been fixed in version 1:9.10.3.dfsg.P4-12.3+deb9u4.

We recommend that you upgrade your bind9 packages.


RN-833 (CM-19446)
Security: Debian Security Advisory DSA-4086 for libxml2 issue CVE-2017-15412

The following CVE was announced in Debian Security Advisory DSA-4086-1, and affects the libxml2 package.

This issue is fixed in Cumulus Linux 3.6.0.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4086-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 13, 2018 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : libxml2
CVE ID : CVE-2017-15412
Debian Bug : 883790

Nick Wellnhofer discovered that certain function calls inside XPath
predicates can lead to use-after-free and double-free errors when
executed by libxml2's XPath engine via an XSLT transformation.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.9.1+dfsg1-5+deb8u6.
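To confirm that a switch actually carries the fixed package versions quoted in these advisories, the installed version must be compared with Debian's ordering rules, because a plain string comparison ranks 7.38.0-4+deb8u9 above 7.38.0-4+deb8u11. The following Python is an added example, not part of the release notes or of Cumulus Linux: it implements that ordering (epoch, upstream version, revision, with "~" sorting first) and audits a package list against the jessie versions above. It assumes the switch reports Debian jessie version strings and takes input in the form printed by dpkg-query -W -f='${Package} ${Version}\n'; the sample list is constructed.

```python
"""Audit installed package versions against the jessie fixes quoted above."""
import re

# Fixed versions for Debian jessie, copied from the advisories in these notes.
FIXED_JESSIE = {
    "curl": "7.38.0-4+deb8u11",
    "openssl": "1.0.1t-1+deb8u8",
    "perl": "5.20.2-3+deb8u10",
    "bind9": "1:9.9.5.dfsg-9+deb8u15",
    "libxml2": "2.9.1+dfsg1-5+deb8u6",
}

# Constructed sample in "package version" form; not from a real switch.
SAMPLE_DPKG_OUTPUT = """\
curl 7.38.0-4+deb8u9
openssl 1.0.1t-1+deb8u8
perl 5.20.2-3+deb8u10
bind9 1:9.9.5.dfsg-9+deb8u14
"""


def char_weight(ch):
    """Sort weight of a non-digit character: '~' first, then letters, then the rest."""
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def cmp_nondigit(a, b):
    """Compare two non-digit runs; a missing character weighs 0 (above '~')."""
    for i in range(max(len(a), len(b))):
        wa = char_weight(a[i]) if i < len(a) else 0
        wb = char_weight(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def cmp_fragment(a, b):
    """Compare upstream or revision strings as alternating text/number runs."""
    pa = [p for p in re.findall(r"(\D*)(\d*)", a) if p != ("", "")]
    pb = [p for p in re.findall(r"(\D*)(\d*)", b) if p != ("", "")]
    for i in range(max(len(pa), len(pb))):
        text_a, num_a = pa[i] if i < len(pa) else ("", "")
        text_b, num_b = pb[i] if i < len(pb) else ("", "")
        result = cmp_nondigit(text_a, text_b)
        if result:
            return result
        na, nb = int(num_a or 0), int(num_b or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if sep and epoch.isdigit():
        epoch = int(epoch)
    else:
        epoch, rest = 0, version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return cmp_fragment(ua, ub) or cmp_fragment(ra, rb)


def parse_dpkg_list(text):
    """Turn 'package version' lines into a dict, skipping malformed lines."""
    installed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2:
            installed[fields[0]] = fields[1]
    return installed


def audit(installed, fixed=FIXED_JESSIE):
    """Map each tracked package to 'ok', 'needs update' or 'not installed'."""
    report = {}
    for pkg, fixed_version in fixed.items():
        have = installed.get(pkg)
        if have is None:
            report[pkg] = "not installed"
        elif compare_versions(have, fixed_version) < 0:
            report[pkg] = "needs update"
        else:
            report[pkg] = "ok"
    return report


if __name__ == "__main__":
    for pkg, status in sorted(audit(parse_dpkg_list(SAMPLE_DPKG_OUTPUT)).items()):
        print("%-8s %s" % (pkg, status))
```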


RN-834 (CM-19385)
Security: Debian Security Advisories DSA-4082 for kernel issues CVE-2017-8824 CVE-2017-15868 CVE-2017-16538 CVE-2017-16939 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558 CVE-2017-17741 CVE-2017-17805 and more

The following CVEs were announced in Debian Security Advisory DSA-4086-1, and affect the Linux kernel.

This issue is fixed in Cumulus Linux 3.6.0.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4082-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 09, 2018 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-8824 CVE-2017-15868 CVE-2017-16538
CVE-2017-16939 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450
CVE-2017-17558 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806
CVE-2017-17807 CVE-2017-1000407 CVE-2017-1000410

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-8824

Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it:

echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

CVE-2017-15868

Al Viro found that the Bluetooth Network Encapsulation Protocol (BNEP) implementation did not validate the type of the second socket passed to the BNEPCONNADD ioctl(), which could lead to memory corruption. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation.

CVE-2017-16538

Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash).

CVE-2017-16939

Mohamed Ghannam reported (through Beyond Security's SecuriTeam Secure Disclosure program) that the IPsec (xfrm) implementation did not correctly handle some failure cases when dumping policy information through netlink. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation.

CVE-2017-17448

Kevin Cernekee discovered that the netfilter subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace, not just the root namespace, to enable and disable connection tracking helpers. This could lead to denial of service, violation of network security policy, or have other impact.

CVE-2017-17449

Kevin Cernekee discovered that the netlink subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace to monitor netlink traffic in all net namespaces, not just those owned by that user namespace. This could lead to exposure of sensitive information.

CVE-2017-17450

Kevin Cernekee discovered that the xt_osf module allowed users with the CAP_NET_ADMIN capability in any user namespace to modify the global OS fingerprint list.

CVE-2017-17558

Andrey Konovalov reported that the USB core did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation.

CVE-2017-17741

Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash).

CVE-2017-17805

It was discovered that some implementations of the Salsa20 block cipher did not correctly handle zero-length input. A local user could use this to cause a denial of service (crash) or possibly have other security impact.

CVE-2017-17806

It was discovered that the HMAC implementation could be used with an underlying hash algorithm that requires a key, which was not intended. A local user could use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation.

CVE-2017-17807

Eric Biggers discovered that the KEYS subsystem lacked a check for write permission when adding keys to a process's default keyring. A local user could use this to cause a denial of service or to obtain sensitive information.

CVE-2017-1000407

Andrew Honig reported that the KVM implementation for Intel processors allowed direct access to host I/O port 0x80, which is not generally safe. On some systems this allows a guest VM to cause a denial of service (crash) of the host.

CVE-2017-1000410

Ben Seri reported that the Bluetooth subsystem did not correctly handle short EFS information elements in L2CAP messages. An attacker able to communicate over Bluetooth could use this to obtain sensitive information from the kernel.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.51-3+deb8u1.


RN-836 (CM-19353)
NCLU 'net del' and 'net add bridge' commands do not work in the same 'net commit'

If a bridge is previously configured and you run the net del all and the net add bridge commands in the same net commit, all bridge and VLAN commands fail and no bridge or VLAN configuration is added to the switch.

This issue is fixed in Cumulus Linux 3.6.0.


RN-861 (CM-20694)
NCLU 'net show lldp' command traceback on 'descr'

When you run the net show lldp command, the netd process crashes and does not recover. This occurs because the LLDP peer does not send the description field in the TLV (which is optional), so NCLU cannot parse the information.

To work around the issue, make sure that the LLDP peer device is configured to send the LLDP description in the TLV.

This issue is fixed in Cumulus Linux 3.6.0.


RN-862 (CM-20416)
The error message 'snmpd[xxx]: truncating integer value > 32 bits' repeating in syslog

When the switch or snmpd is running for more than 497 days, the following error message repeats in syslog:

snmpd[xxxx]: truncating integer value > 32 bits

This issue is resolved by limiting the number of log messages to 10 occurrences.


RN-864 (CM-20272)
Security: Debian Security Advisory DSA-4154-1 for net-snmp issues CVE-2015-5621 CVE-2018-1000116

The following CVEs were announced in Debian Security Advisory DSA-4154-1, and affect the net-snmp package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4154-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 28, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : net-snmp
CVE ID : CVE-2015-5621 CVE-2018-1000116
Debian Bug : 788964 894110

A heap corruption vulnerability was discovered in net-snmp, a suite of
Simple Network Management Protocol applications, triggered when parsing
the PDU prior to the authentication process. A remote, unauthenticated
attacker can take advantage of this flaw to crash the snmpd process
(causing a denial of service) or, potentially, execute arbitrary code
with the privileges of the user running snmpd.

For the oldstable distribution (jessie), these problems have been fixed
in version 5.7.2.1+dfsg-1+deb8u1.

For the stable distribution (stretch), these problems have been fixed
before the initial release.

We recommend that you upgrade your net-snmp packages.

For the detailed security status of net-snmp please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/net-snmp

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


RN-868 (CM-20069)
Link-down does not work on SVIs configured in a VRF

The link-down yes configuration in the /etc/network/interfaces file has no effect on shutting down SVI interfaces configured in a VRF. SVIs configured without a VRF are not affected.

This issue is fixed in Cumulus Linux 3.6.0.


RN-869 (CM-20002)
Kernel route uses the bridge VRR interface instead of the bridge interface

In the kernel routing table, the bridge VRR interface is used instead of the bridge interface. This causes ARP packets to be sourced from the VRR interface instead of the physical interface.

This issue is fixed in Cumulus Linux 3.6.0.


RN-871 (CM-19906)
Security: Debian Security Advisory DSA-4120-1 for Linux kernel issues CVE-2018-5750

The following CVEs were announced in Debian Security Advisory DSA-4120-1, and affect the Linux kernel.

The issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4120-1 security@debian.org
https://www.debian.org/security/
January 19, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : linux
CVE ID : CVE-2018-5750 

It was found that the acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.

See https://patchwork.kernel.org/patch/10174835/ for further details.


RN-874 (CM-16293)
NCLU 'net show interface' output should be fewer than 80 characters

The output for the net show interface command can be more than 130 characters wide without line wrapping, which can be difficult to read on an 80-character-wide terminal.

This issue is fixed in Cumulus Linux 3.6.0. The net show interface output is now fewer than 80 characters long for 80 character wide terminals.


RN-906 (CM-19405)
Status LED color does not match ledmgrd reported status

On RMP, the color of the status LED reported by ledmgrd does not match the actual color of the LED on the front of the switch.

This issue is fixed in Cumulus Linux 3.6.0.


RN-912 (CM-19801)
QinQ not working without a restart in traditional mode bridge

When changing the inner and outer VLANs of a double-tagged bridge interface using ifreload, the port's VLAN translation key is not updated correctly, causing an incorrect VLAN translation.

This issue is fixed in Cumulus Linux 3.6.0.


RN-913 (CM-19728)
NCLU 'ip forward' command has incorrect syntax and does not show in configuration

When you disable IP forwarding on an interface with the NCLU ip forward off command and commit the change, the command shows as unsupported when you run net show configuration commands.

This issue is fixed in Cumulus Linux 3.6.0.


RN-915 (CM-19689)
The default syslog level for DHCP Relay results in too many messages

The default syslog severity level for DHCP Relay is 6, which causes too many syslog messages.

This issue is fixed in Cumulus Linux 3.6.0.


RN-916 (CM-19666)
netd crashes when you add unicode characters in SNMP commands

Unicode characters in SNMP commands cause netd to crash.

This issue is fixed in Cumulus Linux 3.6.0.


RN-919 (CM-19452)
NCLU 'net show lldp' command causes netd to crash

The netd process crashes when you run the net show lldp command and does not recover.

This issue is fixed in Cumulus Linux 3.6.0.


RN-922 (CM-20237)
Security: Debian Security Advisory DSA-4151-1 for librelp issue CVE-2018-1000140 

The following CVE was announced in Debian Security Advisory DSA-4151-1, and affects the librelp package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4151-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 26, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : librelp
CVE ID : CVE-2018-1000140

Bas van Schaik and Kevin Backhouse discovered a stack-based buffer
overflow vulnerability in librelp, a library providing reliable event
logging over the network, triggered while checking x509 certificates
from a peer. A remote attacker able to connect to rsyslog can take
advantage of this flaw for remote code execution by sending a specially
crafted x509 certificate.

Details can be found in the upstream advisory:
http://www.rsyslog.com/cve-2018-1000140/

For the oldstable distribution (jessie), this problem has been fixed
in version 1.2.7-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.12-1+deb9u1.

We recommend that you upgrade your librelp packages.

For the detailed security status of librelp, please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/librelp


RN-923 (CM-20093)
Security: Debian Security Advisory DSA-4140-1 for libvorbis issue CVE-2018-5146 

The following CVE was announced in Debian Security Advisory DSA-4140-1, and affects the libvorbis package.

This issue is fixed in Cumulus Linux 3.6.0.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4140-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 16, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : libvorbis
CVE ID : CVE-2018-5146
Debian Bug : 893130

Richard Zhu discovered that an out-of-bounds memory write in the
codebook parsing code of the Libvorbis multimedia library could result
in the execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.3.4-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.3.5-4+deb9u2.


RN-924 (CM-20066)
Security: Debian Security Advisory DSA-4136-1 for curl issues CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 

The following CVEs were announced in Debian Security Advisory DSA-4136-1, and affect the curl package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4136-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
March 14, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122

Multiple vulnerabilities were discovered in cURL, a URL transfer library.

CVE-2018-1000120

Duy Phan Thanh discovered that curl could be fooled into writing a
zero byte out of bounds when curl is told to work on an FTP URL with
the setting to only issue a single CWD command, if the directory part
of the URL contains a "%00" sequence.

CVE-2018-1000121

Dario Weisser discovered that curl might dereference a near-NULL
address when getting an LDAP URL due to the ldap_get_attribute_ber()
function returning LDAP_SUCCESS and a NULL pointer. A malicious server
might cause libcurl-using applications that allow LDAP URLs, or that
allow redirects to LDAP URLs to crash.

CVE-2018-1000122

OSS-fuzz, assisted by Max Dymond, discovered that curl could be
tricked into copying data beyond the end of its heap based buffer
when asked to transfer an RTSP URL.

For the oldstable distribution (jessie), these problems have been fixed
in version 7.38.0-4+deb8u10.

For the stable distribution (stretch), these problems have been fixed in
version 7.52.1-5+deb9u5.

We recommend that you upgrade your curl packages.

For the detailed security status of curl, please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl


RN-925 (CM-20030)
Security: Debian Security Advisory DSA-4100-1 for tiff (libtiff) issues CVE-2017-9935 CVE-2017-11335 CVE-2017-12944 CVE-2017-13726 CVE-2017-13727 CVE-2017-18013 

The following CVEs were announced in Debian Security Advisory DSA-4100-1, and affect the tiff package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4100-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 27, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : tiff
CVE ID : CVE-2017-9935 CVE-2017-11335 CVE-2017-12944 CVE-2017-13726
CVE-2017-13727 CVE-2017-18013

Multiple vulnerabilities have been discovered in the libtiff library and
the included tools, which may result in denial of service or the
execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 4.0.3-12.3+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 4.0.8-2+deb9u2.

We recommend that you upgrade your tiff packages.

For the detailed security status of tiff, please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tiff


RN-926 (CM-19996)
Security: Debian Security Advisory DSA-4133-1 for isc-dhcp issues CVE-2017-3144 CVE-2018-5732 CVE-2018-5733

The following CVEs were announced in Debian Security Advisory DSA-4133-1, and affect the isc-dhcp package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4133-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 07, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : isc-dhcp
CVE ID : CVE-2017-3144 CVE-2018-5732 CVE-2018-5733
Debian Bug : 887413 891785 891786

Several vulnerabilities have been discovered in the ISC DHCP client,
relay and server. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2017-3144

It was discovered that the DHCP server does not properly clean up
closed OMAPI connections, which can lead to exhaustion of the pool
of socket descriptors available to the DHCP server, resulting in
denial of service.

CVE-2018-5732

Felix Wilhelm of the Google Security Team discovered that the DHCP
client is prone to an out-of-bound memory access vulnerability when
processing specially constructed DHCP options responses, resulting
in potential execution of arbitrary code by a malicious DHCP server.

CVE-2018-5733

Felix Wilhelm of the Google Security Team discovered that the DHCP
server does not properly handle reference counting when processing
client requests. A malicious client can take advantage of this flaw
to cause a denial of service (dhcpd crash) by sending large amounts
of traffic.

For the oldstable distribution (jessie), these problems have been fixed
in version 4.3.1-6+deb8u3.

For the stable distribution (stretch), these problems have been fixed in
version 4.3.5-3+deb9u1.

We recommend that you upgrade your isc-dhcp packages.

For the detailed security status of isc-dhcp, please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/isc-dhcp


RN-927 (CM-19961)
Security: Debian Security Advisory DSA-4132 for libvpx issue CVE-2017-13194 

The following CVEs were announced in Debian Security Advisory DSA-4132-1, and affect the libvpx package.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4132-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 04, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : libvpx
CVE ID : CVE-2017-13194

It was discovered that incorrect validation of frame widths in the libvpx
multimedia library may result in denial of service and potentially the
execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.3.0-3+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.6.1-3+deb9u1.

We recommend that you upgrade your libvpx packages.

For the detailed security status of libvpx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvpx


RN-928 (CM-19253)
Security: Debian Security Advisory DSA-4068-1 for rsync issues CVE-2017-16548 CVE-2017-17433 CVE-2017-17434 

The following CVEs were announced in Debian Security Advisory DSA-4068-1, and affect the rsync package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4068-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 17, 2017 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : rsync
CVE ID : CVE-2017-16548 CVE-2017-17433 CVE-2017-17434
Debian Bug : 880954 883665 883667

Several vulnerabilities were discovered in rsync, a fast, versatile,
remote (and local) file-copying tool, allowing a remote attacker to
bypass intended access restrictions or cause a denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 3.1.1-3+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 3.1.2-1+deb9u1.


RN-929 (CM-19303)
Security: Debian Security Advisory DSA-4073-1 for Linux kernel issues CVE-2017-8824 CVE-2017-16995 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558 CVE-2017-17712 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806 CVE-2017-17807 CVE-2017-1000407 CVE-2017-1000410

The following CVEs were announced in Debian Security Advisory DSA-4073-1, and affect the linux package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4073-1 security@debian.org
https://www.debian.org/security/ 
December 23, 2017 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-8824 CVE-2017-16995 CVE-2017-17448
CVE-2017-17449 CVE-2017-17450 CVE-2017-17558
CVE-2017-17712 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806
CVE-2017-17807 CVE-2017-1000407 CVE-2017-1000410

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2017-8824

Mohamed Ghannam discovered that the DCCP implementation did not
correctly manage resources when a socket is disconnected and
reconnected, potentially leading to a use-after-free. A local
user could use this for denial of service (crash or data
corruption) or possibly for privilege escalation. On systems that
do not already have the dccp module loaded, this can be mitigated
by disabling it:
echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

CVE-2017-16995

Jann Horn discovered that the Extended BPF verifier did not
correctly model the behaviour of 32-bit load instructions. A
local user can use this for privilege escalation.

CVE-2017-17448

Kevin Cernekee discovered that the netfilter subsystem allowed
users with the CAP_NET_ADMIN capability in any user namespace, not
just the root namespace, to enable and disable connection tracking
helpers. This could lead to denial of service, violation of
network security policy, or have other impact.

CVE-2017-17449

Kevin Cernekee discovered that the netlink subsystem allowed
users with the CAP_NET_ADMIN capability in any user namespace
to monitor netlink traffic in all net namespaces, not just
those owned by that user namespace. This could lead to
exposure of sensitive information.

CVE-2017-17450

Kevin Cernekee discovered that the xt_osf module allowed users
with the CAP_NET_ADMIN capability in any user namespace to modify
the global OS fingerprint list.

CVE-2017-17558

Andrey Konovalov reported that the USB core did not correctly
handle some error conditions during initialisation. A physically
present user with a specially designed USB device can use this to
cause a denial of service (crash or memory corruption), or
possibly for privilege escalation.

CVE-2017-17712

Mohamed Ghannam discovered a race condition in the IPv4 raw socket
implementation. A local user could use this to obtain sensitive
information from the kernel.

CVE-2017-17741

Dmitry Vyukov reported that the KVM implementation for x86 would
over-read data from memory when emulating an MMIO write if the
kvm_mmio tracepoint was enabled. A guest virtual machine might be
able to use this to cause a denial of service (crash).

CVE-2017-17805

It was discovered that some implementations of the Salsa20 block
cipher did not correctly handle zero-length input. A local user
could use this to cause a denial of service (crash) or possibly
have other security impact.

CVE-2017-17806

It was discovered that the HMAC implementation could be used with
an underlying hash algorithm that requires a key, which was not
intended. A local user could use this to cause a denial of
service (crash or memory corruption), or possibly for privilege
escalation.

CVE-2017-17807

Eric Biggers discovered that the KEYS subsystem lacked a check for
write permission when adding keys to a process's default keyring.
A local user could use this to cause a denial of service or to
obtain sensitive information.

CVE-2017-1000407

Andrew Honig reported that the KVM implementation for Intel
processors allowed direct access to host I/O port 0x80, which
is not generally safe. On some systems this allows a guest
VM to cause a denial of service (crash) of the host.

CVE-2017-1000410

Ben Seri reported that the Bluetooth subsystem did not correctly
handle short EFS information elements in L2CAP messages. An
attacker able to communicate over Bluetooth could use this to
obtain sensitive information from the kernel.

Debian disables unprivileged user namespaces by default, but if they
are enabled (via the kernel.unprivileged_userns_clone sysctl) then
CVE-2017-17448 can be exploited by any local user.
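
The DCCP mitigation quoted in the DSA-4082-1 and DSA-4073-1 entries above only helps when the dccp module is not already loaded. The following shell functions are an added example (not part of the release notes or the Debian advisories) that check both conditions and apply the rule idempotently; the function names and status strings are assumptions of this example, and the sample module list is constructed.

```shell
#!/bin/sh
# Added example: audit the "install dccp false" mitigation for CVE-2017-8824.
# File locations are parameters so the check can run against copies.

# Succeed if dccp (or a dccp_* helper such as dccp_ipv4) is in the module list.
dccp_loaded() {
    modules_file=${1:-/proc/modules}
    # In /proc/modules the first field of each line is the module name.
    awk '$1 == "dccp" || $1 ~ /^dccp_/ { found = 1 } END { exit !found }' \
        "$modules_file"
}

# Succeed if a *.conf file in the directory holds an active (uncommented)
# "install dccp <cmd>" rule whose command never loads the module.
# Only the given directory is inspected.
dccp_install_blocked() {
    conf_dir=${1:-/etc/modprobe.d}
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        if awk '
            /^[ \t]*#/ { next }
            $1 == "install" && $2 == "dccp" &&
                $3 ~ /^(\/bin\/|\/usr\/bin\/)?(false|true)$/ { ok = 1 }
            END { exit !ok }' "$f"; then
            return 0
        fi
    done
    return 1
}

# Print one status word:
#   mitigated            module not loaded and the rule is present
#   not-mitigated        module not loaded, no rule
#   loaded-rule-present  rule exists but the module is already loaded, so it
#                        stays usable until it is unloaded or the host reboots
#   loaded-no-rule       module loaded and nothing prevents reloading it
dccp_mitigation_status() {
    modules_file=${1:-/proc/modules}
    conf_dir=${2:-/etc/modprobe.d}
    if dccp_loaded "$modules_file"; then
        if dccp_install_blocked "$conf_dir"; then
            echo "loaded-rule-present"
        else
            echo "loaded-no-rule"
        fi
    elif dccp_install_blocked "$conf_dir"; then
        echo "mitigated"
    else
        echo "not-mitigated"
    fi
}

# Idempotent form of the advisory's one-liner: append the rule only if no
# equivalent rule exists, so repeated runs do not duplicate it.
dccp_apply_rule() {
    conf_dir=${1:-/etc/modprobe.d}
    dccp_install_blocked "$conf_dir" && return 0
    echo "install dccp false" >> "$conf_dir/disable-dccp.conf"
}

# Demo on constructed data in a temporary directory (no system files touched).
dccp_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/modprobe.d"
    # Constructed /proc/modules excerpt in which dccp is not loaded.
    printf '%s\n' \
        'bridge 110592 0 - Live 0x0000000000000000' \
        'stp 16384 1 bridge, Live 0x0000000000000000' > "$tmp/modules"
    dccp_mitigation_status "$tmp/modules" "$tmp/modprobe.d"
    dccp_apply_rule "$tmp/modprobe.d"
    dccp_mitigation_status "$tmp/modules" "$tmp/modprobe.d"
    rm -rf "$tmp"
}

dccp_demo
```

On a real switch, call `dccp_mitigation_status` with no arguments to read /proc/modules and /etc/modprobe.d; `dccp_apply_rule` needs root to write there.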


RN-930 (CM-19367)
Adding MTU to bonded interfaces creates an incorrect interface

When adding the MTU to bonded interfaces, NCLU creates an incorrect interface in the /etc/network/interfaces file.

This issue is fixed in Cumulus Linux 3.6.0.

New Known Issues in Cumulus RMP 3.6.0

The following issues are new to Cumulus RMP and affect the current release.

Release Note ID Summary Description

RN-382 (CM-6692)
FRR: Removing a bridge using ifupdown2 does not remove it from the configuration files

Removing a bridge using ifupdown2 does not remove it from the FRR configuration files. However, restarting FRR successfully removes the bridge.

This issue is being investigated.


RN-754 (CM-15812)
Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs

Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs.

This issue is being investigated at this time.


RN-755 (CM-16855)
Auto-negotiation ON sometimes results in NO-CARRIER

If the two nodes on both sides of a link change from auto-negotiation off to auto-negotiation on during a short interval (around one second), the link might start flapping or stay down.

To work around this issue and stop the flapping, turn the link down on the switch with the command ifdown swpX, wait a few seconds, then bring the link back up with the command ifup swpX. Repeat this on the other side if necessary.


RN-760 (CM-18682)
smonctl utility JSON parsing error

There is a parsing error with the smonctl utility. In some cases when JSON output is chosen, the smonctl utility crashes. The JSON output is necessary to make the information available through SNMP.

This issue is being investigated.


RN-788 (CM-19381)
dhcrelay does not bind to interfaces that have names longer than 14 characters

The dhcrelay command does not bind to an interface if the interface's name is longer than 14 characters.

To work around this issue, change the interface name to be 14 or fewer characters if dhcrelay is required to bind to it.

This issue is currently being investigated.


RN-790 (CM-19014)
Configuring DHCP relay with VRR breaks ifreload

When you configure DHCP relay with VRR, the ifreload command does not work as expected; for example, the IP address might be removed from an SVI.

This issue is currently being investigated. 


RN-799 (CM-16493)
 

You cannot use NCLU or ifupdown2 to enable or disable the IPv6 link-local eui-64 format.

To work around this limitation, you can use the following iproute2 command:

cumulus@switch:~$ sudo ip link set swp# addrgenmode {eui64|none}

Note that this command does not persist across a reboot of the switch.

This issue is currently being investigated.


RN-822 (CM-19788)
Using the same VLAN ID on a subinterface and bridge VIDs for a given port is not easily corrected

If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict. To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-823 (CM-19724)
Multicast control protocols are classified to the bulk queue by default

PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-877 (CM-20745, CM-20678)
NCLU 'net show interface' commands report wrong mode in output for trunk ports

The net show interface command output displays the mode as Access/L2 instead of Trunk/L2.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-879 (CM-20724)
NCLU treats interface names with a hyphen as a range

If you create an interface name that includes a hyphen (-), Cumulus Linux treats the interface as a range of interfaces.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-885 (CM-20530)
NCLU 'net show interface' command shows 'NotConfigured' for unnumbered interfaces

When an interface is configured for OSPF/BGP unnumbered, the net show interface command shows NotConfigured instead of showing that it is unnumbered.

This issue is currently being investigated.


RN-893 (CM-20363)
IPv6 RA should include all on-link prefixes as prefix information

IPv6 RAs from a router can be used to do some host auto-configuration. The main aspects that can be auto-configured are the prefixes which are on-link (which can be used by the host to autoconfigure its addresses) and the default router. Some other information can also be indicated. FRR does have support to "advertise" some of these parameters. To work around this issue, configure the prefixes explicitly for announcement through RA using the IPv6 nd prefix command.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-897 (CM-20086)
 

NCLU reports an error when attempting to configure FRR when the configured hostname begins with a digit:

unknown: buffer_flush_available: write error on fd -1: Bad file descriptor

To work around this issue, change the hostname of the switch to begin with an alphabetic character, not a digit.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-907 (CM-20829)
'netd' fails on a reboot after upgrade to 3.6.0 with the error "ImportError: No module named time"

When you use the apt-get upgrade command to upgrade to Cumulus Linux 3.6.0 and you select to keep the currently-installed version of netd.conf (by typing N at the prompt), netd fails to start after reboot and you see errors in the logs when you try to restart it.

This issue is being investigated at this time.
